Successful Attacks on Accounting Information System

Argument on “Should companies be held liable for successful attacks on their Accounting information System by outside sources”


Debate over whether companies should be held liable for losses sustained from successful external attacks on their accounting information systems has greatly increased in recent times. There are those who feel that the company should be liable for the loss sustained due to negligence or unauthorized access to the accounting information. On the other hand, other people feel that if the company has adequate security controls on its accounting information, then it should not be held liable for losses. However, in my own opinion, a successful attack on a company’s financial systems should amount to some legal proceeding. It is the role of the company to ensure that its accounting information systems are safely held to avoid external access. For this reason, the credibility of the company’s accounting information systems should be ensured at all times. This paper will fully support the motion that “companies should be held liable for successful attacks on their accounting information system by outside sources”.

It is evident that the majority of firms’ information systems seek to uphold confidentiality, integrity and availability for their users. Companies should ensure the necessary secrecy levels for their data and always strive to fight unauthorized disclosures of such information. They should regularly monitor their systems in order to ensure no external threats succeed. They should also encrypt most of their data before storage in order to make it hard for an unauthorized user to access their files. And, in some cases, they should implement strict access control mechanisms for access to some of the highly confidential accounting information in their systems (Layton, 2007).

It is the company’s duty to choose the appropriate administrative, technical or physical controls for its accounting information. Proper administrative controls should be enforced in order to publish security policies, screen workers and conduct security awareness training for staff at all times. The controls should be established in such a way that they barely give hackers and unauthorized users any chance to access the accounting information. This should be done through the continuing update of the systems to detect such hackers. In addition, the company can also choose to use technical or physical controls to ensure data security. Technical controls involve the effective implementation and maintenance of access control mechanisms (Schneier & Miller, 2002).

If unauthorized users such as hackers illegally access such confidential information, then it means that no proper measures were put in place to prevent such illegal access. For this reason, the company should be held liable for any loss sustained as a result of a successful attack. This is because managers and directors of a company owe the shareholders a duty of care, which is violated by such successful attacks. They should, therefore, prove their innocence only if the event was unforeseeable. However, as technology advances, companies ought to review their accounting information systems in order to ensure that no room is left for hackers to gain unauthorized access to such information. Companies should also be keen to identify potential threats at all times. The company should, however, seek to mitigate such losses immediately after it identifies them. Proper measures should be taken to reduce the chances of further loss by either changing the prevailing access control mechanisms or physically blocking passwords (Peltier, 2001).

Although such attacks are unforeseeable, the blame lies wholly on the company, since it should always ensure the safety and confidentiality of information. As a matter of fact, unauthorized access to accounting information can only be facilitated by internal stakeholders who fully understand how the system runs. And it would be very wrong for the company to provide loopholes at the cost of stakeholders. But if the company has a well-established information system, secure enough to prevent normal unauthorized access, then there is no way such a loss can be incurred. It is true that most accounting information is treated as confidential in most companies. Access to such information should thus amount to some fraudulent attack. And those liable for it should pay for the losses sustained (Schneier & Miller, 2002).

Companies should also undertake proper and efficient identification and authentication of system controls in order to strengthen safety in their systems. More improvised security devices and configuration of the infrastructures are some additional technical controls that the firm may use to reinforce its system security.

Finally, in order to ensure safe accounting information systems, proper physical controls, such as the control of individual access to data, should be put in place. The management should always lock up the sensitive information systems in order to prevent unauthorized access. They should also install tracking software, which effectively monitors external intrusion into the system. These controls should be used interchangeably in order to reduce and eliminate the chances of external attacks through the use of the company’s accounting information systems (Alexander, 2008).

In conclusion, the company should be held liable for the losses sustained because of a successful attack made on its accounting information system by outside sources. This is because company managers and directors owe the shareholders a duty of care, which includes safeguarding the company’s interests. A successful attack by outside sources would mean that there are no effective measures to ensure security in the system.