Mark Knowles, GM Security Assurance, at Xero is responsible for managing security risk and compliance, as part of his security governance responsibilities. He leads the identification of security assessment and ensuring that ISO and SOC 2 compliance requirements are followed for all of Xero, globally.
Xero is a global small business platform with 3.3 million subscribers, provides accounting software and tools for accountants, bookkeepers, and small businesses.
I asked Knowles about security best practice at Xero, and to share some of the security challenges and solutions he manages at Xero. Knowles referred to his overarching mandate at Xero as managing ‘good security posture.’
“Good security posture,” explained Knowles, is, “knowing what data we protect and knowing what regulatory requirements we have to be careful of and be aware of, then ensuring that we’ve got those compliance things in place and up to date all the time.” A company and partner-wide undertaking, Knowles was also quick to complement the cross-check work of external auditors.
Multifactor Authentication (MFA)
Beginning with individually managed security, Knowles said, “ensuring that customers protect themselves, that they are not just logging in at a cafe or a restaurant is critical. Ensuring that they use virtual private networks. Ensuring that they use password managers for secure passwords,” are all aspects of corporate security governance.
“Also, we have Xero Verify.”
“Xero Verify is multifactor authentication. It’s a must now, it’s like a safety net. Two-factor authentication.”
Knowles explained, “You log on using a secure password. And, you should have many different passwords. We encourage our customers not to have the same password for everything that they work with.”
“But not only having a secure password through password manager or discouraging them from using your name with a number at the end … or pet name. And then, once you log in, using Xero Verify, you then get sent a verification. So, are you in this place? And you then verify.”
MFA was initially a mandate from the Australian government, “but then we decided this is actually best practice for every region. So, though it was hard for customers, we said, “We’re custodians of your data. And as accountants, bookkeepers you’re custodians of your customers’ data. It’s an extra step, but we think it’s important.”
Cyberattacks Find a Way
“We also talk all of the time about what we’re doing in regard to securing our information,” stated Knowles.
“We’ve seen a lot more [cybercrime] in the last 12 to 18 months,” began Knowles, “ … cyber criminals trying to encourage disgruntled employees to come on board, stay working for the company that you’re disgruntled with, but [then] planting some malware into the company,” shared Knowles. Knowles also explained how disgruntled employees can be paid to introduce malware, too.
“So how can you protect yourself against that?” asked Knowles. “One of the things that’s great about Xero is the environment that we work in. We look after our staff.”
Another danger to manage through education and security compliance is careful use of USB sticks.
Said Knowles, “Malware can be easily put onto a USB stick,” about which Knowles advised how data exchange is better managed through HTTPS websites or tools like Hubdoc or the Xero platform in its case.
Knowles shared, for example, “one of the Xero accountants came up to me and said, “Look, Mark, I go and see customers. And I take a USB stick with me. Is it okay if I plug it into their computer and then take it back and plug it into mine?”
His reply to this question was, “It’s really not, because how do you know that the customer that you’re talking to doesn’t already have malware on their laptop and you’re transferring it via that USB stick onto yours? And the real problem with malware is that it sits hidden behind for a long time, and therefore ransomware attacks can happen.”
Scenario-based Security Training and Dialogue
Knowles shared, “We talk about this a lot at work, we practice potential ransomware attacks. We practice malicious insider attacks.”
More often than once a year, Xero teams face scenario-based threats and how to handle security attacks.
“One of the things I’m doing at the moment is rolling out an initiative called Security Champions, where we have a security champion throughout the whole of Xero, no matter what part of the world they work in. They … ask us to do tabletop exercises within their team to help them to understand what the risk might be.” Added Knowles, “whether you’re a Xero employee, or whether you’re a private business, accountant, bookkeeper, or just own your own business, [it is important] to practice what do I do to stop this from being a risk.”
Said Knowles, “Cyber criminals, they don’t have any rules. They can use your brand or my brand to create a phishing email. They don’t care that it’s not legal to do that.”
“One of the biggest challenges is that we don’t talk to each other about [security breaches], because maybe it’s embarrassing that we had a cyberattack, or maybe it’s embarrassing that I clicked on a link. So, one of the things we do in Xero is we talk and practice with phishing simulations often, so that we get people to talk about them and to say, “Hey, that was really real. And I got caught.”
Knowles provided the example of employees being lured into clicking on a phoney email that went through the company, one which they thought was coming from a trusted, Xero staff member. “But people clicked,” revealed Knowles. Employees were lured by a fun invitation instead of confirming the invitation came from a trusted source. “So, you’re never going to stop everyone from clicking,” said Knowles. “Best practice for phishing is to get your numbers down to about 5%. We usually run about 5%.”
With more than 15 years of cybersecurity experience behind him, Knowles added, “the more that we can do to educate people and create a human firewall I think, is better than technology. Now that’s not to say, we have all the technology behind the scenes operating.”
Internal Communication, Development and Data Security at Xero
“I also am accountable for education awareness for all Xero staff,” began Knowles.
“We use Slack internally at work,” shared Knowles. “Our Slack is protected, and it’s locked down. So, I can communicate with [someone internally, and] no one else can intercept our communication.”
Knowles ensures that Xero software developers run work through Secure Code Warrior, “which is a really awesome process,” said Knowles.
Knowles communicated that Xero has, “… insight and responsible data use guidelines that are very clear around these are the principles of security… and how we will use your data. All very transparent.”
Regarding data security, “because we’re global, we look at what the best and tightest compliance requirements are around the world,” shared Knowles. “GDPR, which is the one that is in place for Europe is the best for privacy controls. So, we follow all the rules of GDPR” Knowles shared the following example, “So, if you, as a customer, don’t want us to hold data, under GDPR rules, we have to be able to delete it on your request. So, we do that.”
Knowles called out Canadian privacy standard, as well. “The Canadian team for Xero is sensational. And, I’ve had experience with the Canadian government and what they do for security in Canada. I think that the world has grown up, and Canada’s always had quite a positive future-facing look at health and safety.”
Knowles proudly added, “I’ve never worked for an organization that takes security as seriously as what Xero does.”
Security vigilance is a task for all of us. Said Knowles, “I just love the fact that what you do and what I do is actually spreading the news to just be aware, [learn and do] the basics, protect yourself.”
Related: Data protection