How do you bring cybersecurity into the accounting profession? Christophe Ballihaut is in charge of the digital transformation of this business at Mazars France, and he’s given it a lot of thought.
Business districts are strange worlds. It’s easy to feel very small in the midst of skyscrapers and their thousands of glass panes, of which you can guess nothing.
Take this tower, for example, on the northern esplanade of La Défense, the Paris business district. 72 meters high, 16 storeys, 21,500 m² served by 10 elevators, it’s a colossus. On its north and south faces, a logo greets passers-by. Mazars.
An international group that commands respect, just like its head office, with 83 years of history and a presence in 100 countries and territories, organized around four main activities: auditing, legal services, consulting, and public accounting.
Cybersecurity, a Major Challenge for Digital Transformation
Behind one of the highest windows in the Mazars building is Christophe Ballihaut. As Director of Transformation and Innovation, he’s in charge of this department for Mazars’ accounting business in France. His role is to orchestrate “the digital transformation of the company, and everything to do with the use of new technologies in the various service lines of our accounting business,” he sums up.
And at Mazars, as elsewhere, digital transformation comes with its own set of cybersecurity challenges.
Bringing Cybersecurity Into Accounting
At Mazars, the rigour expected of an accounting firm also extends to the management of digital security. In this area, the French division sets an example.
Under Christophe’s leadership, the digital transformation of the accounting business has focused on three key cyber issues:
- ensuring the operational continuity of the business;
- guaranteeing organizational and operational compliance with the information systems security plan, which is aligned with ISO27001 and managed by the IT Department;
- raising awareness of cyber risks among all employees.
1. Digital Operational Resilience
The first task was to maintain the operational readiness of the business. “The first stage of the digital transformation was to talk about RPO and RTO, and DRP and BCP,” explains Christophe. In other words, recovery point and recovery time objectives, disaster recovery and business continuity plans: making sure that the machine keeps running even if something goes wrong, and ensuring that things get back to normal as quickly as possible.
Digital operational resilience is a crucial issue in international finance. It’s no longer just a question of protecting against threats, but of maintaining business activity even under heavy fire. In Europe, the subject has become so central that in December 2022 it led to DORA (Digital Operational Resilience Act), a major piece of European Union legislation on the cybersecurity of financial entities.
2. ISO27001 Certification
Once business continuity was assured, an information system security plan had to be put in place. The Director of Transformation and Innovation explains:
“There are more regulatory obligations for the audit business than for the public accounting business, but we have also set ourselves high standards. We are ISO27001 certified. We are therefore subject to security requirements linked to maintaining our certification in the different perimeters.”
3. Reducing Human Risk
Last but not least, raising staff awareness of cyber risks. The very nature of the accounting business means that human vectors account for a significant proportion of the attack surface. Here again, Christophe explains:
“The digitalisation, transformation and change in uses and practices in our accounting businesses is following a cycle that started perhaps a little later than in other industries, but has been hit hard by the rise of artificial intelligence. For example, sharing fully digitized documents in the cloud is a much more recent practice than in other sectors. This materiality of the human risk is therefore very prevalent in all the processes involved in digitizing our business.
“It is therefore imperative that we make all our employees aware of the dangers of attacks by social engineering, and of attacks due to a lack of vigilance. Let’s recall the obvious rules, such as not having a single password on several systems, never leaving your passwords lying around, having centralized access via SSO and protected by a second factor (2FA)…
“That was in the past, but today we’re still stressing the importance of having a truly hygienic approach to access management. It’s unthinkable that there could be a data leak due to an employee not maintaining good password hygiene on external systems.”
The eazy Portal, “The First Brick to Bring Software to the Public”
For Mazars, as for everyone else, digital transformation has brought another subject to the table: open doors on the web. Cloud services and SaaS applications are now legion, and pose cybersecurity questions that didn’t exist before.
For the accounting business, this first opening to the outside world came with the eazy portal, a global management solution for entrepreneurs designed by Mazars. Christophe recalls:
“At the level of France and the accounting profession, we were the first brick to bring software to the public. For the first time, the eazy portal provided access to our clients’ critical data via a web gateway.”
“Our Priority Is to Guarantee Secure Access to Our Clients’ Data”
The eazy portal is a management solution for entrepreneurs, for which the Mazars group must guarantee data security. These cyber stakes are pretty standard for a SaaS platform, except that the data hosted is highly sensitive, and there is no room for mistakes.
“Our priority is to guarantee the security of our customers’ data and, secondly, to guarantee access to our customer portfolio,” stresses Christophe. The digital impermeability of the solution is therefore at the heart of his concerns.
A Global Culture of Cybersecurity…
It goes without saying that security can never be the concern of a single team, especially in a group as large as Mazars. “We have a Global Chief Security Officer who standardized practices at group level. In France, the IT Department is responsible for security across all national perimeters,” explains Christophe.
… Which Starts as Close to the Product as Possible
In a group the size of Mazars, the security team can’t scrutinize every application produced in every detail. It’s outright impossible. As such, every team that creates software must be responsible for cyber issues:
“For Mazars’ cybersecurity teams in France, one of the tasks is to standardize security practices with regard to development. Once these principles and guidelines have been provided, it’s up to us to apply them.”
To complete the overall security continuum, consistency and security implementation checks are also carried out. Anyone who has ever crossed paths with Christophe Ballihaut will be able to tell you that he is far, very far from advocating theoretical security. Bringing this culture of cybersecurity as close as possible to the product and the production professions is one of his top priorities.
eazy: End-To-End Digital Security
The SecOps approach is part of the DNA of the eazy portal teams. “In addition to the security team’s guidelines, we have an entire quality assurance process integrated into a GitLab CI/CD, in which we also have security testing elements,” explains Christophe.
The idea is simple: to consider security from the very first lines of code, and to put in place multiple lines of defense, control and verification.
“In terms of development processes, we follow the standards. In other words, the code is produced and, automatically, first-level tests are carried out on dependencies, packages, things like that that could carry vulnerabilities. Then there are security reports produced by static analysis tools (SAST).
“Before each version is put into production, additional security tests are carried out by the developers, on top of the scanning tools. Finally, there is the last internal bastion, the last protection: pentesting carried out completely at random.” – Christophe Ballihaut
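The pipeline Christophe describes above, as an added illustration that is not Mazars’ or the eazy portal’s own configuration: a GitLab CI layout in which dependency scanning and SAST run automatically on every commit, a gate job fails the pipeline when a scanner reports High or Critical findings, and a manual pre-production review must be recorded before a tagged release is deployed. The `build`, `severity-threshold`, `pre-production-review` and `deploy-production` jobs, the Node.js image and the `deploy.sh` script are assumptions; only the two `include` templates are GitLab’s real ones.

```yaml
# Added illustration, not the eazy portal's real pipeline.
stages:
  - build
  - test            # GitLab's SAST / Dependency Scanning jobs run in this stage by default
  - security-gate
  - deploy

include:
  - template: Security/Dependency-Scanning.gitlab-ci.yml   # first-level checks on dependencies and packages
  - template: Security/SAST.gitlab-ci.yml                  # static analysis security reports

build:
  stage: build
  image: node:20   # assumption: a Node.js service
  script:
    - npm ci
    - npm run build

# Fail the pipeline when any scanner reports High or Critical findings.
# Assumption: the scan jobs' report files are downloadable artifacts in this stage
# (the templates declare them under artifacts:reports; add artifacts:paths if they are not).
severity-threshold:
  stage: security-gate
  image: alpine:3.20
  before_script:
    - apk add --no-cache jq
  script:
    - |
      for report in gl-sast-report.json gl-dependency-scanning-report.json; do
        [ -f "$report" ] || { echo "no $report (scanner did not run for this project)"; continue; }
        high=$(jq '[.vulnerabilities[] | select(.severity == "Critical" or .severity == "High")] | length' "$report")
        echo "$report: $high High/Critical finding(s)"
        [ "$high" -eq 0 ] || exit 1
      done

# The developers' additional pre-production tests are represented by a manual
# approval gate that blocks deployment of tagged releases until someone clicks it.
pre-production-review:
  stage: security-gate
  script:
    - echo "Manual security review of release $CI_COMMIT_TAG recorded"
  when: manual
  allow_failure: false
  rules:
    - if: $CI_COMMIT_TAG

deploy-production:
  stage: deploy
  script:
    - ./deploy.sh production   # assumption: the project's deployment script
  needs: [severity-threshold, pre-production-review]
  rules:
    - if: $CI_COMMIT_TAG
```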
Bug Bounty, “An Ongoing Program That Complements Previous Tests”
The eazy portal follows a well-honed application cycle that has nothing to envy of the processes in place at the biggest software publishers. But why stop there when you can do even better?
“We decided to set up a bug bounty to provide additional control. It comes at the end of the process, it’s a continuous program that amends all the previous security tests. Today, it’s more relevant than ever, as public accounting now falls within the scope of ISO27001 certification.”
Mobilizing Security Researchers to Strengthen Digital Security
Bug Bounty is a method of detecting vulnerabilities. A bug hunt that mobilizes the ethical hacker community to test the security of a digital asset — applications, websites, IoT, etc. If a hacker finds a vulnerability, the organization awards them a bounty. The more critical the vulnerability, the higher the reward. If the hackers find nothing, the organization incurs no expense. Easy, isn’t it? Yes, but it’s only useful if you’re serious about it. Here, the eazy portal is a case in point.
“We Have a Server Farm Dedicated to Bug Bounty”
The eazy teams are giving their bug bounty program every chance of success by allocating the necessary technical and human resources. “We have a server farm completely dedicated to bug bounty, and a referent in the development teams, in addition to the Mazars security teams,” explains Christophe Ballihaut.
Mathieu Bouvet, Lead CSM at Yogosha, concurs: “They provide cloned environments, and that requires resources. There’s a real willingness to take bug bounty seriously, it’s very pleasing.”
The triage of vulnerability reports sent by security researchers is done by the developers, with Yogosha’s assistance. All the steps up to remediation follow: “When we receive a report, it is analyzed, prioritized in our backlog, and treated as a security incident,” explains eazy’s Director of Transformation and Innovation.
Identifying Critical Vulnerabilities
With bug bounty, Christophe seeks to identify the most critical vulnerabilities. The security level imposed by Mazars in France is high, and the eazy portal is already subject to numerous reviews.
“Some less-experienced bug hunters, with 2 years’ experience or a security school-leaver’s vision, may come up with evidence that doesn’t correspond to a real security issue. This famous version of Apache Log4j, for example. Obviously, an organization like ours doesn’t expect this kind of feedback. What we’re looking for are intellectual constructs that properly integrate the intimate modus operandi of the eazy portal, to find the doors that might be left open.”
To attract the best security researchers, Christophe provides his bug bounty with material, human and financial resources.
“The idea behind our bug bounty is therefore to encourage the most relevant reports, which will lead to big bounties, rather than basic reports that only bring up obvious things.”
Indeed, the most critical vulnerabilities are also the most difficult and time-consuming to find. They require real expertise from the researchers. The promise of a substantial bounty thus encourages the best bug hunters to take part in this program rather than in a neighboring one that pays less.
The competitiveness of the rewards promised to researchers is a determining factor in the effectiveness of a bug bounty, even if it is far from being the only one. For further information on this topic, we recommend you read our guide to a successful bug bounty.
The bug bounty led by Christophe is thought through from A to Z, from its role in the eazy portal’s overall security journey to the extent of the rewards to attract the top performers. Naturally, the program pays off in the end.
“Not a quarter goes by without us receiving an extremely qualitative report, which completely justifies working with a bug bounty program. It has always enabled us to improve our security, and to further consolidate our development structures.”
Christophe sees this training aspect of bug bounty right down to his own development teams.
“Bug bounty plays an indirect role in training development teams. There’s an educational side to it, it gives everyone a culture of concern for security. My developer teams are still very DevOps-oriented, and bug bounty really raises their awareness of security.”
The Director of Transformation and Innovation goes even further in the educational use of bug bounty, as he uses some of the reports sent in by hackers as learning aids.
“Sometimes I take advantage of minor reports that I know we won’t fix at all. I give them that as material to analyze, think about and complete, while reading documentation to become aware of the risk. So even minor reports are useful to help them maintain and develop this sensitivity to application security.”
Rethinking Security Audits
Christophe Ballihaut is not a man to place blind trust in his suppliers. A wise attitude: it’s vital to be sure of the quality of your partners, in cybersecurity perhaps more than anywhere else.
“I’m a big believer in the motto ‘Trust doesn’t exclude control.’ It’s something I’ve applied since one of my first experiences with an audit company, at the time commissioned to carry out a pentest. I had put in a honeypot, and left behind a real security breach. It happened as it was expected to: the auditor made a big fuss about the honeypot, and never found the real security issue behind it.
“It was a way for me to gauge the mindset and level of precision with which the auditor would work, and his ability to bring up real issues. And Yogosha was subject to the same type of procedure — as I said, trust doesn’t exclude control.
“Things are going well with Yogosha. It’s a complete and active part of the security system. I always look at the relevance of what comes up to adjust the delivery, but the fact is that we’ve been working together historically and it’s still relevant. We always come across real issues, and that completely justifies the bug bounty and the investment we make in it.”
Pentest: “We Need to Complete the Traditional Mission Model”
In his search for the right service provider, Christophe wondered about the very nature of security testing as we know it, and its relevance in today’s ecosystem. Historically, penetration tests have always been carried out by traditional auditing firms, accustomed to providing one-off services. This approach to security has two major pitfalls.
“This anecdote about the honeypot led me to reflect on the relevance of carrying out pentests in a direct, structured way via an external company. I think we need to stop, or at least complete, this traditional mission model with a start and end date, a framework and a methodology that we execute. We need to go further than traditional pentesting: after a while, you fall into the easy way out. You pick up CVSS scores that are falsely problematic without going into any depth.”
Structured approaches struggle to detect the most devious vulnerabilities. Malicious actors compete in ingenuity to reach their targets, and so must we. Here, eazy’s Director of Transformation and Innovation testifies to the value of a solution like Yogosha.
“A traditional auditing firm masters the methodology very well, which is structured, but often doesn’t leave enough room for the creativity of its pentesters. They focus more on unfolding their methodology, and on the time spent. There’s not enough room for the unexpected. With people who think differently, like ethical hackers, we try to find the real problems.”
“It’s the Continuity of the Work That Really Makes the Difference”
The second limitation of pentesting in its traditional form is that security testing is seen as a single step, a one-off exercise. This approach is no longer adapted to modern application lifecycles. Companies are looking for agility, and deliveries are far more numerous and frequent than a few years ago.
Offensive Security (OffSec) can no longer be a one-off exercise; it must be continuous. It’s this certainty that drives all our activity, and Christophe Ballihaut’s feedback is most welcome.
“Hackers are a complete game-changer in terms of qualitative feedback. I’d say the two are complementary, but it’s the continuity of the work that really makes the difference. With Yogosha, there’s a real ongoing effort that keeps us on our toes at all times.”
This continuous security watch obviously involves bug bounty, but also the modernization of pentesting activities. That’s why at Yogosha, we advocate Pentest as a Service (PtaaS): penetration tests that can be activated on demand, in less than a week, and at a cost that is much more attractive to organizations.
“The Next Project Is to Have a Complete SecDevOps Pipeline”
As you may have gathered, security is an ongoing topic for Mazars France, and in particular for the eazy team. And while we ponder these considerations, Christophe Ballihaut already has his eyes on the future.
“The next big security project is to integrate everything into a single Factory, and stop having tools all over the place, with an increasingly aligned and industrialized logic.”
We don’t know much about accountancy, to say the least. But for entrepreneurs looking for a management solution that cares about their data, we have just one thing to say. Remember that on the northern esplanade of the Paris business district, behind one of the top-floor windows of the Mazars building, a man works with a single obsession in mind: “the priority is our customers’ data.” And they’re clearly in safe hands.
If your customers’ data security is as precious to you as it is to Christophe Ballihaut, feel free to contact us. We won’t be able to help you with your accounting needs, but Offensive Security is where we shine.