No accounting practice is immune to cybercrime or the damage it can cause. And the recent rollout of the Notifiable Data Breach (NDB) scheme now imposes significant penalties for failures to report breaches.
Update 23 April 2018: According to the OAIC's first quarterly report, 63 data breach notifications were received during the first six weeks of the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.
By Dr Michael Axelsen FCPA
Accountants today are trusted advisors using a raft of cloud-based and online technologies – file synchronisation software, online accounting packages and social media tools – to help their clients succeed.
They work more closely with clients and know more about their businesses than ever before, but in an always-on, interconnected world of databases and email, that knowledge is vulnerable to cybercrime.
Some firms might argue: “we’re too small”, “we don’t have anything of importance”, or “who would even bother?” As comforting as these platitudes are, they do not hold true. The rewards for cybercriminals from gaining access to client records can be substantial, the cost of carrying out attacks negligible, and the ramifications for accountants and clients far-reaching.
Why even small practices are cybercrime targets
The average accounting firm in Australia has 280 clients per partner and even “small” practices manage high-value clients. Indeed, a small firm will often have a client base worth millions of dollars – an extremely attractive target for cybercriminals and one which is sometimes a bit like shooting fish in a barrel.
Tax file numbers, addresses, dates of birth and bank account details constitute a treasure trove of information that can be used to steal a client’s identity. It can then be sold on the “dark web” for fraud using fake documentation to obtain real loans.
As for “bothering” to attack – well, frankly, it is often not much bother at all. In stark contrast to the IT security at some accounting firms, cybercriminals are increasingly sophisticated. Indeed, a practice might not even be aware that its security has been breached until client information is “in the wild”. Also, because of the value of the information firms retain, they make tempting targets for ransomware attacks, which are simple, effective and cheap to launch.
Clearly, the risk to a firm’s reputation and exposure to legal liabilities is great. As Warren Buffet famously noted, it takes 20 years to build a reputation and five minutes to ruin it. A practice known to have suffered a security breach may find it difficult to attract and keep clients, which is one reason why many hesitate to disclose a compromise.
NDB Scheme takes effect
The rollout of the Notifiable Data Breach (NDB) Scheme on 22 February 2018 aims to end this by imposing significant penalties on entities that fail to report breaches.
This new amendment to the Privacy Act requires a practice to report eligible security breaches. Such a breach is one in which personal and/or sensitive information is lost and serious harm to an individual is a likely consequence. The practice must report the breach to the Office of the Australian Information Commissioner (OAIC) or risk a $2.1 million civil penalty (the value of an Australian federal law penalty unit increased from $180 to $210 on 1 July 2017).
See the full report: NDB Quarterly Statistics Report January - March 2018
Although the NDB Scheme “only” extends to businesses with more than $3 million turnover, the TFN Rule applies to individual taxpayers’ tax file numbers. Hence, all authorised TFN recipients must comply with the regime in managing TFNs, meaning that all accounting practices must comply with the Privacy Act, at least insofar as TFNs are concerned.
Three steps to improve your cyber security
Accounting firms need to first identify the private and/or sensitive information they hold, and if the data is not needed, responsibly dispose of it.
Second, they must take reasonable measures to mitigate the risk of cyber security incidents.
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies. Its “Top 4” strategies are:
- application whitelisting (to protect against malware)
- patching applications
- patching operating systems
- restricting administrative privileges.
Finally, it is important to be able to detect a security breach if it occurs and to know how to respond – something which is helped by having a formal data breach incident response plan.
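The first of these steps, knowing what personal information the practice actually holds, can be partly automated. The script below is an added example, not code from the article or from any of the bodies it mentions: it scans a set of text files for nine-digit numbers written with or without spaces or hyphens, keeps only those that pass the ATO's published tax file number check-digit test (weights 1, 4, 3, 7, 5, 8, 6, 9, 10, with the weighted sum divisible by 11; the article itself does not describe this algorithm), and reports each hit with all but the last three digits masked so the report does not become another copy of the data. The file names and contents are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Weights from the ATO's published TFN check-digit algorithm (a known fact, not from the article).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

# Nine digits in three groups, optionally separated by a space or hyphen (e.g. 123 456 782),
# and not embedded in a longer run of digits such as a ten-digit phone number.
TFN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def is_valid_tfn(digits: str) -> bool:
    """True if the nine-digit string passes the weighted-sum check (sum mod 11 == 0)."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS))
    return total % 11 == 0


def mask_tfn(digits: str) -> str:
    """Keep only the last three digits so the findings report does not reproduce the TFN."""
    return "*** *** " + digits[-3:]


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    masked: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per checksum-valid TFN candidate in the given file contents."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in TFN_CANDIDATE.finditer(line):
            digits = "".join(match.groups())
            if is_valid_tfn(digits):
                findings.append(Finding(path, line_no, mask_tfn(digits)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents; in practice the contents would be read from disk."""
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample "files" (hypothetical content, not real client data). The phone number,
# the invoice number and the 123-456-789 reference are nine/ten-digit decoys that fail the check.
SAMPLE_FILES = {
    "clients/2016/smith_return.txt": "Name: J Smith\nTFN: 123 456 782\nPhone: 0412 345 678\n",
    "clients/2016/notes.txt": "Invoice 987654321 paid. Reference 123-456-789.\n",
    "archive/old_payroll.csv": "id,name,tfn\n1,A Lee,123456782\n2,B Kaur,876543210\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: TFN {f.masked}")
```

A number that passes the check digit is not proof that it is a TFN, only that it is worth a look; the checksum simply removes most of the random nine-digit noise (the invoice and reference numbers above) so that the list handed to whoever decides what to keep, archive or dispose of is short enough to act on.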
Dr Michael Axelsen FCPA is a lecturer in business information systems at the University of Queensland.