Beyond the scaremongering
New data breach laws are forcing accountants to take a closer look at their security systems. A handful of steps might help ensure they’re on the right path to safeguarding their clients and staying on the right side of the law.
It won’t happen to my business.
That is how many accountants respond when asked about the threat of cyber crime, according to Julian Plummer. The managing director at Midwinter Financial Services, who recently launched a cyber division known as Kamino, says this overconfidence is troublesome, considering accounting firms and tax agents are among the biggest targets.
“Accountants are a honeypot because of all the information they hold on their clients,” Mr Plummer says. “They have multiple clients with cash, which makes them a very good target.”
If the threat alone was not enough, accountants now also have to make sure they comply with new mandatory laws that require firms to report data breaches to the Office of the Australian Information Commissioner (OAIC) as well as to the clients whose information had been hacked.
According to the OAIC, “a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure”. The new scheme applies to businesses with an annual turnover of $3 million. However, smaller firms are still subject to the new laws if they store certain sensitive information, such as tax file numbers.
Individuals and corporations that fail to comply with the notifications rules risk being fined up to $360,000 and $1.8 million, respectively. The bigger consequence, however, would be the reputational damage that follows, Mr Plummer says.
“If an accountant has just been hit by a large data breach, and all of your information is now publicly available via Google or being traded on forums, you’re going to lose trust in that accountant,” he says. “Once a client loses trust in that accountant, you’ve lost them.”
But just because the threat exists does not mean a data breach has to happen. In fact, there are several steps accountants can take that minimise their risks substantially. Mr Plummer believes many accountants lack the basic tools and safeguards that can protect their businesses.
“We did a survey that shows a large number of accountants and advisers, about 45 per cent, had a data breach last year, and a large number of them were spear phishing emails,” he says.
“That suggests to me that there is a lack of basic security procedures and policies within those practices, because that shouldn’t be that high.”
One of the most important steps that accountants can take to lower their risk is to stop using the same password for every application, especially for email, says Jamie Beresford, chief executive of security solution provider Practice Protect.
He cites an incident in which an accountant had her password breached at some point in her life. Because she had used the same password for several years, including for her work email, hackers gained access to her mailbox.
“They were then able to very quickly go through her sent items, go through all the emails that were sitting in her mailbox and find out that she was, in fact, an accountant,” Mr Beresford says.
“After two weeks, they sent an email to all of her clients, saying, ‘Hey, I’ve got some financial statements prepared early for you. Click here’. Three of the clients clicked on it and they had an impact. They had files corrupted.
“But here’s the kicker: there’s five years’ worth of email in that individual’s mailbox. Now, they have to trawl through all five years of correspondence and find out who could potentially have been impacted, whose data could potentially be in there, and let them know.”
Mr Beresford adds that saving passwords in a web browser is not a safe move.
“Google Chrome and Firefox both save passwords in clear text. You don’t need physical access to that machine that they are saved on because, behind the scenes, these browsers are saving them to other devices,” he says.
“So, let’s say you saved all your passwords on your work computer and you’re very comfortable that no one has physical access to that machine. However, any passwords that you’re saving are being synchronised to your phone, your tablet, your kid’s computer potentially.”
Mr Plummer also agrees that reusing the same password is highly risky. His advice? Stop typing passwords entirely. Instead, Mr Plummer recommends using a password manager such as LastPass, which stores the separate passwords for different applications in an encrypted database. All the user needs to do is remember the “master password” for the tool itself.
“Make sure everyone on your team has a [password manager]. No one should ever be typing a password ever again,” he says. “You wouldn’t believe how much that helps and it is so simple.”
Another important step that accountants can take is to start tracking access to their applications. Mr Beresford says many accounting apps are now cloud-based in some capacity, which makes them more convenient to use, but also more at risk.
He adds that tracking access can also minimise the damage from any data breach incidents.
“Generally speaking, what tends to happen in a firm or to a tax agent is they have a suspected breach but they can’t then find out who was affected or how. In that situation, they have to assume that they were breached and notify every client,” he says.
“However, if you have some tracking in place, in the event that you have a breach, you can actually go back and look through logs and say, ‘Okay, we haven’t had a breach’, or, ‘Hey, it’s isolated to these four clients’. You can isolate the issue and prevent it from becoming a real damage to your reputation globally.”
Mr Plummer says accountants can start tracking access with intrusion detection systems, which can log intruders and show their IP addresses and what systems they gained access to. Without this, it is possible some accountants will not know if their data has been breached.
“How do you know you’ve been hacked? They don’t write you a thank-you letter,” the managing director says.
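The log review Mr Beresford describes, scoping a suspected breach to the client records actually touched, can be done mechanically once access is being tracked. The following is an added example, not code from the article or from any firm named in it; it assumes a constructed log line format (timestamp, user, source IP, action, client record id) and a constructed set of office IP addresses, so a real application's logs would need their own parser.

```python
"""Scope a suspected breach from application access logs (added example).

Assumed, constructed log format: one event per line,
  <ISO-8601 UTC timestamp> user=<account> ip=<source> action=<verb> client=<record id>
Method: filter to the compromised account, the suspicious window and sources
outside the office, then list the client records reached. That list is the
notification scope instead of "assume everyone was affected".
"""
from datetime import datetime, timezone
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) client=(?P<client>\S+)$"
)

# Constructed sample data, not real logs. 198.51.100.x is the (assumed) office
# egress range; 203.0.113.7 is the unfamiliar address seen after the phishing.
SAMPLE_LOG = """\
2018-03-05T08:55:10Z user=jane ip=198.51.100.4 action=view client=C1001
2018-03-05T09:12:44Z user=jane ip=203.0.113.7 action=view client=C1042
2018-03-05T09:13:02Z user=jane ip=203.0.113.7 action=download client=C1042
2018-03-05T09:20:19Z user=jane ip=203.0.113.7 action=view client=C2210
2018-03-05T09:21:00Z user=bob ip=198.51.100.9 action=view client=C3003
2018-03-05T09:40:33Z user=jane ip=203.0.113.7 action=download client=C0877
2018-03-05T10:05:00Z user=jane ip=198.51.100.4 action=view client=C1001
"""
OFFICE_IPS = {"198.51.100.4", "198.51.100.9"}          # assumed trusted sources
WINDOW_START = datetime(2018, 3, 5, 9, 0, tzinfo=timezone.utc)  # first suspicious sign-in
WINDOW_END = datetime(2018, 3, 5, 10, 0, tzinfo=timezone.utc)   # account locked and reset

def parse(line):
    """Return a dict for a well-formed line, or None (never guess at malformed input)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def scope_breach(log_text, account, start, end, trusted_ips):
    """Return (affected client ids, matching events) for `account` between
    start and end from any source not in trusted_ips. An empty set means the
    logs show no client record was reached from an untrusted source."""
    affected, events = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["user"] != account:
            continue
        if not (start <= rec["ts"] <= end) or rec["ip"] in trusted_ips:
            continue
        affected.add(rec["client"])
        events.append(rec)
    return affected, events

def demo():
    """Run the sample case: the compromised account 'jane' in the window above."""
    return scope_breach(SAMPLE_LOG, "jane", WINDOW_START, WINDOW_END, OFFICE_IPS)
```

On the sample data the notification scope collapses to three client records rather than the whole client list, which is exactly the "isolated to these four clients" outcome the quote describes.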
But safeguarding a business with tools such as trackers and password managers will be useless if staff members are not also trained on how to deal with suspicious emails. Mr Plummer says his company often sends out fake emails to staff to train them on how to spot spear phishing.
“It’s a simulated test we give to our employees,” he says. “After a round of that, they quickly understand what is real and what isn’t and what a spear phishing attack looks like.”
Mr Plummer also says it is important to limit what access to data employees have.
“No one should have access to everything. Everyone should have access to their own bits. That way, a hacker can’t make their way,” he says. “It makes it difficult for them to move from one server to another.”
This step is especially important if there is, or ever was, a disgruntled employee in the business. Boaz Fischer, chief executive at CommsNet Group, which specialises in identifying and mitigating insider threats, recommends firms monitor tools used by employees.
“Monitor use of applications and access to data across the organisation, but also monitor users, privileges and behaviours in order to spot unauthorised use by employees or compromised users,” he says.
“Use security technologies to gain visibility and understanding of the behaviour indicating misuse or breach of personal data. For example, the control of removable media such as USB.”
Meanwhile, accounting firms that use outsourced contractors should be confident in those contractors' practices and have agreements in place, Mr Beresford says.
“Companies often have outsourced contractors, so either offshore or people working for them who aren’t on their payroll. They have IT companies that have access to their information. If one of those entities happens to have a breach, or they have sloppy password hygiene or practices, the accounting firm needs to have an agreement in place with them to make sure that they are responsible and liable,” he says.
“Otherwise, the tax agent is the one that has got to front up to the privacy commissioner.”
One of the aspects of the new breach laws revolves around having a response plan in place, which, according to Mr Beresford, has two parts to it: communication and remediation.
“There’s a communication process that needs to take place. Basically, you’ve got to let everyone know,” he says. “The other one is remediation. What are you going to do about changing your passwords? Who are you engaging with to help you with that? Depending on how widespread the breach is, you’re going to need to speak to a cyber security lawyer in that scenario.”
Mr Fischer offers four steps that a good response plan should take. These include containing the data breach to prevent further compromise of data; assessing the breach by gathering facts and evaluating risks; notifying individuals and the commissioner, if required; and reviewing the incident to consider what actions need to be taken to prevent future breaches.
“In general, entities should take data breach or suspected data breaches seriously and move immediately to contain, assess and remediate the incident. Breaches that may seem initially immaterial may be significant when their full implications are assessed,” he says.
“Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, an entity may take additional steps that are specific to the nature of the breach.
“At any time, entities should take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the scheme notification obligations may not apply.”
Mr Plummer notes that firms that take these preventative measures are looked upon favourably in the industry. He says accountants need to be “obsessed” with safeguarding their businesses.
“Accountants are experts at risk. So, what’s stopping them?”