No place to hide
Accountants have been turning a blind eye to cyber security, but there are now legislative triggers which require tax and BAS agents to have a risk framework in place, and rethinking your practices is unavoidable.
The mandatory data breach notification (MDBN) scheme, formally the Notifiable Data Breaches scheme under the Privacy Act and administered by the Office of the Australian Information Commissioner (OAIC), commences on 22 February 2018. From that date, entities covered by the Privacy Act must notify the OAIC and the individuals affected when a data breach is likely to result in serious harm, which puts the onus squarely on those entities to protect the personal information they hold against cyber attacks.
Cybersecurity and privacy expert Leah Mooney from law firm Minter Ellison warns that accountants, particularly those who own or work in smaller firms, may not be aware that the MDBN will apply to them. “Most SMEs don’t need to be concerned about the changes that are coming in next year, because the Privacy Act and the Australian Privacy Principles, as a general composition, will only apply to organisations with an annual turnover of over $3 million.
“However, there is a separate tax file number rule under the Privacy Act,” she further describes.
“Any recipients of tax file number information, regardless of their annual turnover, are compliant under those obligations.”
Ms Mooney points out that an accounting firm that earns less than $3 million but handles tax file numbers will still have to comply with the MDBN scheme, but only insofar as a breach involves tax file number information.
“Organisations that earn in excess of $3 million a year, will have to comply with both the Privacy Act, Privacy Principles, and also that tax file number rule,” she said.
While there’s always been a professional obligation for accountants to treat client personal information with care, the MDBN scheme now puts a legal imperative on organisations to take the steps necessary to safeguard that data from unwanted third parties and intruders.
Ian Taylor, chair of the Tax Practitioners Board (TPB), also highlights that accountants who fail to comply with the notifiable data breaches scheme may also be infringing on the Code of Professional Conduct around their obligations to client confidentiality.
Where a notifiable data breach does occur, Mr Taylor says the Board may take into consideration the steps the practitioner had already taken to prevent it.
Mr Taylor draws a parallel between taking reasonable steps to prevent a notifiable data breach and securing a physical workplace.
“It’s like saying a practitioner goes on leave, locks up the office, locks up the computers, locks up the safe, puts all papers in the safe. But somehow, someone breaks into the office and accesses information,” he said.
“It’s the same analogy; if you’ve done everything possible in the first place to stop the cyber attack, it’s like somebody breaking into your office,” Mr Taylor said.
“We take a favourable view in those circumstances.”
However, where a practitioner has not taken appropriate action to minimise the risk of cyber attack before a notifiable data breach occurs, the TPB may take a different view.
“As a general guideline, we’re emphasising the fact that we believe practitioners need to take reasonable steps to ensure that they are protecting themselves, their practice and their clients from potential cyber attacks,” Mr Taylor says.
Where are accountants going wrong?
Whether a practice runs cloud or desktop software, the main areas where accountants go wrong in their defences share a common thread: they are usually the simplest mistakes. The first, and most common, concerns credentials, that is usernames and passwords.
According to Ed Blackman, chief technology officer at accounting software company Reckon, a prominent route to identity fraud is stolen credentials.
“One of the biggest problems that we see are “phishing attacks”, where somebody attempts to gain access to somebody’s credentials.
“[Attackers] are able to send you an email purporting to be somebody that you know, asking you to access a document or a system which is actually a fraudulent system that you enter your credentials in to,” Mr Blackman said.
“Once you do that, they’ve got your username and password and they then go and access your system,” he said.
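The credential-phishing email Mr Blackman describes usually gives itself away in its links: the visible text names the real site while the href goes elsewhere, or the "login" host is simply not one the firm uses. The following is an added example for this article, not code from Reckon or any other vendor; the trusted-domain list and the sample email are constructed, and the registrable-domain reduction is deliberately crude (a real mail filter would use a public-suffix list).

```python
"""Check the links in an HTML email for two common phishing tells: visible
text naming one domain while the href goes to another, and a login link whose
host is not a domain the firm actually uses.
Added example for this article, not code from Reckon or any other vendor;
the trusted-domain list and the sample email below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this firm legitimately signs in to (assumption for the example).
TRUSTED_DOMAINS = {"ato.gov.au", "reckon.com", "office.com", "microsoft.com"}

# Visible anchor text that itself looks like a URL or a bare domain name.
DOMAIN_IN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#].*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain (eTLD+1) reduction: the last two labels, or the
    last three under the common Australian second-level domains. Enough for
    the example; production code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "au" and labels[-2] in {
            "gov", "com", "net", "org", "edu", "id"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_links(html):
    """Return a list of (href, reason) findings for suspicious links."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        url = urlparse(href)
        host = url.hostname or ""
        if url.scheme not in ("http", "https") or not host:
            findings.append((href, "link is not an http(s) URL"))
            continue
        shown = DOMAIN_IN_TEXT.match(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
        elif registrable(host) not in TRUSTED_DOMAINS:
            findings.append((href, f"link to untrusted host {host}"))
    return findings


# Constructed sample: one lookalike ATO login link, one genuine ATO link,
# one typosquatted Office 365 "verification" link.
SAMPLE_EMAIL = """<p>Hi, please review the attached activity statement:</p>
<a href="https://ato.gov.au.secure-login.example/portal">https://ato.gov.au/</a><br>
<a href="https://www.ato.gov.au/">ATO website</a><br>
<a href="http://0ffice365-verify.example/login">Verify your Office 365 account</a>"""

if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href}: {reason}")
```

Run against the sample, the first and third links are flagged and the genuine `www.ato.gov.au` link passes. The first check matters most: `ato.gov.au.secure-login.example` contains the real domain as a prefix, which is exactly what a glance at the link text will not catch.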
This is of particular concern for accountants who use AUSkey to access the ATO’s Tax Agent Portal, which contains sensitive information such as tax file numbers and bank details.
“People can break into those systems and can essentially modify those details,” Mr Blackman reports.
“They’re able to compromise an AUSkey, or through identity fraud assign themselves an AUSkey, then they can lodge a return and arrange for the refund to be sent into their own accounts.”
Another prevalent pathway, Mr Blackman says, is the email account, which unlocks a whole portfolio of other systems.
“A common way that’s happening at the moment is people gaining access to Office 365 accounts, and once they do that, they’ve got access to all of your emails,” he said.
“As soon as they’ve got access to your emails, they can do a number of things,” Mr Blackman describes.
“Firstly, trawl through it all and get additional information that they can then use to prosecute an identity fraud.”
He adds, “They can also find things like invoices. They can grab those invoices, change the bank account details and send them on again.”
“[Invoice fraud] is certainly one that we’ve been told about by our clients,” says Mr Blackman.
“We’ve assisted them in their inquiry and have been able to confirm that it’s a breach of their systems rather than ours.”
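The invoice fraud Mr Blackman describes works because the altered invoice arrives from a genuine mailbox, so nothing about the email itself looks wrong. The control that defeats it is procedural: bank details are compared against the supplier record already on file, and any difference is confirmed by phone on a number already on file, never on one printed in the email. The following is an added example for this article of that payee-change check, not Reckon's code; the supplier file, invoices and the ten-digit account limit are constructed assumptions.

```python
"""Payee-detail change control for accounts payable: compare the bank details
on an incoming invoice with the supplier record already on file and hold any
payment whose details do not match until the supplier has been confirmed by
phone on a number already on file, never on a number from the email.
Added example for this article, not Reckon's code; the supplier file and
invoices below are constructed."""
import re


def normalise_bsb(bsb):
    """Strip formatting from an Australian BSB; it must be exactly six digits."""
    digits = re.sub(r"\D", "", bsb)
    if len(digits) != 6:
        raise ValueError(f"BSB must have six digits: {bsb!r}")
    return digits


def normalise_account(account):
    """Strip spaces and hyphens from an account number. Digits only, at most
    ten of them (assumed limit for the example)."""
    if not re.fullmatch(r"[\d\s-]*\d[\d\s-]*", account):
        raise ValueError(f"account number is not plain digits: {account!r}")
    digits = re.sub(r"\D", "", account)
    if len(digits) > 10:
        raise ValueError(f"account number too long: {account!r}")
    return digits


# Constructed supplier master file: details confirmed at onboarding, plus the
# phone number that was used for that confirmation.
SUPPLIER_FILE = {
    "Acme Stationery": {"bsb": "062-000", "account": "1234 5678",
                        "verified_phone": "02 9000 0000"},
}


def assess_invoice(invoice, supplier_file=SUPPLIER_FILE):
    """Return ("pay" | "hold" | "reject", reason) for one invoice dict with
    keys supplier, bsb and account."""
    try:
        bsb = normalise_bsb(invoice["bsb"])
        account = normalise_account(invoice["account"])
    except ValueError as exc:
        return "reject", str(exc)
    record = supplier_file.get(invoice["supplier"])
    if record is None:
        return "hold", "new supplier: confirm bank details by phone before first payment"
    on_file = (normalise_bsb(record["bsb"]), normalise_account(record["account"]))
    if (bsb, account) == on_file:
        return "pay", "bank details match the supplier file"
    # A "our bank details have changed" note on the invoice changes nothing:
    # the mismatch still has to be confirmed out of band.
    return "hold", (f"bank details differ from file; confirm with the supplier on "
                    f"{record['verified_phone']} (a number already on file), not a "
                    f"number from the invoice or email")


def record_verified_change(name, bsb, account, confirmed_by_phone,
                           supplier_file=SUPPLIER_FILE):
    """Update the supplier file only after an out-of-band confirmation."""
    if not confirmed_by_phone:
        raise PermissionError("bank detail changes need phone confirmation first")
    supplier_file[name].update(bsb=normalise_bsb(bsb),
                               account=normalise_account(account))


if __name__ == "__main__":
    tampered = {"supplier": "Acme Stationery", "bsb": "062-000", "account": "9876 5432"}
    print(assess_invoice(tampered))
```

The point of `record_verified_change` is that the only path that updates the supplier file requires the confirmation flag; an attacker who controls the mailbox can send as many "updated details" emails as they like without ever getting past the hold.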
Despite the deceptive nature of cyber crime, some accounting firms still neglect their defences by treating the issue as white noise, with many believing it would not happen to them.
Tony Greco, IPA’s general manager of technical policy, reminds agents that they are high-risk targets because of the data they hold, such as tax file numbers and bank account details.
“The case has changed in business conditions, these hacking organisations are getting quite clever,” he says. “It’s only a matter of time before someone tries to attack their systems.”
Furthermore, smaller accounting firms are by their very nature more vulnerable to cyber attacks, because they have fewer resources and people to allocate to the problem.
The danger, Mr Greco worries, is that accountants may not take the precautions necessary to ensure data safety until it’s too late. “Busy accountants may decide not to give cyber security much focus until someone in their network has had an unfortunate instance, or client data has been compromised and they’re subject to a litigation case against the firm, or their system has been brought down,” he says.
Safeguarding against cyber attack, however, isn’t necessarily complicated.
In Mr Greco’s experience, “preventative measures here can go a long way to ensuring that they don’t have that unpleasurable event happen to their practices.”
Building cyber resilience
In light of the mandatory data breach notification scheme, there are a number of practical and technical solutions that accounting firms can implement to improve their cyber security.
Review current security systems
As a starting point, it’s worthwhile for accountants to review what security controls they currently have in place on their computer systems. Simple, common-sense changes can go a long way towards improving a firm’s security position.
In particular, accounting firms should review password practices, an important area where firms may currently be lax for the sake of convenience.
Access should be limited to the minimum number of people required, and passwords should be strong and not reused across systems. Reckon’s Mr Blackman advises that passwords should ideally be long, because length is what makes them expensive for cracking tools to guess.
Where possible, accountants should also use multi-factor authentication (MFA), a form of login that requires two separate proofs of identity, for example a password plus a one-time code delivered by SMS or generated by an authenticator app. With MFA in place, a password stolen through phishing is not on its own enough to get in. Some accounting software, including Reckon’s, already offers two-factor authentication that practitioners are not aware of.
Mr Blackman advises, “For some of our products, we’ve already got MFA available for certain log in methods, but it’s something that we will be working on to make available for all systems next year.”
Develop a cyber breach response plan
In lawyer Leah Mooney’s experience, it is essential for accounting practices to prepare a framework in case of a cyber breach. “Once there is a data breach, things happen very quickly,” she explains.
“If you’re not prepared and you haven’t thought about what might happen, it becomes very difficult to manage the breach and it can then be harder to manage your client expectations following on from that.”
Ms Mooney says that there are plenty of resources, both free and paid, available to assist small-to-medium sized accounting practices in the event of a data breach. The point that she stresses is that it is crucial to identify who could help prior to problems occurring.
“I recommend that [accountants] be ready to pull in advisers as promptly as possible, whether it’s their solicitor or the OAIC, there are other governmental organisations such as CERT Australia who can help in the immediate aftermath of a breach,” she says.
“It’s much harder to throw that together if you haven’t thought about it and haven’t got yourself a data breach response plan.”
Get the right insurance coverage
TPB’s Ian Taylor said that in addition to standard professional indemnity insurance, which covers third-party losses such as a client’s financial loss, practitioners can protect themselves by considering additional cover for first-party losses.
“In other words, these are the losses that the actual practitioner suffers,” he says.
Mr Taylor lists potential costs that agents can suffer as a result of a cyber attack.
“It could be reputational, it might include paying a ransom to get back data, or getting your systems back online. It could have a flow-on effect to other clients, for example if your systems go down the day before a significant lodgement date with the ATO,” he says.
There are resources available to help practitioners understand the MDBN scheme, as well as furthering their professional knowledge around cyber security.
Ms Mooney from Minter Ellison advises that the OAIC is a helpful place to begin.
“The OAIC has said that for the next 12 months that it will be seeking to play an educator’s role and seeking to assist organisations to comply with their obligations, rather than focusing on compliance,” she says.
Nationally, the IPA offers training, and its technical publications regularly carry updates on cyber security. The TPB is also encouraging accountants to educate themselves, and has modified its continuing professional education (CPE) policy to recognise courses or work related to cyber security.
TPB chair Ian Taylor says, “If a person attends a cyber security seminar, we’ll now accept that as part of their ongoing professional education because we want them to be aware of their obligations to protect themselves and their practices the best that they can.”