At a glance
During the 2020-2021 financial year, the Australian Cyber Security Centre (ACSC) received more than 67,500 cybercrime reports, the equivalent of one attack every eight minutes.
This was almost 13 per cent higher than the previous year, in large part due to the increased number of people relying on the internet to work, communicate and access services remotely.
Accountants are particularly attractive prey to cyber criminals, given the high amount of sensitive client data they keep on file, such as bank account details and tax file numbers.
Unsurprisingly, the finance sector consistently ranks as one of the highest-reporting industry sectors under the Notifiable Data Breaches (NDB) scheme.
For this reason, accounting practices have a responsibility to put in place some basic but important cyber security measures, both to safeguard their clients’ data and to protect their business from the reputational and financial fallout of a breach, explains Drew Fenton CPA at Fenton Green.
“In my view, this is the biggest risk any business is facing now,” he says.
“We have a cohort of bad people trying to steal your data for profit, so my strongest recommendation is to get yourself a good IT consultant to advise you and then, as a back-up, take out cyber insurance.”
Simple steps to strengthen your cyber defence
Aside from transferring exposure via cyber liability insurance – and outsourcing IT to a “reputable, well-resourced tech firm” – Fenton urges practices to rigorously apply the ACSC’s “Essential Eight Maturity Model” to enhance their cyber resilience.
In particular, he suggests focusing on the following measures:
- Install a firewall and ensure all devices are equipped with the latest anti-virus protections.
- Keep all systems and software up to date and install patches as soon as they become available.
- Back up data regularly (daily if possible), store copies offline so the network can be restored after an attack with minimal disruption, and test back-ups regularly.
- Enable multi-factor authentication on all staff devices to prevent unauthorised access.
- Train employees on cyber security, breaches and scams.
- Use a password management system to create long, complex passwords, and change them regularly.
- Encrypt personally identifiable information.
- Establish protocols around the use of business computers (stipulating, for example, that they should only be used by employees); likewise, limit system access to the people who need it.
- Prepare a cyber incident response plan, outlining staff members’ roles in the event of a breach, including all legal and regulatory obligations.
With self-reported losses from cybercrime in Australia totalling more than A$33 billion in the last financial year – and business email compromise alone costing on average A$50,600 per event – Fenton encourages practices to maintain a regular line of communication with their insurer to minimise the impact of what he believes to be an “inevitable” attack.
Not only can specialist cyber insurers share valuable insights regarding the latest scams and how to avoid them, but they can also ensure firms are complying with the terms of their cyber liability policy, which may include using specific anti-virus software, or implementing certain security measures.
Fenton adds, “Without question, insurers have a significant wealth of knowledge in this area, and our recommendation is always to go back and ask your broker or insurer for advice.”