6 Ways Accountants Avoid Optus-Like Data Breaches
As you’ll (hopefully) have heard by now, your Optus data was hacked (ex-customers, too).
In one of the worst data breaches in Australian history, varying degrees of personal data of some 10 million Aussies are now in the hands of the dodgy, dark-web-lingering, nefarious types. Hackers.
So, what now?
Well, the sheer scale of the leak is such that the people whose information was accessed may be only the tip of the iceberg of those ultimately affected. For example, accountants, who have long been regarded as gatekeepers of personal and confidential information, are now, more than ever, under threat of client identity theft and fraud. In many cases, the data accessed by the hackers included more than 100 points of ID.
As an accountant, your clients are now more likely to be targeted by scam activity, which puts your firm at risk in managing their financials. If we consider accountants to be the first line of defence, what should they do, at a minimum, to keep firm (and client) data from becoming vulnerable to unauthorised access?
Here are six tips on managing this very real risk:
Rule 1: Don’t send your client data to a third party
If you’ve ever shared your clients’ data with a third party, you’d better make sure you have all your ducks in a row. This might mean reviewing your engagement letters, privacy policy, GDPR rules, and the Privacy Act. The issue with sharing personally identifiable information (PII), or worse yet, more confidential financial information, is that you’re exposed to the security protocols of a third party you have no control or oversight over.
Worse yet, sharing client data without the client’s express consent is not only bad practice, but it is also in direct conflict with the consumer data rights protocols and industry body guidelines such as the Tax Practitioners Code of Conduct.
Also, who is at fault in the event of a breach? If you’ve given your client data to a third party, for example, in preparing a quote or “service” for your clients, you may have engaged in as many breaches as you have clients. It equates to throwing your most valuable asset into the abyss, especially now that this third party’s cyber security is impossible to assess. Think ISO qualification, a penetration test certificate, data breach and security protocols, firewall procedures - you might have no visibility over any of these measures when handing your client data to a third party.
Rule 2: Keep your data secure
Sounds obvious, right? Believe it or not, some third-party service providers will insist on entering your office, taking control of systems, extracting data, printing their clients’ financial information, and then walking out the door with a USB stick carrying detailed client information. Your firm should have a blanket policy that prevents third parties from insisting on this way of working. Beyond that, accounting firms should implement mandatory hardware encryption to enable remote wipe features in the event of third-party access.
Access can be shared using advanced technology such as zero trust and strong encryption, but personal information and financial information should never be shared together.
Rule 3: Maintain cybersecurity measures and protection
How do we prevent cyberattacks on accounting firms? A firewall is a great start, kept up to date with the latest patches, of course. To limit malicious software (“malware”) from taking hold of your practice, put antivirus software in place. This serves as another layer for controlling collateral damage if a malicious link, file, or website is accessed by your team (or your clients).
Consider “zero trust architecture” when designing and implementing your IT systems. It will go a long way in managing the reach of cyberattacks from affecting your entire network. Having these additional layers of security and verification means that your network traffic, devices, and users are pre-vetted according to your firm’s designated “least-privilege rules”. As an accountant, your status as a “trusted advisor” is about as stable as the IT infrastructure your firm promotes, maintains, and promises in protecting its information.
Rule 4: Manage employee negligence
If you’re stressed about your team leaking client information, you’re not alone. It’s a leading cause of breaches, and therefore needs to be managed with staff training, clear policy, and Data Loss Prevention (DLP) solutions that act as watchdogs over the movement of sensitive information.
One example might be a staff member being asked to send an email with an attachment that holds all the client names, entity names, turnover details, postal addresses, and phone numbers. Sound familiar?
It’s a common practice that could incur fines for each client whose information is compromised. By utilizing content scanning and contextual filtering, DLP software gives accounting firms the edge when it comes to controlling the movement of data - often client data - if ever it falls outside of best practice or firm policy. DLP tools can also block the attempted transfer (as opposed to simply raising the alarms) of PII and other sensitive data. It may be the copy in an email that your practice manager is trying to send to a third party or a file they’re trying to upload to the cloud.
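As an added illustration of the content scanning and contextual filtering described above (example code, not from the article or from any DLP product), the rule below validates candidate Australian TFNs and ABNs by their check digits before deciding whether an outgoing email may leave the firm. The firm domain, the sample email and the block/alert thresholds are assumptions.

```python
import re

# Check-digit weights: TFN is 9 digits (sum mod 11), ABN is 11 digits (sum mod 89).
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
# Hypothetical firm domain; mail to any other domain goes to a third party.
INTERNAL_DOMAIN = "example-firm.com.au"
# Digit runs of 9 to 15 characters, optionally space-grouped ("123 456 782").
_CANDIDATE_RE = re.compile(r"\b\d[\d ]{7,13}\d\b")

def is_valid_tfn(digits: str) -> bool:
    """9-digit TFN whose weighted digit sum is divisible by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

def is_valid_abn(digits: str) -> bool:
    """11-digit ABN: subtract 1 from the first digit, weighted sum divisible by 89."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    nums = [int(d) for d in digits]
    nums[0] -= 1
    return sum(n * w for n, w in zip(nums, ABN_WEIGHTS)) % 89 == 0

def find_identifiers(text: str) -> dict:
    """Content scanning: keep only digit runs that pass a check digit, so phone
    numbers and dollar amounts do not trigger the rule."""
    found = {"tfn": set(), "abn": set()}
    for match in _CANDIDATE_RE.finditer(text):
        digits = match.group().replace(" ", "")
        if is_valid_tfn(digits):
            found["tfn"].add(digits)
        elif is_valid_abn(digits):
            found["abn"].add(digits)
    return found

def dlp_decision(body: str, recipient: str) -> str:
    """Contextual filtering: identical content is allowed internally, but a
    message to a third party is blocked if it carries a TFN, flagged if only ABNs."""
    ids = find_identifiers(body)
    if not ids["tfn"] and not ids["abn"]:
        return "allow"
    if recipient.lower().endswith("@" + INTERNAL_DOMAIN):
        return "allow"
    return "block" if ids["tfn"] else "alert"

# Constructed sample: the kind of client summary a staff member might paste into an email.
SAMPLE_EMAIL = ("Client: Acme Pty Ltd, ABN 51 824 753 556, director TFN 123 456 782, "
                "mobile 0412 345 678, turnover $1,250,000.")
```

The phone number and dollar amount in the sample are deliberately present to show that the check digits, not the mere presence of digits, drive the decision.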
Rule 5: Secure any devices in your control
Your firm needs to secure all organisational devices. If your staff are copying PII and client data onto USB sticks or portable hard drives, this represents a big risk to the company. The fact that some accountants still use USB sticks to transfer data to third parties is surprising given the number of data leaks that have occurred in recent years.
Again, DLP products manage the likelihood of this occurring by leveraging device-control features that let you block USB ports and Bluetooth connections, and predetermine company-issued devices. When appropriate, you could reset passwords or devices remotely to prevent third-party access to client information.
Rule 6: Train your team
Your clients’ data is already with the hackers. If your team clicks a link allegedly sent by a client, this could give hackers access to your clients’ financial information. By duping your team into clicking a malicious link or opening an infected attachment, these bad actors can install a program on your network that lives there, undetected, collecting information. Without proper precautions in place, these “phishing” exercises eventually lead to a bite. Importantly, it’s the zero trust architecture, antimalware tools, and Trusted Platform Module infrastructure that help to contain the potential damage of these attacks.
Final thought
As a rule, don’t share your data with third parties. If you have to, do your due diligence on their security. When working with partners, expect more. If they’ve not innovated in providing data handling protection measures, look elsewhere. Update your computer systems, and put in place multi-factor authentication, antivirus software, and firewalls. As Niek Dekker of Eftsure said of the #Floptus debacle:
“it's a hack that might change the way Australians do business.”