How to secure your accounting data to help prevent third party breaches

In the past month, an estimated 3 million hack attempts targeting ATO systems were carried out.

The speed, scale and changing nature of identity fraud attempts to secure business and personal data are listed as the top concern of ATO.

The fraud attempts, where cybercriminals seek to obtain personally identifiable data from a number of physical and digital sources, are increasingly sophisticated and criminals are a deft hand at bringing it all together to conduct identity fraud.

The ATO has immense amounts of data it receives every year from 4.3 million small businesses. This explains why tax agents and accountants are now a lucrative data source for online criminals.

This article highlights the growing cybersecurity threats facing businesses and individuals, and how Ignition is working in tandem with its partners to address this threat. Plus, we’ll look at steps you can and should be taking to verify clients.

Today’s dynamic, highly mobilised, and distributed workforce has an ever-increasing vector of exposure to criminals. Data security for employees who have access to business and client data is critical, now more than ever. Importantly, the recent swathe of high-profile attacks has made cybersecurity top of mind for business leaders needing to protect their IP and their people.

In recent attacks, malware had been sitting on systems for many months collecting data, monitoring activity, and evaluating the right time for an attack. With many business systems connected and interconnected, the rampant rise in cyber crimes (the Australian Centre for Cybersecurity received 76,000 reports, which is likely to be a conservative figure) is driving up significant costs to the economy.

According to Deloitte’s report, ‘CyberSmart: Enabling APAC Businesses’, cyber spending in APAC is expected to grow faster than the global average with a projected AU$31 billion to be spent by 2026.

Cyberattacks on SMBs are now a truly disruptive force. Having the security you need can help your accounting practice stay out of the news, putting barriers in the way of would-be attackers and working to safeguard your operations and reputation – but if not, the damage to your operations and reputation can be devastating.

Innovation is not the sole domain of business: criminals are investing significantly to find ways to penetrate SMB business systems. Cybercriminals are forming professional organisations with partnership networks, resellers and call centres. They’re investing in innovative technology to outsmart individuals and organisations.

Cyber security is often referred to as an arms race, for a good reason. For companies, it's about remaining vigilant against an attack and managing risk in a cost-effective way, so they can continue going about business.

Recent hacks such as the ones carried out on Optus and Medibank are a case in point. These events highlight that no business is safe. The financial and potential legal impact to those clients whose data has been exposed is still being uncovered. Ultimately, we don’t yet know the long-tail ramifications of these breaches.

Historically, large-scale crises like this have led to developments in behavioural detection, artificial intelligence and machine learning to try and stay at the forefront of this ever-present challenge. It’s also resulted in modernised policies and new ways of working.

As all SMB businesses increasingly become digital businesses, the ATO and the Tax Practitioners Board developed client verification guidelines for tax practitioners. The guideline is to be read in conjunction with the Tax Practitioners Board’s Practice Note – Proof of identity requirements for client verification.

The guidelines also advise against retaining identification documents, as this may increase the risk of being targeted by criminals. Under the guideline, tax agents must verify two proofs of ID. The exception is when a primary photographic proof of identity document, such as a driver's licence, can be verified using the visual method.

By performing these tasks, tax agents and accountants are required to evolve their cyber strategy and seek tools to stave off attacks. In this escalating threat and compliance landscape, starting by protecting your employees will have an impact on your clients.

Incredibly, most people do not have multi-factor authentication (MFA) for their emails. And according to Microsoft an even larger number use the same password for their frequently visited sites and accounts.

Criminals are familiar with this approach to passwords – and it has also become somewhat of a standard for tax agents and accounting firms to have as their first line of defence against client information.

Regardless of whether it’s online or on the street, criminals know and prey on human behaviour and when it comes to passwords, humans are predictable. The volume of password attacks has soared to an estimated 921 attacks globally every second – a 74% rise in one year, according to the latest Microsoft Digital Defense Report.

The best line of defence is to ensure your password is encrypted through a password manager – the more random and unique the better. MFA is now a must as a second security step.

At least 12 million Australians have had their data exposed by hackers in recent months. It’s not uncommon for tech-savvy CPAs, who are running their own firm to want to scale fast and use software to enable their business and teams. But it pays to be aware that the amount of technology in use can make your company more vulnerable. The increased number of entry points to your business creates more risk.

The Ignition team is in constant contact with customers. It comes as no surprise that more experienced accounting firm owners we talk to – typically employing 20 people or more – are using around 40 SaaS platforms to conduct business. Password management software often isn’t on the list.

At Ignition, we partner with industry leaders including Xero, Intuit, Google, and Microsoft – each offering password management solutions including Single Sign On (SSO).

You may have noticed SSO and not thought much of it. SSO allows you to use one set of login details to access more than one application. Our customers and their teams can use SSO to conveniently access Ignition apps. This reduces the reuse of usernames and passwords across apps, minimising risk.

Additionally, Two-Factor Authentication or 2FA provides an additional level of security to your Ignition account by using a one-time password from your chosen authentication app or mobile phone. It is designed to ensure that you're the only person who can access your account, even if someone else knows your password.

We advise customers to have the authenticator app on a separate device rather than their main computer or laptop. They have the ability to install an app on a smart device and use technologies such as Authy, Microsoft Authenticator and 1Password to access their online accounts.

SSO is about your teams’ gaining access to their resources with a single sign-on authentication. Two-factor authentication uses just two of these methods to authorise a user's login attempts, whereas MFA (mentioned above) uses two or more of these checkpoints.

When it comes to payments, Ignition takes away the risk of accountants and their teams manually obtaining client credit or debit details and entering these into other payment gateways and merchant services. The platform does this by providing an easy-to-use and safe interface for clients to enter their payment details directly.

Credit card and direct debit details are never stored by Ignition. All sensitive payment details are transmitted directly to our payment providers over Secure Sockets Layer (SSL) encrypted connections and are not logged or stored in Ignition systems. An SSL certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection.

Any attempts deemed as unauthorised access to a customer’s account will not receive access to a customer’s card or payment information. Importantly, any attempts to redirect funds require new business verification checks from Ignition’s Fraud and Controls team.

There are consequences for all businesses that fail to protect against or manage cyber incidents.

The ACSC Annual Cyber Threat Report, July 2021 to June 2022, says the Federal Court of Australia has found financial planning firms have breached their financial services licence obligations by having inadequate cybersecurity systems.

While the judgement did not set a legal standard for Australian Financial Services licensees or other organisations, it’s a reminder that companies should consider their cyber protection, detection and response as part of their responsibilities.

Ignition takes data security seriously. Learn more about Ignition Security and how we’re working to keep your sensitive information secure.

Ignition makes it easy to be organised and detail-oriented, so you can focus more on relationship-building with your clients. Set yourself up for success with the right tools. Watch an online demo of Ignition today and see why thousands of accountants use our client and engagement platform to help run their firms.