Poor usernames and passwords are the first line of attack. If one of your service providers has been subject to a widespread attack, as companies like LinkedIn, Adobe and others have experienced, it is likely that the username and password combinations you used for those services can be obtained by the crooks and used to break into your accounts on other services. If you’re not sure, go to https://haveibeenpwned.com/ to check whether your username or email address has possibly been compromised.
Of course the obvious also applies. Use different passwords for different services. Use passwords that are difficult to break. It’s all a hassle but in this day and age, one has little alternative.
Using two-factor authentication is also important. It should be turned on where available for every service that you use. Two-factor authentication involves sending a code to your mobile device, which means you need to have the device as well as the password to gain access. However, it’s not infallible. The crooks are managing to find ways of redirecting SMS messages by hacking telcos and by other means. For this reason, many companies are now using their own mobile apps to manage two-factor authentication rather than relying on SMS.
Accounting firms are a very attractive target for the crooks due to the sensitive financial and private client data that are held on firms’ systems. Much, if not all, the information needed to successfully steal an identity can be found in client data.
Cloud accounting systems are another point of vulnerability. Access to an accountant’s cloud accounting dashboard might deliver access to many clients’ accounting ledgers, with the treasure trove of employee records held in the payroll systems. Firms need to be extra vigilant in ensuring access is as secure as possible.
These are just some of the things to consider. Come to ATSA on October 16-17 to hear a number of speakers discuss this increasingly important topic. Click here to find out more.
Nothing is 100% secure. So the next thing you need is a plan. You need to have your client communications ready. How would you communicate with your clients if a breach occurred? What would you tell them to do? What in turn should they be saying to their employees? You need to have templates ready to go at a moment’s notice.
There are a number of guides and services to assist you should a breach occur. The Australian Government’s Office of the Information Commissioner has a guide “Data breach notification — A guide to handling personal information security breaches” which can be found here https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches.
There is also this guide on notifiable data breaches https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/ as well as this support service for people concerned about identity theft and cybersecurity generally http://www.idcare.org/.
Training of your team is also critical to ensure that they know what to look for and what they should do if they suspect a problem has occurred.
There are many other things you need to consider including keeping software up to date, securing mobile devices, strong backups of data, malicious software scanning and more. It is critical you are across all of these issues.
Cyber Insurance is another key component of your risk management plan.
Come to ATSA in Sydney on October 16-17 to hear from the experts and ensure you’re on top of it all. ATSA, of course, delivers much more with over 70 sessions and over 65 exhibitors providing you with the opportunity to ensure that you’re keeping your practice at the forefront of leveraging technology.