Earlier this month, the Office of the Australian Information Commissioner’s (OAIC) latest quarterly statistics showed that the legal, accounting and management services sector accounted for the third-highest number of data breach notifications in the reporting period of July to September 2018.
Of the 245 total notifications recorded from 1 July to 30 September, the legal, accounting and management services sector accounted for 14 per cent.
The sector showed an even split between breaches arising out of human error and malicious or criminal attacks, with 17 apiece.
Speaking to Accountants Daily, Crowe Horwath partner Scott Goddard said it was reasonable to conclude that intentional disclosures were part of the human error statistics.
“The natural human tendency is to trust your colleagues, trust your fellow workers and that’s a natural human instinct and we are conditioned to an extent to focus on external threats presenting themselves in terms of criminal conduct,” said Mr Goddard.
“[But] we need to make sure that accountants are aware that these things can happen, there are significant consequences if they do and that it is important that we talk about it as an organisation on a regular basis that we take steps to keep vigilant for these sorts of indicators that might suggest that something untoward is going on.”
According to Mr Goddard, accounting firms need to have internal controls in place, and a response plan, should something go wrong.
“The most important thing for organisations is to maintain a strong system of internal control, strong management oversight, ensure that there are appropriate processes in place to authorise transactional activity,” said Mr Goddard.
“We have to remember that most of this sort of behaviour is done with an intent to extract some value from the organisation and that value could be intangible that people can on-sell to another party for financial gain or it could be purely for the purpose of extracting cash or cash benefit out of the organisation.
“The important thing is about balance – making sure that within an organisation they are having the conversation internally and they are evaluating their resistance to that sort of conduct, that they believe they have adequate business conduct arrangements in place – policies, procedures, systems and mechanisms to prevent it happening, detect it if it is occurring and that they have a strategy to respond to things responsibly and quickly in the event that something should happen.”
“The challenge for accounting firms today is going to be how are they going to respond [to] the regulators if there is a disclosure from an employee, for example, of confidential client information such as tax file numbers, bank account details, that they have already taken adequate steps to protect that information internally and that it was done with criminal intent and they have taken appropriate steps to investigate and triage it as quickly and expeditiously as possible and that they’ve been responsible to those parties by notifying them.”