Login
iscover
Boost self-defence measures and awareness in the wake of the Optus data breach, say digital security experts.
Newsletter
Accountants ‘should be on high alert for cyber threats’
07 October 2022
•
11 minute read
It is imperative accountants take measures to combat cyber criminals and “the threat is the threat is the threat” regardless of whether the attacker is a criminal, hobbyist, or state-based actor, say cyber security experts.
You’re out of free articles for this month
To continue reading the rest of this article, please log in.
Create free account to get unlimited news articles and more!
The implications of the recent Optus hack for all businesses and how they could bolster their cyber security was the subject of a webcast on Accountants Daily sister brand Cyber Security Connect featuring director Phil Tarrant, Major General (Ret’d) Dr Marcus Thompson, and cyber defence company ParaFlare chief executive Adam McCarthy.
Dr Thompson — who was the first head of information warfare for the Australian Defence Force and is now on ParaFlare’s board as a non-executive director — told Cyber Security Connect that “intuitively”, he would direct accountants to be alert to criminal behaviour in relation to cyber security, rather than state-sponsored activity.
However “the threat is the threat is the threat” regardless of who was the source and there was no one-size-fits-all assessment of the potential threats facing accountants and their businesses.
“[The nature of the threat] doesn’t change your approach to cybersecurity,” he said.
Cyber security and compliance will be a key focus at the Accountants Daily Strategy Day this year (held on 29 November and 1 December), where speakers will explain why accountants are vulnerable targets, and arm them with tools and strategies to mitigate cyber risk and protect their business and data.
Dr Thompson recommended a three-pronged defence system against cyber attacks for accounting businesses.
The first is self-defence, which would require practitioners to educate their employees to increase awareness and embed a culture of caution.
The second is passive defence, where system administrators assess how well businesses are complying with the mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), which aim to prevent attackers from compromising systems.
Known as the “essential eight”, these strategies include:
- Application control
- Patch applications
- Configure Microsoft Office macro settings
- User application hardening
- Restrict administrative privileges
- Patch operating systems
- Multifactor authentication
- Regular backups
The third is active strategy where professional cyber security officers sit inside systems and actively detect, contain, and resolve threats to a business’ system.
“[It’s about] having all of those self-defence measures, and [increasing] your awareness. Don’t be that person who clicks on the link in a phishing email. Don’t be that person who finds a USB stick in the carpark, and out of idle curiosity, plugs it into the system,” Dr Thompson warned.
Understand your assets very quickly
Mr McCarthy advised business owners to focus on the fundamentals of cyber security by understanding what assets they own and the software that operates within their environment.
“If you don’t understand those two things, get really, really familiar with them really quickly,” he warned.
“Understand your systems, understand the way in which they communicate. Then you can go about protecting them.”
Once business owners do this, they can then extrapolate how their applications and software communicate across all the assets, he added.
The security breach at Optus — the second-largest telecom company in Australia — came to light on Thursday, 22 September, when it was discovered that around 10 million of its customers’ personal information was disclosed, including their names, dates of birth, phone numbers, email addresses, and in some cases, driver’s licence and passport numbers.
There have been reports that the breach allegedly occurred after Optus left an application programming interface (API) open to its customer database without requiring authorisation or any type of authentication.
An API is an interface that allows machines to talk to each other, and exchange and transfer information without requiring human-readable formats, and allows users to retrieve information, according to Mr McCarthy.
APIs must have availability, integrity, and confidentiality, with Mr McCarthy noting that failures occur where it is not confidential or connected.
“From all the reporting, the [Optus] API was either exposed by happenstance, or by poor design, poor control, or human error. We don’t know,” he said.
“Regardless, if you have access to an API at certain levels, you can do a lot of things with it. It’s very, very powerful.”
Because API security is complex and prevalent in every business that uses technology, understanding the inherent risks is critical, Mr McCarthy flagged.
“A business can’t operate in a vacuum and not assess their own risk,” Mr McCarthy warned.
Consulting other industry professionals and peers about their cyber security practices and how secure their APIs are would be helpful for business owners, he advised.
Businesses with chief information security officers should consult their peers to gain a deeper understanding, exchange ideas, and potentially adopt their practices where appropriate, he added.
“Talking with peers in the community, leveraging experts… and people in the field is really important,” he concluded.
To hear more about how you can protect your business against the growing risk of cyber penetration and cyber attacks, come along to the Accountants Daily Strategy Day 2022.
It will be held on Tuesday, 29 November at Grand Hyatt in Melbourne and Thursday, 1 December at Parkroyal Parramatta in Sydney.
Click here to book your tickets and make sure you don’t miss out!
For more information, including agenda and speakers, click here.
You need to be a member to post comments. Become a member for free today!
