NDB legislation requires businesses to report any breaches of that data to the individual and to the Office of the Australian Information Commissioner (OAIC) or risk financial and civil penalties. GDPR, despite being a European-based piece of legislation, applies to any Australian firms that do business with organisations or people in Europe, or European citizens.
Therefore, these laws are likely to apply to many Australian accounting firms. It’s also important to note that accountants and other financial professionals are likely to be relentlessly targeted by cybercriminals because of the high objective value of the information they have access to. With significant access to and knowledge of clients’ financial details, accountants provide a highly-lucrative target. It’s therefore exceptionally important for accountants and other financial professionals to have a clear understanding of their obligations under these laws, as well as their moral and ethical obligation, to adequately protect their clients’ data. Preventing information theft should be prioritised.
When people’s information is accessed or stolen from their accountant or financial planner, the ramifications can reverberate for many years to come. Since cybercriminals can steal personal banking and wealth information, they can use this not just to steal currently-available funds but also to conduct identity fraud. Cybercriminals can use their victims’ personal information to take out fraudulent loans or claim government benefits they’re not entitled to.
The effect of this can be significant and isn’t limited to the financial losses. Clearing up cases of identity theft can take years in some cases. While it’s relatively easy to change credit card details, for example, it can be harder to clear up a bad credit rating due to loans that were taken out without the person’s knowledge. A bad credit rating can affect the individual’s ability to access finance in the future, which can be lifechanging.
The NDB scheme applies to all government agencies and businesses already required to comply with the Privacy Act, which includes businesses and not-for-profit organisations with an annual turnover of more than AU$3 million. It also covers any business that collects and stores personal information such as education records, tax file numbers, or health records.
This means financial planners, accountants, and other financial professionals are likely to be subject to the scheme. It’s therefore essential to understand what’s required to comply.
The most important approach in complying with any data breach requirements is to focus cybersecurity efforts on preventing information breaches from happening in the first place. In addition, there are five key steps that accountants and other financial professionals should take to avoid falling foul of these privacy requirements.
1. Map the data
Understanding where data resides across the organisation is the first key to protecting it. Businesses often keep data in disparate locations such as CRM systems, planning software, emails, and more. To protect it, accounting firms need to know where it is, who has access to it, what protections are already in place, and what security vulnerabilities need to be addressed.
2. Secure the organisation
Keeping this data secure is essential for compliance with the legislation so it’s worth implementing the strongest possible security controls. It’s also important to remember that many data breaches happen because of human error or malicious activity from insiders, so education and constant vigilance are also essential.
Educating people about their shared security responsibilities can help mitigate many threats. This includes ensuring they know not to click on email links, not to plug unknown devices into the network, and not to share passwords. To be effective, education needs to be comprehensive, consistent, and regular.
3. Prevent breaches
There are four key steps to preventing breaches through cybersecurity:
- Gain full visibility into all traffic across the network, ensuring nothing is left unseen.
- Reduce the attack surface by only allowing specific applications and denying everything else.
- Prevent known threats through granular management of all types of applications, and analyse all allowed traffic for exploits, malware, malicious URLs, and other dangerous or restricted files or content.
- Prevent unknown threats through global information sharing and automated responses that get on top of the risk before it has a chance to proliferate. Behavioural analytics empowers organisations to quickly find and stop the stealthy unknown network threats. By analysing network, endpoint and cloud data with machine learning, it’s possible to accurately identify targeted attacks, malicious insiders, and malware. Security analysts can rapidly investigate threats and block attacks before the damage is done.
4. Test, review, and improve
Businesses must continually review and test security measures because threats are constantly evolving. What worked yesterday may not work next week in light of new threat vectors, so it’s important to treat information security as an ongoing and never-ending battle.
Cybercriminals are smart, sophisticated, resourceful, and highly driven. With this in mind, attacks are inevitable and it’s how the firm responds to them that makes the difference. Planning the response is crucial to ensure everyone in the firm knows their role and is prepared to act at a moment’s notice. This includes understanding the process for notifying affected individuals and the OAIC, and mitigating the attack. Following a well-considered plan can stop the breach before it affects too many people, minimising the damage.
By following these five steps, accounting firms can help protect their clients’ data and avoid falling foul of data protection regulations. Importantly, demonstrating a commitment to data protection can also help build client confidence, which can become a competitive differentiator for firms.
Philip Dimitriu, director of systems engineering, Australia and New Zealand, Palo Alto Networks