The Office of the Australian Information Commissioner (OAIC) has published its first full quarterly statistical report on notifications received under the Notifiable Data Breaches (NDB) scheme since the scheme commenced on 22 February 2018.
Between 1 April and 30 June 2018, the finance, legal, accounting and management services industries accounted for a combined 56 out of 242 notifications of data breaches, just below the health service sector.
Of those breaches, 29 were due to malicious or criminal attack, 24 due to human error, and three owing to system faults.
Speaking to Accountants Daily, Julian Plummer, managing director of Kamino Cyber Security and Midwinter Financial Services, said the numbers showed the relative attractiveness of accountants as targets for data breaches.
“Accountants have a huge amount of data for their large numbers of clients, so attacking an accountant gives the hacker access to a larger scale of information as opposed to attack[ing] an individual person,” said Mr Plummer.
“The other side is that accountants are generally underprepared when it comes to information security and in large part this can be attributed to not fully understanding their obligations under the new laws.
“What was interesting is the high amount of human errors that led to data breaches – this leads me to believe that accounting practices that suffered from a data breach had poor levels of security hygiene and lacked basic staff training. Policies for sending out personally identifiable information should be a part of the information security policy, and this is a basic thing to get right.”
Further, Mr Plummer believes that, as accounting firms increasingly pick and choose different applications for different processes, more breaches are likely to be reported before the industry starts to take the issue more seriously.
“Things are only going to get worse before they get better,” said Mr Plummer.
“Consider the increasing number of accountants that are currently ‘picking their own stack’ of applications with the intention of integrating them via API. This is going to only lead to more data being produced, dramatically increas[ing] the attack surface area of the practice.
“A mistake we see quite often is an accountant thinking that installing a virus monitoring tool will take care of everything. It won’t,” he added.
“Instead they should be investing in an information security policy, a layered security approach and the training of staff to increase awareness.”
The Tax Practitioners Board (TPB) has warned the industry that failure to comply with the NDB scheme could result in possible sanctions from the body, on top of severe penalties issued by the OAIC.