As reported last week, the legal, accounting and management services sector provided the OAIC with the third highest number of data breach notifications in the reporting period of July to September 2018.
Cyber security experts are finding that it is often simple lapses, such as lax password protection and weak or reused password choices, that undo the defences of accounting firms.
“Accountants should look closely at the overall security hygiene of their business, which includes staff awareness and education, ensuring employees only have access to information required to perform their tasks, ensuring automatic updates are on for all devices and employing a modern password standard for their Active Directory systems,” said Julian Plummer, managing director of Kamino Cyber Security and Midwinter Financial Services.
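One concrete way to act on the Active Directory point in the quote above is to audit the domain's effective password policy. The script below is an added example, not code from Mr Plummer or any firm named in this article; the baseline thresholds in `$Baseline` are assumptions chosen to reflect current length-first guidance, and should be replaced with whatever standard the firm adopts. It uses the standard RSAT ActiveDirectory module cmdlets `Get-ADDefaultDomainPasswordPolicy` and `Get-ADFineGrainedPasswordPolicy`.

```powershell
# Added example: audit the default domain password policy against an assumed
# modern baseline. Requires the RSAT ActiveDirectory module and read access to
# the domain. Run as a domain user on a domain-joined admin workstation.
Import-Module ActiveDirectory

# Assumed baseline (not from the article): long minimum length, lockout after a
# bounded number of failures, enough history to block trivial cycling.
$Baseline = @{
    MinPasswordLength    = 14
    LockoutThreshold     = 10
    PasswordHistoryCount = 24
}

$Policy   = Get-ADDefaultDomainPasswordPolicy
$Findings = @()

if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
    $Findings += "MinPasswordLength is $($Policy.MinPasswordLength); baseline is $($Baseline.MinPasswordLength)"
}

# LockoutThreshold of 0 means accounts never lock out, which leaves password
# spraying and brute force unthrottled at the directory level.
if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) {
    $Findings += "LockoutThreshold is $($Policy.LockoutThreshold) (0 = no lockout); baseline is $($Baseline.LockoutThreshold)"
}

if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
    $Findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); baseline is $($Baseline.PasswordHistoryCount)"
}

# Reversible encryption stores passwords in a recoverable form; it should never
# be enabled domain-wide.
if ($Policy.ReversibleEncryptionEnabled) {
    $Findings += "ReversibleEncryptionEnabled is true; passwords are stored recoverably"
}

# Fine-grained password policies override the default for the groups they
# target, so a weak FGPP can silently undo a strong default. List them so each
# can be checked against the same baseline.
$Fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
                  PasswordHistoryCount, ReversibleEncryptionEnabled

if ($Findings.Count -eq 0) {
    "Default domain password policy meets the assumed baseline."
} else {
    "Default domain password policy findings:"
    $Findings | ForEach-Object { " - $_" }
}

"Fine-grained password policies in effect (review each against the baseline):"
$Fgpp | Format-Table -AutoSize
```

The script only reads policy; changing the default domain policy is done through the Default Domain Policy GPO, and the FGPP listing is there because a fine-grained policy with a lower precedence number wins over the default for its members.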
Firms like Illumin8, based in Victoria, mandate password manager platforms for employees. These tools generate strong, unique passwords and keep them in encrypted storage.
“The second you go cloud, you need to have a password manager,” said Shane Scott, head of process at Illumin8, at Accountech Live in Melbourne this week.
“When you are moving to cloud services, you have to make an effort to really be secure. Before, someone would have to be inside your network to compromise you – but with the cloud, they can do it from anywhere,” he said.
Firms are required to notify the OAIC and affected individuals where there has been an eligible data breach.
According to the OAIC, “a data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure”.
The scope for reportable breaches is wider than most realise. Unauthorised access that must be reported is not limited to a devastating cyber attack; it can come from an employee, an independent contractor, or an external third party.