The volume of sensitive data changing hands between clients and practices leaves them vulnerable to hacking.
Why tax time turns accountants into cyber targets
You may have heard that the recent Optus cyber attack was “the biggest hack in history”. Yet did you know that accountants face a higher risk of a similar attack during tax time?
Accounting is one of the six sectors most targeted by cyber attacks, according to the Australian Cyber Security Centre. Cyber crime costs small accounting practices an average of $39,000 per year. The cost is about $88,000 for medium-sized practices and $62,233 for large practices.
The centre also reported that, on average, there is one cyber attack in Australia every seven minutes and attacks are up by 13 per cent compared with last year.
In my experience, accounting practices are prime targets for cyber attacks because they hold vast amounts of sensitive financial and personal data about their clients, including bank account information, financial records, tax identification numbers, payroll information, copies of identity documents and investments data.
At this time of year, most accountants are inundated with data from clients. As this data flows back and forth, often in unprotected form, the vulnerabilities are significant.
If your team were to be hacked, would your business survive the loss of consumer trust and potentially millions of dollars in massive government fines?
Regulators start to bite
Last week, APRA hit Medibank with a huge fine – $250 million – as punishment for the breach of data in October 2022. Regulators of other industries will be preparing corresponding penalties for similar breaches.
Ask yourself how that sort of penalty would affect your ability to remain in business.
At tax return time, accountants need to protect the personal information for which the industry is temporary custodian.
Where, when and how they transfer and store this information are big questions for any accountancy firm wanting to safeguard their clients’ data and to avoid the wrath of regulators if breached.
It only takes one weakness in a large network to compromise the entire system. Hackers have long used simple, connected devices like a standard office printer to penetrate the most advanced networks. Gaining remote access to the printer enabled them to breach the computers and servers on the same network, including all the data contained therein.
Protection is possible
But accountants can protect themselves. The first step is to give your entire team training in cyber security awareness. Awareness provides an excellent return on investment, with small businesses seeing an average return of 69 per cent. Nine out of ten data breaches are made possible because of human error, and training dramatically reduces the likelihood that someone on your team will make such a mistake.
Awareness training is cost-effective and can take as little as an hour. That’s a small investment that pays large dividends.
The next step for accountancy businesses is to work towards alignment with a top-quality cyber security framework such as ISO 27001 or NIST. A good cyber security adviser can make this easy and tailor the frameworks to your unique business context. They can help you identify and address vulnerabilities by undertaking a risk assessment.
Cyber threats are a significant and increasing risk, and the best actors in the accountancy sector are already taking steps to prepare themselves. I encourage you to begin to do the same and to start your journey to cyber maturity.
Dr Edward Phelps is director at Secure Konnect Cybersecurity.