Cybersecurity

ASIC Cyber resilience good practices 

The following good practices enable organisations to operate highly adaptive and responsive cyber resilience processes. We encourage all organisations to discuss, share and consider their application to improve their cyber resilience preparedness.  More information

ATO Top 5 tips for data security for small business owners

‘As a small business owner, protecting your systems from cyber security threats is essential. There are some simple things you can do to keep your business and client data safe from cybercriminals.’

  1. Install all software and app updates.
  2. Turn on automatic updates.
  3. Use multi-factor authentication (MFA) where possible.
  4. Use strong passphrases that are difficult to guess.
  5. Teach yourself and your staff how to prevent, recognise and report cyber incidents.

Review the other ATO top cyber security tips for businesses for more ways to secure your devices.

Guidance for consumers impacted by the Latitude Financial Services data breach

Following the recent Latitude data breach, ASIC has produced consumer guidance. The guidance includes contact phone numbers and relevant links if you are affected by the breach.

View the full guidance here.

Following the recent Optus data breach, the ACCC has produced a fact sheet to help you avoid scams. This document includes practical scam-prevention advice for those who have been impacted.

View the full fact sheet here.

AFS Licensees and Cybersecurity

AFS licensees must adequately manage cybersecurity risks as part of their licence obligations.

Adequate technological systems, policies and procedures should be in place to ensure sensitive consumer information is protected and to minimise the risk of consumer harm.

ASIC will take enforcement action when an AFS licensee does not meet these obligations.


How to prepare for a cyber security incident

Cyber criminals will often target tax practices because they hold large amounts of client information.

That’s why it’s important to have a data breach response plan in place.

The Office of the Australian Information Commissioner (OAIC) provides guidance on creating a solid data breach response plan. For example, it should include:

  • clear escalation procedures and reporting lines for suspected breaches
  • processes that outline when and how affected individuals are notified
  • a record-keeping policy to ensure breaches are documented
  • strategies to identify and address any data handling weaknesses that could have contributed to the breach.

Your data breach response plan should also include contacting the ATO on 1800 467 033 so we can put protections in place for your clients.

More information

Cybersecurity has become a significant issue in professional practice, and both the Tax Practitioners Board (TPB) and the Australian Taxation Office (ATO) have published security tips to help practitioners protect the security and confidentiality of their client information.

Strengthening client verification guidelines

‘In developing this guideline, the ATO has consulted with the Tax Practitioners Board (TPB) and the tax profession to ensure consistency and alignment. This guideline should be read in conjunction with the TPB’s Practice Note TPB(PN) 5/2022 – Proof of identity requirements for client verification.’

The TPB has developed the following documents:

The ATO has developed the following documents:

Australian Cyber Security Centre

Small Business Cyber Security Guide

The ACSC has created a guide to help small businesses protect themselves from the most common cyber security incidents – Small business cybersecurity guide.

The Australian Cyber Security Centre has published the below information on:

Protect yourself

Protect yourself against ransomware attacks. Protective measures are simple, cost-effective and immediately beneficial. Protective measures can prevent ransomware from occurring in the first place. There are many easy actions you can take now.

What to do if you're held to ransom?

The Australian Cyber Security Centre guide to identify, remove and protect yourself against ransomware has simple steps to follow if you are a victim of ransomware. The first section will teach you how to identify ransomware and stop it from spreading. The second part will help you avoid another ransomware attack.

Useful Articles

What best describes your current situation?

The Australian Cyber Security Centre has created guidance for businesses that have been hacked.

Select which one of the below has happened to you. You will then be asked a series of questions to determine your circumstances and be given appropriate guidance.

Which of the below has happened to you?

  • ‘My information has been stolen or leaked’
  • ‘I opened a suspicious email or message’
  • ‘I cannot access my files and someone is demanding I pay them’
  • ‘I can’t access my account or I’ve noticed unusual account activity’
  • ‘I received a suspicious call from someone that wants to access my device’
  • ‘I accidentally used a fake website’
  • ‘My device is not behaving like it usually does’
  • ‘Someone claims to know my password or passphrase…’

If one of the above has happened to you, visit the Australian Cyber Security Centre.

Could not find what you were looking for? Call the ACSC hotline on 1300CYBER

If you are concerned that your identity has been compromised or you have been a victim of a scam, contact your bank immediately and call IDCARE on 1800 595 160.

The following websites can help you protect yourself and stay informed

  1. Identity theft | Moneysmart
  2. Identity fraud | OAIC

‘Top three things to protect yourself’

  1. Update your devices to protect important information
  2. Protect your accounts with multi-factor authentication
  3. Back up data regularly to the cloud or an external hard drive

Source: ACSC, October 2022

Prevention is better than cure - assess your cyber risk! - TPB Webinar

‘With recent data breach incidents across Australia, we can see how vulnerable businesses can be to cyber-attacks! You don’t want to be in a situation dealing with the aftermath these attacks create, so take steps to prevent attacks in the first place! Learn how to assess any potential cyber risk to your business and what steps you can take to protect your practice and client information’. Join TPB ‘Board member Debra Anderson and Jimmy Tzimopoulos, Assistant Commissioner from the Australian Taxation Office’s Cyber Governance & Operations who will share some valuable advice.’

Professional Practice Manual (PPM) module on Cybersecurity

The IPA PPM has a module on Cybersecurity. To access Module 12 of the PPM on Cybersecurity, please click here.