Cyber security tips for your practice
This article was current at the time of publication.
In Australia alone, a new cybercrime is reported every 10 minutes.
A single attack costs a business an average of A$275,000. From invoice fraud to data theft and phishing scams, cybercriminals are becoming more sophisticated in their methods. And while no organisation is immune to outside risks, it’s the people inside your business who pose the greatest cyber threat – and defence.
The latest data from the Australian Competition and Consumer Commission (ACCC) shows Australians have lost more than A$19 million to invoice fraud this year, while phishing scams, which occur when cybercriminals impersonate a trusted person or entity via email or SMS, have come at similar cost. In New Zealand, 22 per cent of incidents reported to the country’s cyber security authority, CERT NZ, included some form of financial loss, with a combined total loss of NZ$20 million last year.
People are your weakest link
Graham Chee CPA, founder of accounting practice Local Knowledge and co-founder and Managing Director of cybersecurity firm BCyber, describes people as the “weakest link” in cyber security.
“It’s generally unintentional,” he says. “They might just click on a link in an email, but that’s like leaving the door open for criminals to get in.”
Rising cyber risks
Successful cyber attacks typically involve a business owner or one of their employees clicking on a fake link in an email or paying a dodgy invoice.
ACCC’s Scamwatch data shows that small and micro businesses lost the most money to invoice fraud in 2022. Also known as payment redirection scams or business email compromise, these involve a fake payment request sent by someone posing as a regular and trusted supplier or vendor.
“Say you receive an invoice from Officeworks, but the bank account details have been changed on the bottom of the invoice,” says Chee. “That’s a classic case of invoice fraud.”
Chee adds that while phishing emails have been around for a long time, cybercriminals are starting to impersonate people and companies in new ways.
“People are replicating and impersonating websites, and AI is only making things worse at the moment because it can pick up anybody's online profile out there and replicate it,” he says.
“The latest one … is impersonating the Australian Taxation Office (ATO). They’ll contact you and say, ‘oh, you need to send us information’ and people do it without questioning, because they think it’s the ATO and they are frightened of getting in trouble from the tax office.”
Data theft poses a huge risk to accountants, adds Chee.
“When people think about cybercrime, they think of ransom attacks, but in the case of accounting firms, it’s the access to your data that is most valuable to cybercriminals,” he says. “They are much more likely to want to get into your system and steal your data, rather than lock you out until you pay a ransom.
“Accountants are regarded as the gatekeeper to the ATO and the gatekeeper to the client. And the low-hanging fruit for any cyber attacker is the tax records, because they hold so much valuable data – tax file numbers, bank details, date of birth, everything.”
Protecting your business
CPA Australia’s cyber security hub has a range of resources to help you to protect your business from cybercrime. It includes a section on mastering the human element of cyber security. It notes that the first step is to raise awareness of the risks and to create a cyber security-conscious workplace culture, where employees query payment and order requests that seem unusual, change their passwords frequently and view cyber security as their responsibility, not just something the IT team manages.
“Cyber security is widely considered to be an IT issue, but it’s a people issue,” says Chee.
“Accountants need to talk to their staff in general about the threats that are out there. Don't just assume that if you send someone on a cyber [security] course that they’ll become the cyber guru. It needs to be part of normal day-to-day conversation about what’s happening out there and to remind people to be on the alert for it.”
Chee advises that if the bank account on an invoice has changed, you should call the supplier to check that the invoice is genuine.
“The other part is ensuring that all your accounts are reconciled, because [cybercriminals] usually say, ‘oh, this account is outstanding, can you pay it or we’re going to cut your credit’.
“It’s about in-practice education and learning, rather than just sending people off on a course,” adds Chee.
“You also need to keep your ear to the ground about scams that are out there, and always remember that if anything doesn't seem normal, then it's probably not normal.”
Fraud fresh off the street
A final warning: cyber-criminals don’t just operate remotely. Here’s a real-life story from a CPA public practice.
“A stranger walks into reception and announces, ‘I'm a new client and slightly early for my appointment, but I forgot to print off this important document for my first meeting. Could you please print this from my USB?’ The receptionist of course says ‘no worries’, loads the USB, prints the document and hands back the USB.
The stranger then says, ‘oh no, something urgent has come up, I'll need to cancel and reschedule’, and leaves.
The USB had essentially uploaded a trojan horse that penetrated the firm’s systems.”
Major cyber risks and how to avoid them
Password hacks
Passwords should be changed frequently and never shared. Password managers, such as LastPass or 1Password, can also create and securely store strong, unique passwords for employees.
Phishing emails
The aim is usually to encourage the recipient to click on a dangerous link or to reveal sensitive information. The best way to avoid phishing scams is to never click on a link from someone you don’t know.
Invoice fraud
Check any requests to change payment details with your supplier before making payments and be wary of requests for urgent payments.
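The three checks Chee describes (bank details that differ from what you have on file, a demand for urgent payment, and an invoice that doesn’t reconcile to an open order) can be screened before payment. The example below is added here and is not from the article or from CPA Australia; the vendor master file, phone numbers, BSB and account numbers, and the invoices are all constructed sample data.

```python
"""Pre-payment screening for payment-redirection (invoice fraud) attempts.

Added example, not the article's own material. The vendor master below is a
constructed stand-in for the bank details and phone numbers your practice
verified when each supplier was onboarded.
"""
from dataclasses import dataclass, field

# Constructed vendor master: verified details, not what the latest invoice says.
VENDOR_MASTER = {
    "Officeworks": {"bsb": "000-001", "account": "11111111", "phone": "1300 000 001"},
    "Acme Stationery": {"bsb": "000-002", "account": "22222222", "phone": "02 0000 0002"},
}

# Phrases that signal pressure to pay before anyone checks.
URGENCY_WORDS = ("urgent", "immediately", "today", "cut your credit", "final notice")

@dataclass
class Invoice:
    vendor: str
    bsb: str
    account: str
    amount: float
    note: str = ""
    po_number: str = ""      # purchase order the invoice claims to settle

@dataclass
class Finding:
    invoice: Invoice
    flags: list = field(default_factory=list)
    verify_on: str = ""      # phone number to call, taken from the master file

def screen_invoice(inv: Invoice, open_pos: set) -> Finding:
    """Return the issues a clerk must resolve before this invoice is paid."""
    f = Finding(inv)
    master = VENDOR_MASTER.get(inv.vendor)
    if master is None:
        f.flags.append("unknown vendor: onboard and verify before paying")
        return f
    if (inv.bsb, inv.account) != (master["bsb"], master["account"]):
        # Details differ from the record: confirm by phone on the number you
        # already hold, never on a number printed on the suspect invoice.
        f.flags.append("bank details changed from vendor master")
        f.verify_on = master["phone"]
    if any(w in inv.note.lower() for w in URGENCY_WORDS):
        f.flags.append("urgency pressure in invoice text")
    if inv.po_number not in open_pos:
        f.flags.append("no matching open purchase order (reconcile first)")
    return f
```

Run `screen_invoice` over each incoming invoice with the set of open purchase order numbers; an empty `flags` list means the invoice matched the file and can go through the normal approval path.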
Malware
Malware is short for “malicious software” and is designed to damage or disable IT systems and can give attackers access to data. Ransomware is a common form of malware. It can be avoided by having up-to-date security software installed, running regular anti-virus scans and avoiding the use of storage devices such as USBs from unfamiliar sources.