No two businesses are the same. This makes it difficult to generalise when it comes to cyber security policies, procedures and processes. However, below are four key principles to get you started.
Assess your cyber security
You’ve implemented a few cyber security measures, but how do you know if they’re enough?
It’s important to take a step back and review your cyber security hygiene.
- Which of your systems and applications are vulnerable?
- Do you have policies for information security, incident response and acceptable usage?
- From eDM platforms to file sharing tools, what third-party systems do you use? Are they as secure as they claim? Third-party or supply chain attacks are becoming more common, so you need to stay vigilant.
- Is your software up-to-date?
- Do you have a recovery plan in place?
- Have you considered cyber liability insurance?
The Australian Cyber Security Centre’s (ACSC) Cyber Assessment Tool can help you manage cyber security for your business. It identifies your cyber security strengths, areas where your business can improve, and where to find help.
Avoid leaving it all to the IT team
Many businesses leave the responsibility for cyber security to the IT team or the external IT provider – but cyber security works best when finance professionals and technology experts join forces.
For example:
- tax specialists need to stay up-to-date with scams that circulate at tax time and work with IT specialists to defend against them.
- auditors need to consider the impact of data breaches in the audit of a financial report. Refer to How auditors can assess cyber security risks to find out more.
- superannuation experts need to understand that super funds are a lucrative target for cyber criminals, and work with IT to mitigate the risks.
From business leaders, to employees and third-party service providers, every person is responsible for cyber security and should be trained in accordance with their role, responsibilities, and access level.
Depending on the size of your organisation, you might consider setting up (or outsourcing) a Security Operations Centre (SOC) to monitor, prevent, and respond to cyber attacks.
Focus on good data practice and password management
The average accounting firm employee has more than 20 app logins to manage across their working and personal lives.
You can use tools such as LastPass, 1Password or Dashlane to consolidate these logins into a single login. This allows your business to maintain control over where, when and from what device data is accessed and helps you to pinpoint the source of any breaches.
Ensure that users have complex passwords and change the default passwords or passphrases on all devices.
Good passwords or passphrases are long, unpredictable and unique. The Australian Cyber Security Centre suggests aiming for a password or passphrase that is at least 14 characters long. To aid with passwords that are used regularly, consider using a random mix of unrelated words as a passphrase so that they are memorable for the individual, but not easily guessed. Passwords should be unique and not re-used on other accounts.
Cyber criminals know that many people use the same password in various places. Even when a password is known to be compromised, many people do not change it on all the sites where they use it. Users can check whether their password has been compromised with the haveibeenpwned or IntelligenceX websites.
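The two practices described above, a passphrase built from random unrelated words and a check against a breached-password list, can both be put into working code. The example below is added here and is not part of the original page or of any ACSC tool. It generates a passphrase with a cryptographically secure random source and checks it against the ACSC 14-character minimum, and it shows how the haveibeenpwned "Pwned Passwords" range lookup works: only the first five characters of the password's SHA-1 hash leave your machine, and the rest of the hash is compared locally against the returned list. The word list and the range response used here are constructed sample data (the breach count is made up); the fetch helper is included for live use but is not called by the check itself.

```python
import hashlib
import secrets
import urllib.request

# Constructed sample word list. A real deployment would load a large list
# (several thousand words) so that four or five words give enough entropy.
WORDS = [
    "anchor", "bucket", "copper", "dusk", "emerald", "falcon", "garlic",
    "harbour", "ivory", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orbit", "pebble", "quartz", "ripple", "saddle", "timber",
]

ACSC_MIN_LENGTH = 14  # minimum length suggested in the text above


def make_passphrase(n_words=4, words=WORDS, sep="-"):
    """Join n_words randomly chosen words. secrets.choice uses the OS CSPRNG,
    so the result is unpredictable even if the word list is public."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def meets_length_policy(passphrase, minimum=ACSC_MIN_LENGTH):
    """True if the passphrase reaches the minimum length."""
    return len(passphrase) >= minimum


def hibp_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that is
    only ever compared locally (the k-anonymity model of the range API)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Live lookup (network access required): returns the text body for the
    given 5-character prefix from the Pwned Passwords range endpoint."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_range_response(suffix, response_text):
    """Parse the 'SUFFIX:COUNT' lines of a range response and return the
    breach count recorded for our suffix, or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


def is_breached(password, response_text):
    """Convenience wrapper: True if the password's hash suffix appears in
    the (already fetched) range response."""
    _, suffix = hibp_prefix_suffix(password)
    return count_in_range_response(suffix, response_text) > 0


# Constructed range response for the prefix of SHA-1("password"), 5BAA6.
# The suffix on the second line is the real remainder of that hash; the
# counts and the other suffix are made-up sample values.
SAMPLE_RANGE_RESPONSE = """\
0000A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def demo():
    """Generate a passphrase and run both checks; returns a summary dict."""
    phrase = make_passphrase()
    return {
        "passphrase": phrase,
        "meets_policy": meets_length_policy(phrase),
        "reused_password_breached": is_breached("password", SAMPLE_RANGE_RESPONSE),
        "passphrase_breached": is_breached(phrase, SAMPLE_RANGE_RESPONSE),
    }


if __name__ == "__main__":
    print(demo())
```

Because the full hash never leaves the machine, this check can be run at password-creation time (for example in an onboarding script or a self-service portal) without the service ever learning the password itself. A match should be treated as a reason to reject or rotate the password, not merely to warn.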
Bolster your email security
Sending and receiving emails is a key business process in most accounting practices and it’s particularly vulnerable to cyber attacks. From fake invoices to phishing and ransomware, email is an attractive delivery method for many cyber criminals. To strengthen your defences, consider:
- turning on multi-factor authentication
- protecting your domain names by renewing them regularly
- registering additional domain names to stop cyber criminals from using domain names that look like yours
- running cyber security awareness training for your employees to help them recognise and deal with suspicious emails.
The ACSC provides email security resources to help you get started.
Stay aware of new threats
Check the Australian Cyber Security Centre website regularly.