To build solid cyber defences in your business, you’ll need to dedicate resources to training your employees and implementing cyber-resilient processes. But people and processes aren’t the only defences. You also need to have the right technology in place.
A cyber security incident can have devastating impacts on businesses of all sizes, but there are some simple technical solutions that can help you mitigate that risk.
Here are four quick technical fixes that involve minimal effort from your employees, while creating maximum frustration for cyber criminals.
Basic security standards are a must
Accountants and finance professionals rely heavily on technology to perform basic business functions and carry out day-to-day operations. This can expose businesses to additional cyber vulnerabilities.
According to the Australian Cyber Security Centre (ACSC), the average cost of a reported cyber crime to a small business in Australia in 2022-23 was around A$46,000, and for a medium-sized business the average cost was $97,000. Some basic measures you can take in your business to improve cyber security include:
- using an up-to-date virus scanner on all your computers and servers
- having password managers for all employees
- ensuring you have email security through Office 365 or a separate tool
- making sure your wireless internet networks are password protected and secure
- not opening email attachments from sources you don't trust
- being very careful about free applications you download from the internet
- keeping software up-to-date, including your operating system. Many cyber attacks, such as those that exploit the BlueKeep vulnerability, target flaws in older versions of your software or operating system. Having automatic updates switched on can ensure you're always using the most current versions.
Back-up your data
Cyber attacks often target client data for financial gain. When client data is compromised, businesses may not only experience financial loss, but also reputational and relationship damage.
In today’s digital-driven world it's not a matter of ‘if’ your business will be attacked, but whether you've already been attacked – or will be – without knowing it.
To help prepare your business to recover quickly from a cyber attack, you could consider implementing these simple steps as part of your recovery plan.
- Take regular copies of your important files and store them on a portable device, such as an external hard drive or USB.
- Keep the portable device somewhere safe and disconnected from your computer (don’t keep a USB with backup files plugged into your computer).
- Regularly test that your back-ups are working and accessible from the portable device.
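One way to carry out the copy and test steps above, shown as an added example that is not part of the original article: a Python script that records a SHA-256 checksum for each file when the backup is taken, then checks the copy on the portable device against that record. The function names, the manifest file name and the sample folders are assumptions made for this illustration.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path
MANIFEST = "backup-manifest.json"  # assumed name, stored alongside the backup

def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_backup(source, dest):
    """Copy every file under source to dest and record each original's checksum."""
    source, dest = Path(source), Path(dest)
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest / rel)
        manifest[rel] = sha256_of(src)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=2))

def verify_backup(dest):
    """Return the files that are missing from the backup or no longer match."""
    manifest = json.loads(Path(dest, MANIFEST).read_text())
    report = {"missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        copy = Path(dest, rel)
        if not copy.is_file():
            report["missing"].append(rel)
        elif sha256_of(copy) != expected:
            report["corrupt"].append(rel)
    return report

def demo():  # constructed sample data: back up, damage the copy, verify again
    with tempfile.TemporaryDirectory() as tmp:
        office, drive = Path(tmp, "office"), Path(tmp, "usb")
        (office / "clients").mkdir(parents=True)
        (office / "clients" / "ledger.csv").write_text("client,balance\nAcme,100\n")
        (office / "payroll.txt").write_text("constructed sample data\n")
        take_backup(office, drive)
        clean = verify_backup(drive)
        (drive / "payroll.txt").write_text("changed on the drive\n")
        (drive / "clients" / "ledger.csv").unlink()
        return clean, verify_backup(drive)

if __name__ == "__main__":
    print(demo())
```

An empty report means every file on the device still matches what was backed up; any entry under "missing" or "corrupt" means that backup cannot be relied on for recovery.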
Know what to ask your IT person
Many accounting firms and small businesses don’t have the time or the resources to dedicate to cyber security. While some cyber security problems can be avoided with simple technical solutions, having someone with technical know-how who understands your business is crucial for your cyber security.
You should ask your IT person the following:
- Can all our company devices be updated automatically?
- Do we have anti-virus software, ransomware protection and host firewalls installed on all laptops?
- Will two-factor authentication (2FA) be installed on all company devices?
- Are all of our company’s existing applications up-to-date, and how do we ensure that they continue to be?
- Are we subscribed to alerts from the ACSC so our employees can be notified about critical vulnerabilities and cyber threats?
Manage third-party risk
Almost all accounting firms have now embraced cloud-based software as a service (SaaS) solutions. Accounting-software providers realise they may never recover from a successful cyber attack, so they invest heavily in sophisticated security.
If a cyber hacker does manage to breach the cyber defences of one of your SaaS providers, there could be consequences for your firm, including scrutiny from regulators and/or clients.
Important questions your firm should consider asking SaaS providers on how they manage third-party risk include:
- who has access to the firm’s data?
- how is data access controlled?
- do you have data back-ups?
- how long is our data stored for?
- where is the data hosted?
- is our data encrypted in transit and at rest?
- do you ensure data is deleted upon termination of our contract?
- will we be notified of any breaches, and if so, what is the minimum time for us to be notified?
You can refer to the requirements for digital providers outlined by the Australian Taxation Office (ATO) for details on the minimum level of security a digital service provider needs to meet in order to access ATO digital services.
Stay aware of new threats
Check the Australian Cyber Security Centre website regularly