Keeping your business cyber safe

Man with sleeve tattoo scrolling smart phone and laptop wearing headphones

The Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone.  Some analysts suggest criminal data breaches could cost businesses as much as $8 trillion over the next five years, largely due to higher levels of connectivity without a proportionate level of investment in security.

The Australian Taxation Office (ATO) works with the Attorney-General's Department, the Australian Competition and Consumer Commission, the Department of Human Services, the Australian Securities and Investments Commission and other government regulatory agencies and departments to combat the growing threat of identity theft and cybercrime.

On 22 February 2018 the government implemented the Notifiable Data Breach Scheme (NDBS), administered by the Office of the Australian Information Commissioner (OAIC).  The NDBS requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm.  These entities must also advise the OAIC of those breaches.

In their first quarterly report published 11 April 2018, the OAIC advised they had received 63 breach notifications in the 6 weeks since launch. Human error was the cause of the largest number (51%) of eligible data breaches reported to the OAIC in this period. See Notifiable data breach statistics for more reported figures and insights.

This suggests that while technical security solutions are necessary for ensuring data security, it’s important to not rely on them alone.  Effective cybersecurity requires business to have sound employee training, policies and procedures. These elements should also be considered in the context of 'digital supply chains' within the business, as often business data is shared with third parties.

How to prevent becoming a victim of cybercrime

To help prevent businesses from becoming victims of cybercrime, the ATO has developed tips for businesses in consultation with the Cyber Security Working Group – comprised of tax practitioner industry groups and other industry partners.

Simple steps like ensuring passwords are strong and secure and not leaving information unattended are essential. Multi-factor authentication adds an extra layer of security on accounts and makes it harder for hackers to compromise. Protecting traditional mail is important too – ensure mail is secure using a PO Box.

System access should be removed from people who no longer need it, for example former employees. It's also important to secure private Wi-Fi networks and be careful when using public wi-fi networks. Avoid making transactions while using public or complimentary wi-fi, since this may put your information at risk.

Make sure business devices have the latest security updates installed and run weekly anti-malware scans. Make regular offline backups of important data, which is not only good practice in the event of a disk failure but also helps to minimise the impact of Ransomware. Additionally, avoid clicking on links in email, downloading programs, opening unsolicited emails and attachments, or using USBs or external hard drives from unfamiliar sources, since these could contain malware that can infect your business's computers without being noticed.

Your business may have a social media presence; be careful with the information you make available using these tools including keeping any personally identifying information private and be aware of who you are interacting with. Scammers may take information that is publically available and use it to impersonate people or processes within your business. For example, scammers may send scam emails to trick staff into providing valuable information or releasing funds. It's good practice to regularly monitor business accounts – such as bank accounts, digital portals and social media – for unusual activity or transactions that look suspicious.

What to do if you've been a victim of cybercrime

If your data is lost or compromised, it can be very difficult and costly to recover.  If you have suffered a cyber incident, act quickly and seek support as soon as possible to reduce the impact on your business and its clients.

If you have experienced a breach we recommend that you:

  • If the breach involves tax or superannuation data contact the ATO as soon as practicable on 1800 467 033 Monday to Friday, 8am to 6pm so that we may apply measures to protect your business, staff and clients where necessary
  • review this guidance material on the Office of the Australian Information Commissioner (OAIC) website to ensure you comply with any obligations you may have under the Privacy Act 1988, including the Notifiable Data Breaches Scheme (NDBS)
  • inform impacted clients and staff of the data breach
  • contact your software provider if you suspect the breach may have originated in one of their service offerings
  • consider what information was accessed during the breach and take steps to safeguard this where necessary – for example, you may need to cancel your AUSkey, or change passwords and logins to prevent further misuse
  • take steps to secure the information in your business by ensuring all security software and controls are up to date
  • review systems access and remove it for people who no longer require it
  • continue to follow security best practice to reduce the risk in your business and reinforce these practices with your staff.

If you or your clients are concerned about the security of other personal information and the wider impact of identity compromise, we recommend you speak with IDCARE on 1300 432 273.

While large government agencies such as the ATO play a significant role in keeping Australia's data secure, we can't do it alone.  Creating a cyber-safe Australia is everyone's business and in everyone's best interest.

See Australian Signals Directorate publications for more cybersecurity advice.