Issued: 25 June 2020
Last modified: 24 May 2022
View the resources from our webinar Be cyber aware, held 25 June 2020.
Resources
Webinar recording
Questions and answers
Cyber attacks
How can I tell if there has been a data breach?
It’s true that some cyber-attacks are silent and can remain undetected on your system for a long time. Practices may identify breaches by the following:
- Anti-virus detection software.
- Implementation of a data loss prevention tool.
- Monitoring your network traffic for spikes or unusual usage, for example someone using your network outside business hours.
- Regularly monitoring your AUSkey for unauthorised access.
- Regularly reviewing your bank statements for unusual activity (your financial institution may also contact you directly).
- Unusual or unexpected changes to your client lists.
- Concerned clients contacting you about unusual activity or access.
- Staff members reporting unusual activity on your systems.
- Notification from your software provider.
- Media reports.
Some reputable anti-virus suppliers provide lists of compromised accounts drawn from reported data breaches and the dark web. See this list for the best sources.
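The "out of business hours" indicator above is easy to check mechanically if remote-access or VPN logins are logged. The following Python script is an added example (not from the webinar or the TPB) that scans a constructed access log, flags activity on weekends or outside an assumed 8:00-18:00 business window, and lists source addresses a user has only ever used out of hours. The log format, the business hours and the sample entries are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample access log (not real data): "date time user source_ip action".
SAMPLE_LOG = """\
2020-06-25 09:12:03 alice 10.0.0.12 login
2020-06-25 13:40:51 bob 10.0.0.15 login
2020-06-25 23:58:10 alice 203.0.113.7 login
2020-06-26 02:14:37 alice 203.0.113.7 download client-list.csv
2020-06-26 08:55:00 carol 10.0.0.20 login
2020-06-27 11:20:45 bob 10.0.0.15 login
"""

BUSINESS_START = time(8, 0)   # assumed business hours; adjust to the practice
BUSINESS_END = time(18, 0)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"time": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "user": m.group(2), "ip": m.group(3), "action": m.group(4)}


def is_out_of_hours(ts):
    # Weekend (Mon=0 .. Sun=6) or outside the business window on a weekday
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_out_of_hours(log_text):
    """All parsed events that fall outside business hours, in log order."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e is not None and is_out_of_hours(e["time"])]


def new_source_addresses(log_text):
    """Per user, source addresses seen only in out-of-hours activity."""
    in_hours = defaultdict(set)
    out_hours = defaultdict(set)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        bucket = out_hours if is_out_of_hours(e["time"]) else in_hours
        bucket[e["user"]].add(e["ip"])
    return {u: ips - in_hours[u] for u, ips in out_hours.items() if ips - in_hours[u]}


if __name__ == "__main__":
    for e in find_out_of_hours(SAMPLE_LOG):
        print(f"out of hours: {e['time']} {e['user']} from {e['ip']} ({e['action']})")
    for user, ips in new_source_addresses(SAMPLE_LOG).items():
        print(f"{user}: never-seen-in-hours source addresses {sorted(ips)}")
```

On the sample log this flags the two late-night entries for alice from an address she never uses during the day, and bob's Saturday login from his usual address; the first pattern is the one worth following up first.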
What should I do if I become the victim of a data breach?
If you experience a breach of client data, you should:
- contact the Office of the Australian Information Commissioner (OAIC) for assistance regarding the breach
- contact the Australian Taxation Office so they can apply measures to protect your business, staff and clients where necessary
- inform any of your clients affected by the data breach
- contact your software provider
- take steps to secure the information in your business.
For more information refer to our Notifiable Data Breaches Scheme guidance.
Is screen sharing vulnerable to cyber-attacks?
Screen sharing (and other) software can make your computer vulnerable. The best way to protect yourself from this risk is to ensure that any software (including screen sharing software) you install comes from a reputable software vendor, and to ensure you have an up-to-date virus checker and anti-malware software installed.
What is a phishing attack?
Phishing and spear-phishing are methods of stealing confidential information by sending fraudulent messages to a victim through email or messaging platforms. Phishing campaigns can be sent via email, SMS, social media, instant messenger or phone. They can look extremely convincing, often imitating legitimate messages from trusted senders in government or business. Their aim is to trick you into giving up your personal information.
Phishing attacks are among the most common methods used by malicious cyber actors to target Australians. While phishing messages are commonly sent out in their thousands, spear-phishing campaigns are typically aimed at a particular group of recipients and may even use publicly available information to deceive you into thinking the communication is legitimate.
Cyber protection
Do you recommend using a VPN to increase security and avoid data stealing?
A Virtual Private Network (VPN) can be a great way of providing security over an untrusted Wi-Fi connection, but it is critical to know that the VPN provider itself can see your activity on the web, so the provider needs to be trustworthy.
See Using Virtual Private Networks for more information.
Can you recommend some ways to protect ourselves from a cyber-attack?
The most valuable tip from our perspective is to be proactive!
As a minimum, we consider the following to be best practice:
- install and maintain anti-virus software on your workplace computers
- deploy firewalls on your workplace computers and/or workplace networks
- ensure that your computer operating systems and programs always have the latest security patches
- protect client records or files using encryption, where possible
- consider using a second form of authentication (for example SMS) to protect your online accounts, where possible.
Can you provide us with an example of a strong password?
Complex, long passwords are best, made using a combination of letters, numbers and symbols. However, passwords are not enough to keep you protected. You should also ensure you:
- manage passwords safely
- turn on 2-factor authentication, wherever it’s available
- make sure the sensitive websites you visit (online banking, online shopping, etc.) use an encrypted connection
- have different passwords; don’t use the same one for all applications
- keep your browser and software updated.
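As an added example (not part of the webinar answer), the Python below turns the advice above into something a practice can actually run: it generates passwords with the standard library's `secrets` module, checks a candidate for length, the four character classes and membership in a small constructed stand-in for a list of commonly breached passwords, and audits a set of accounts for the reuse the last bullet warns about. The 12-character minimum and the common-password list are assumptions for the example.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a list of commonly breached passwords (not a real list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def check_strength(password, min_length=12):
    """Return (ok, problems) after checking length, character classes and the common list."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase letters": any(c.islower() for c in password),
        "uppercase letters": any(c.isupper() for c in password),
        "digits": any(c.isdigit() for c in password),
        "symbols": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return (not problems, problems)


def generate_password(length=16):
    """Draw random characters with secrets (not random) until the result passes check_strength."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_strength(candidate, min_length=length)[0]:
            return candidate


def find_reused(account_passwords):
    """Given {account: password} (e.g. a password-manager export), return groups of accounts sharing one password."""
    by_password = {}
    for account, password in account_passwords.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    for sample in ("password", "Tr0ub4dor&3xample!", generate_password(16)):
        ok, problems = check_strength(sample)
        print(f"{sample!r}: {'ok' if ok else 'weak: ' + '; '.join(problems)}")
    # Constructed audit input: two accounts share a password.
    print("reused across:", find_reused({"bank": "Sdf7!kLm2#pQ", "email": "Sdf7!kLm2#pQ", "shop": "zX9$wq1!RtLp"}))
```

Note that the checker treats a password like "password" as weak for three separate reasons (too short, missing character classes, on the common list); a real deployment would use a full breached-password list rather than the six-entry stand-in here.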
Can you recommend a good anti-virus product?
Anti-virus solutions differ in effectiveness and by the range of malware types they cover. We recommend you consider anti-virus software that provides:
- protection and detection capabilities for malware, adware and spyware
- comprehensive anti-virus scanning
- a site adviser so your browser alerts you when visiting a suspicious or dangerous website
- malware protection with an integrated firewall.
Before choosing an anti-virus product, consider reviews from reputable and trustworthy sources.
How can I avoid fraud through identity crime and ensure the true identity of the person I’m speaking to before disclosing any information?
It’s important to carefully check proof-of-identity documents and to question discrepancies in information provided to you.
You have an obligation under Code item 9 to take reasonable care in ascertaining a client’s state of affairs.
We strongly recommend you perform identity checks for:
- all new clients
- existing clients, in particular when personal information has been altered or information relating to tax affairs is inconsistent with information you already hold (and have previously verified) about their tax affairs
- all representatives of clients (whether they claim to represent new or existing clients).
You can use the following details to check your client's identity:
- tax file number (TFN)
- full name
- date of birth
- current residential address
- current contact telephone number
- current bank details
- employment details (including the employer's address and phone number) where applicable.
Are websites that use cookies safe?
Cookies are small text files, or bits of information left on your computer by websites you have visited, which let them 'remember' things about you. They may also be used to store your preferences and settings for particular websites, which means your experience can be customised based on your past behaviour.
From a security perspective, cookies are unlikely to be used maliciously against you as they don’t contain code that can be executed.
What should I do if I receive a suspicious email?
We would recommend you:
- Don’t open messages if you don’t know the sender.
- Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
- Think carefully before clicking on links or opening attachments.
- Contact the person or business separately to check if they have sent the message.
- Before you click a link, hover over it to see the web address it will take you to. If you don’t recognise or trust the address, don’t click on it.
- Make sure your anti-virus software is up-to-date on all devices used to access email.
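The "hover over the link" check can be automated for a saved message. The Python below is an added example (not from the webinar or the TPB) that parses a constructed HTML email, collects every link's visible text and real target, and reports links whose displayed address differs from where they actually go or whose target is a bare IP address; it also extracts the sender's real domain so it can be compared with the display name. The sample message, the domains in it and the heuristics are assumptions for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email): the first link displays a trusted-looking
# address while its href points to a raw IP address; the second link is consistent.
SAMPLE_EMAIL = """\
From: "Trusted Practice Support" <support@mailer-service.invalid>
To: practitioner@example.com
Subject: Your refund is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer,</p>
<p>Click <a href="http://203.0.113.9/login">https://www.trusted-practice.example/refund</a>
to claim your refund.</p>
<p>Questions? Visit <a href="https://www.trusted-practice.example/">www.trusted-practice.example</a>.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_address(text):
    """True when the visible link text itself reads as a web address."""
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None


def check_links(html_body):
    """Return (visible text, href, reason) for each suspicious link."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append((text, href, "link target is a raw IP address"))
        if looks_like_address(text) and host_of(text) != target:
            findings.append((text, href, "visible address differs from real target"))
    return findings


def sender_domain(msg):
    """Domain of the first From: address, which is what to compare against the display name."""
    addresses = msg["From"].addresses
    return addresses[0].domain.lower() if addresses else ""


def analyse(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender_domain": sender_domain(msg), "link_findings": check_links(html)}


if __name__ == "__main__":
    report = analyse(SAMPLE_EMAIL)
    print("sender domain:", report["sender_domain"])
    for text, href, reason in report["link_findings"]:
        print(f"- {reason}: shows {text!r}, goes to {href!r}")
```

Run against the sample, it reports that the message really comes from mailer-service.invalid despite the friendly display name, and flags the first link twice (raw IP target, and displayed address not matching the target) while leaving the consistent second link alone.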
If I receive a scam email that has been addressed to me by name and it quotes the names of my friends, does it mean that I am being watched by malware? How do they know my name or my friends' names?
When a scam email contains personal information, this is what we would call a targeted phishing scam. It's best to protect yourself from malware using malware detection software, to rule this out. Fraudsters are also getting more sophisticated, sometimes using social media and other sources to gain enough information to coax you into giving up more personal information, bank account details or money. It's important to ensure your privacy settings on social media are set appropriately in order to limit the amount of personal information you share.
Is it possible to get rid of the many spam emails that keep popping up in my inbox from various unknown email addresses?
For personal email services we recommend updating your mail preference to ‘exclusive’ (this functions differently on each mail provider, so check with your mail provider for assistance). This will ensure that you can only receive email from known sources and all else is deleted or goes to junk.
Verifying information
How can I verify the identity of a client I have never met?
With increasing digital communication there is a heightened risk in dealing with information in an online environment, particularly with clients you have not physically met. For any online or electronic transaction, you still need to take appropriate steps to be satisfied that the:
- client is a genuine taxpayer
- client is who they say they are and the identity has not been stolen
- information they are providing to you is correct and can be substantiated.
Is there a definition of what is considered ‘personal information’?
Personal information includes a broad range of information, or an opinion, that could identify someone. What is personal information will vary, but it may include:
- an individual’s name, signature, address, phone number or date of birth
- sensitive information
- credit information
- employee record information
- photographs
- internet protocol (IP) addresses
- voice print and facial recognition biometrics (because they collect characteristics that make an individual’s voice or face unique)
- location information from a mobile device (because it can reveal user activity patterns and habits).
See OAIC’s website for more on ‘personal information’ under the Privacy Act 1988.
What would be considered sensitive information?
Sensitive information is personal information that includes information or an opinion about an individual’s:
- racial or ethnic origin
- political opinions or associations
- religious or philosophical beliefs
- memberships or associations
- sexual orientation or practices
- criminal record
- health or genetic information
- some aspects of biometric information.
See OAIC’s website for more on ‘sensitive information’ under the Privacy Act 1988.
Cyber insurance
What is the benefit of cyber specific insurance cover?
The benefits of having a cyber specific insurance policy, in addition to the professional indemnity insurance coverage we recommend, will vary according to the specific needs of your business and the range of cover offered by providers. Generally, cyber insurance covers events such as third party cyber liability, first party hacker damage, cyber extortion, data breach notification costs and public relations costs. While we do not recommend specific policies, we do strongly suggest you assess your need for cyber insurance and consider whether you need additional cover to assist with first party losses arising from a cyber-attack.
Why does my practice need cyber insurance cover?
Cyber insurance cover is not a requirement of the TPB; however, we do recommend you assess your individual practice’s needs. Tax practitioners hold large amounts of confidential information about clients which may be accessible electronically. Data is an increasingly valuable resource that is likely to be targeted or inadvertently disclosed through security breaches.
In addition, most practices are reliant on the ongoing availability of computer systems and networked technology for their day to day activities. This means that the consequences of a cyber-attack resulting in computer systems being damaged or taken offline could be severe.
A cyber insurance policy may assist with first party losses arising from a cyber-attack. Such losses can include:
- business interruption losses due to a network or system shutdown, or a ‘denial of service’ attack
- reputational damage and the costs of managing a reputational crisis
- the costs of:
  - rectifying harm done, including forensic investigation costs, repairing and restoring systems that have been damaged by malicious acts, and re-creating lost intellectual property
  - improving cyber security and undertaking forensic investigations to identify the source of a cyber-attack
  - extortion, such as paying ransoms to hackers in order to return, unlock or ‘un-corrupt’ valuable company data
- costs associated with complying with regulatory requirements, such as mandatory data breach notifications.
For more information see our professional indemnity insurance explanatory paper for tax and BAS agents.