Issued: 5 October 2023
Last modified: 22 November 2023
In this webinar, we chat about cyber security with Daniel Tripovich, Assistant Director from the Australian Signals Directorate. We’ll discuss cyber security issues, looking at the types of attacks that are happening now, how they work and how to protect yourself and safeguard your business.
Resources
Webinar recording
A recording of this webinar is unavailable due to a technical fault that occurred during the live webinar.
Questions and answers
We have compiled some of the questions we received during our webinar.
Code of Professional Conduct
Can we allow our software service providers access to our computer to help fix software errors?
To comply with Code item 6, tax practitioners must not disclose information relating to a client (or former client) to a third party unless they have obtained the client’s permission, or they have a legal duty to do so.
‘Information’ refers to knowledge acquired or derived directly about a client, and disclosure includes giving a third party access to client information. A ‘third party’ is any entity other than the tax practitioner and the client, and would include a third party software provider.
Before giving a third party software provider access to any information relating to a client’s affairs, you must inform the client about the disclosure and obtain their permission. You should specify what information will be disclosed, and to whom and where the disclosure will be made.
Does the TPB require us to hold a cyber insurance policy?
Cyber insurance cover is not a requirement under the Code of Professional Conduct. However, we recommend you consider additional features for your professional indemnity insurance policy, including cover for fraud and for cyber threats, such as losses an agent may suffer from a cyber-attack.
As registered tax practitioners, you hold large amounts of confidential information about your clients which may be accessible electronically. Data is an increasingly valuable resource that is likely to be targeted or inadvertently disclosed through security breaches.
In addition, most practices are reliant on the ongoing availability of computer systems and networks for their day-to-day activities. This means that the consequences of a cyber-attack resulting in computer systems being damaged or taken offline could be severe.
Types of scams
What is spear-phishing?
Spear-phishing is a cyber-attack method that hackers use to steal sensitive information or install malware on the devices of specific victims. Spear-phishing attacks are highly targeted, highly effective, and difficult to prevent.
What is a ‘brute-force attack’?
A brute-force attack is where malicious or criminal actors use automated software to generate a large number of consecutive guesses at the value of the data they want, for example a password.
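A brute-force attack shows up on the defender's side as a burst of failed logins from one source. The following is an added example, not from the original page or the webinar: it scans authentication log lines, counts failures per source address inside a sliding time window, and reports any source that reaches a threshold. The log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not a real product's format):
# "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source guessing rapidly, one user mistyping once,
# and one source with failures spread out too thinly to be automated guessing.
SAMPLE_LOG = """\
2023-10-05T09:00:01 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:00:02 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:00:03 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:00:04 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:00:05 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:00:06 LOGIN_FAIL user=jane src=203.0.113.9
2023-10-05T09:01:10 LOGIN_FAIL user=tom src=198.51.100.4
2023-10-05T09:01:25 LOGIN_OK user=tom src=198.51.100.4
2023-10-05T09:05:00 LOGIN_FAIL user=tom src=192.0.2.77
2023-10-05T09:10:00 LOGIN_FAIL user=tom src=192.0.2.77
2023-10-05T09:15:00 LOGIN_FAIL user=tom src=192.0.2.77
"""


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return {src: peak_failures} for every source whose failed logins
    within any span of length `window` reach `threshold`."""
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "LOGIN_FAIL":
            continue  # ignore successes and lines in an unknown format
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]] = max(len(q), flagged.get(m["src"], 0))
    return flagged


if __name__ == "__main__":
    for src, count in find_brute_force(SAMPLE_LOG).items():
        print(f"{src}: {count} failed logins inside a 2-minute window")
```

Lowering the threshold or widening the window trades missed attacks for false alarms; the sample's slow source is only flagged once the window grows to cover it.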
What are spoofed hyperlinks and websites?
Spoofed hyperlinks lead to spoofed websites: malicious sites that look identical to a legitimate site, but whose URL (web address) uses a variation in spelling or a different domain. For example, the URL ends in '.net' instead of '.com'.
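The two tricks described above (a swapped domain suffix and a small spelling variation) can be checked for mechanically before a link is clicked. This is an added example, not from the original page: it compares the domain in a hyperlink with the domain you expect, and it also catches the legitimate name being used as a subdomain of a different site. The expected domain, the sample links and the short list of two-label suffixes are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Simplified stand-in for a full public-suffix list (an assumption), so that
# 'mybank.com.au' is treated as one registrable domain rather than 'com.au'.
_TWO_LABEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk"}


def registrable_domain(url: str) -> tuple[str, str]:
    """Return (name, suffix) for the host in url, e.g. ('mybank', 'com.au')."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return host, ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character spelling variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, expected: str) -> str:
    """Compare the domain in url with the expected domain (e.g. 'mybank.com.au')."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    exp_name, exp_suffix = registrable_domain("https://" + expected)
    name, suffix = registrable_domain(url)
    if (name, suffix) == (exp_name, exp_suffix):
        return "legitimate"
    # 'mybank.com.au.example.net' contains the real name but belongs to example.net
    if f".{expected}." in f".{host}.":
        return "spoofed: legitimate name used as a subdomain"
    if name == exp_name and suffix != exp_suffix:
        return "spoofed: different domain suffix"
    if 0 < edit_distance(name, exp_name) <= 2:
        return "spoofed: look-alike spelling"
    return "unrelated domain"
```

Only the domain is compared, so a legitimate sub-page such as `https://login.mybank.com.au/secure` is accepted while `https://mybank.net/login` is flagged.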
What is ransomware?
Ransomware is a particular form of malicious software that locks up your computer; the criminal behind it then demands a ransom to restore your access to your own data. Ransomware is often introduced to your environment through otherwise friendly services like email.
Cyber security
Why are we not able to stop cyber-attacks?
Unfortunately, cyber-crime is no different to other types of crime. We can reduce the risk, but we cannot eliminate it. As time has shown, we cannot be complacent by depending on a single form of defence, so it’s important for tax practitioners to ensure they have mitigated their risk effectively.
How do you encrypt client files?
This depends on your circumstances. However, if you're like many tax practitioners and you use a Windows-based computer, you can enable encryption on your local computer by enabling ‘BitLocker’. Note this is only available on some versions of Windows, and you'll also need to consider separately the encryption of any online storage you might have.
Some clients request that I plug their USB into my computer to retrieve their information. Is this safe?
Always be careful when someone asks you to plug in a USB. Ensure the source is trustworthy!
How secure is myGov?
myGov is managed by Services Australia. Your privacy is protected by law when using myGov and it has strong security processes and protection. It is best to refer to their website for more details.
Is OneDrive protected?
Yes, OneDrive uses encryption when communicating and storing your files. However, it is worth ensuring you're using the Australian hosted OneDrive, so you are also protected by Australian privacy and cyber laws.
How secure are our software suppliers?
Some software providers are naturally going to be more secure than others. It's certainly worth doing research when choosing. We recommend choosing providers who commit to hosting your data within Australia, rather than offshore. Also consider the availability of multi-factor authentication to log in, and other elements of the Essential Eight.
Is having multiple browser windows open, switching between programs and then entering passwords (some with and some without multi-factor authentication) a risk?
Generally, no. Switching browsers and applications does not increase risk if your machine and applications are patched and updated with the latest security updates.
Does moving emails to my junk folder help? I have antivirus software and wonder why it didn’t pick these up?
There are a number of options for antispam software available, which use a variety of techniques to identify potential spam and phishing emails. It may be that your antivirus software isn't filtering for spam or phishing emails and is just scanning for known viruses.
What are signs that you have been impacted by a cyber-attack?
We recommend you refer to the Guidelines for cyber security incidents on the Australian Cyber Security Centre website. The guidelines provide ways you can detect cyber security incidents. Many password managers also have features that enable you to check if any of your credentials have been compromised and published on the dark web.
What does ‘patching’ mean?
Security patches are among the most important digital security tools, right up there with scanning filters and antivirus software. A security patch is simply a piece of code deployed to a device to fix, upgrade, or update the device's software. It is essentially a bandage for vulnerable computer software, which is why any given software typically has many security patches released over its lifetime. Choosing not to update your software means that you're leaving open security holes for hackers to exploit, holes that a security patch would otherwise have filled. By swiftly deploying all the necessary security patches, you can reduce the likelihood of data breaches.
Where do you go to check if any of your information has been compromised?
We would recommend checking out the Australian Signals Directorate’s ‘Have you been hacked?’ resource.
Is there a cyber security plan template that could be of help for businesses?
business.gov.au has some information on how to create a cyber security policy to protect your business and plan how you would respond if an incident occurred.
Cloud computing
How do we find out where our cloud software providers are storing our data?
Most cloud software providers regard this as critical to establishing their suitability with their customers, so it's likely you'll see documentation on their website. Of course, you wouldn't expect to get a detailed description of their security defences, as this would place them at risk, so if you have detailed questions, we'd suggest you be as specific as possible and contact their help desk.
See our Practice note on cloud computing if you need more information.
We recently moved from desktop software to cloud based software to protect client information. Is this a common situation?
Yes, use of a reputable cloud-based provider can be a great strategy to help protect your clients and their data. However, remember it is only one part of a defence strategy. Using multi-factor authentication to protect your own computer, which accesses the cloud service, is also critically important.
Preventative measures
Where do you go to check if any of your information has been compromised?
We would recommend you review the Australian Signals Directorate’s information on how to report and recover from a data breach.
What is maturity level 1?
The Essential Eight cyber mitigation strategies are broken down into 3 maturity levels, beginning at level 1. Level 1 is the easiest place to start when seeking to protect your business from cyber threats. It focuses on malicious actors who want to gain access to, and likely control of, a system. Generally, these malicious actors are looking for any victim rather than a specific victim, and will opportunistically seek common weaknesses in many targets rather than investing heavily in gaining access to a specific target. They will employ common social engineering techniques to trick users into weakening the security of a system and launching malicious applications. Depending on their intent, malicious actors may also destroy data (including backups).
Is there a small business guide to assist with cyber security issues and concerns?
Check out the Australian Cyber Security Centre's Small Business Cyber Security Guide. It includes basic security measures to help protect your business against common cyber security threats.
If I install antivirus software is that a guarantee scammers can't get into my computer?
Antivirus is just one part of the defence against cyber security risks. Check out the Australian Cyber Security Centre's Essential Eight to find other recommended mitigations against cyber risk.
For Mac users, are there any recommendations regarding antivirus and anti-malware?
There are a number of antivirus tools for Mac users. We cannot recommend any one product. However, it is worthwhile to search on Google and review each product for your circumstances.
We run a VPN for our tax preparation programs. Would extending this to other files make us more secure?
A virtual private network or VPN is used to secure communications between computers. It won't protect any stored data on your computer though. Learn more about VPNs.
Is there a greater risk to the security of information if it is outsourced overseas?
Yes, use of overseas services does create additional risk because these services are not typically regulated by Australian privacy laws. It's worth checking the details of any overseas services you're using.
It is also important to consider your Code of Professional Conduct obligations when sharing client information with a third party. Under Code item 6 you must not disclose any information relating to a client’s affairs to a third party without your client’s permission. See our confidentiality information to learn more.
How can we reduce the volume of spam we receive in our inbox?
While there is no way to permanently stop spam, there are a few simple ways to reduce the amount of spam you receive, including:
- Keep your email private.
- Turn off read and delivery receipts and automatic processing of meeting requests.
- Review the privacy policies of websites before signing up.
- Watch out for check boxes that are already selected when you share information online, for example when shopping online.
- Opt out of marketing updates.
- Block senders you don’t know.
- Don't reply to spam.
- Use a spam filter in your email.
- Set up a rule to filter spam.
- If a company uses email messages to ask for personal information, don't respond by sending a message – contact them over the phone.
- Don't forward chain email messages – you are increasing overall email volume by forwarding them and you may be furthering a scam. You can also lose control over who sees your email address.
I block scam emails all the time. Is it worth doing?
Generally, blocking scam emails is more effective than just deleting them, especially if you consistently receive emails from the same email address.