April 17, 2018 | Jamie Norton, Chief Information Security Officer, ATO
The Cyber Security Review, led by the Department of the Prime Minister and Cabinet, found that cybercrime is costing the Australian economy up to $1 billion annually in direct costs alone. Some analysts suggest criminal data breaches could cost businesses as much as $8 trillion over the next five years, largely due to higher levels of connectivity without a proportionate level of investment in security.
The Australian Taxation Office (ATO) works with the Attorney-General’s Department, the Australian Competition and Consumer Commission, the Department of Human Services, the Australian Securities and Investments Commission and other government regulatory agencies and departments to combat the growing threat of identity theft and cybercrime.
On 22nd February 2018 the government implemented the Notifiable Data Breach Scheme (NDBS), administered by the Office of the Australian Information Commissioner (OAIC). The NDBS requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These entities must also advise the OAIC of those breaches.
In their first quarterly report published 11 April 2018, the OAIC advised they had received 63 breach notifications in the six weeks since launch. Human error was the cause of the largest number (51%) of eligible data breaches reported to the OAIC in this period.
This suggests that while technical security solutions are necessary for ensuring data security, it’s important not to rely on them alone. Effective cyber security requires businesses to have sound employee training, policies and procedures. These elements should also be considered in the context of ‘digital supply chains’ within the business, as business data is often shared with third parties.
How do I prevent becoming a victim of cybercrime?
To help prevent businesses from becoming victims of cybercrime, the ATO has developed tips for businesses in consultation with the Cyber Security Working Group – comprised of tax practitioner industry groups and other industry partners.
Simple steps like ensuring passwords are strong and secure and not leaving information unattended are essential. Multi-factor authentication adds an extra layer of security on accounts and makes them harder for hackers to compromise. Protecting traditional mail is important too – ensure mail is secure using a PO Box.
System access should be removed from people who no longer need it, for example former employees. It’s also important to secure private Wi-Fi networks and be careful when using public Wi-Fi networks. Avoid making transactions while using public or complimentary Wi-Fi, since this may put your information at risk.
Make sure business devices have the latest security updates installed and run weekly anti-malware scans. Make regular offline backups of important data, which is not only good practice in the event of a disk failure but also helps to minimise the impact of ransomware. Additionally, avoid clicking on links in email, downloading programs, opening unsolicited emails and attachments, or using USBs or external hard drives from unfamiliar sources, since these could contain malware that can infect your business’s computers without being noticed.
Your business may have a social media presence. Be careful with the information you make available using these tools, including keeping any personally identifying information private, and be aware of who you are interacting with. Scammers may take information that is publicly available and use it to impersonate people or processes within your business. For example, scammers may send scam emails to trick staff into providing valuable information or releasing funds. It is good practice to regularly monitor business accounts, such as bank accounts, digital portals and social media, for unusual activity or transactions that look suspicious.
What do I do if I’ve been a victim of cybercrime?
If your data is lost or compromised, it can be very difficult and costly to recover. If you have suffered a cyber incident, act quickly and seek support as soon as possible to reduce the impact on your business and its clients.
If you have experienced a breach we recommend that you:
If you or your clients are concerned about the security of other personal information and the wider impact of identity compromise, we recommend you speak with IDCARE on 1300 432 273.
While large government agencies such as the ATO play a significant role in keeping Australia’s data secure, we can’t do it alone. Creating a cyber safe Australia is everyone’s business and in everyone’s best interest.
Additional cyber security advice can be sought at https://www.asd.gov.au/publications/index.htm