How to protect your practice and clients from cyber attacks

Sonashki Babbar | July 2021

This article was current at the time of publication.

The COVID-19 pandemic has brought a rash of cybercriminals out of the woodwork. 

In March 2020, phishing campaigns and pandemic-themed malicious cyber activity ramped up, according to the Australian Cyber Security Centre’s Annual Cyber Threat Report 2020.

The report notes, “throughout the pandemic, there was an increase in reported spear phishing campaigns and an increase of COVID-19 themed malicious cyber activity”.

On the upside, CPA Australia’s 2019–2020 Small Business Survey found that more than half of businesses that reported strong growth in 2020 had reviewed their cybersecurity protection in the previous six months. 

Kieran Doyle, cyber risk specialist and Partner at law firm Wotton + Kearney, says phishing is the predominant cyberthreat for small-to-medium accounting firms and sole practitioners. 

“Cybersecurity is very important to consider for all sole traders because there’s a risk [to] reputation and [of] losing clients, and also from a legal perspective, they can get into trouble if they don’t adhere to cyber laws in Australia and New Zealand,” Doyle says.

Prevention strategies

A key prevention strategy is migrating your office-based server to a cloud-based system. An on-premises server in a small practice is often patched only every six to 12 months, if at all, whereas a reputable cloud provider patches the underlying platform continuously and keeps managed security controls such as antivirus definitions current without any action on your part.

A cloud backup can also make it far easier to recover from an attack, but only if it is actually configured and protected. Take the time to understand which security and backup features your provider includes by default and which you must turn on yourself.

Cyber insurance

Cyber insurance offers smaller practices extra resources to cover liability following a data breach, notes Drew Fenton, Director of insurance broker Fenton Green.

“The insurance company has a number of consultants ready to assist you if something goes wrong with technical support,” Fenton says. 

“There is also public relations expertise to assist with messaging clients, [and solicitors to assist you if there is a liability matter on the other side of the breach].”

Data encryption

Data can be encrypted in-house if you run your own network, but Alastair Miller, Principal Advisory Consultant in the New Zealand office of Aura Information Security, says it is easier to let a cloud provider handle it. He also suggests using the built-in email security features that encrypt messages for client communication.

Secure mobile devices

“If your office uses a lot of phones and staff interact with business applications [via] a phone, you might want to consider mobile device management [MDM] that carves out space on a mobile phone just for business work,” he adds. 

For emails, Miller suggests a security gateway that filters out spam and malicious attachments before they reach staff inboxes. “These companies will hopefully block any email that looks suspicious [and therefore] stop you from clicking on harmful links.”
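To make the gateway's job concrete, here is an added example (not Aura's or any vendor's code) of the two simplest checks such a product applies to every inbound message: quarantining attachments whose file type is executable or whose name uses a deceptive double extension such as `invoice.pdf.exe`, and flagging links whose visible text names one site while the real destination is another host or a bare IP address. The blocked-extension list, the sample messages and the `screen` function are assumptions for illustration; the messages are constructed inline so the script runs offline.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Attachment extensions a conservative gateway quarantines outright.
# Assumed policy list for this example, not any vendor's.
BLOCKED_EXTENSIONS = {
    "exe", "scr", "com", "pif", "js", "jse", "vbs", "wsf", "bat", "cmd",
    "ps1", "hta", "jar", "iso", "img", "lnk", "docm", "xlsm", "pptm",
}
# Extensions attackers place in front of a blocked one ("invoice.pdf.exe").
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def check_attachments(msg: EmailMessage) -> list[str]:
    """Flag attachments by file type and by deceptive double extensions."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        if len(pieces) > 2 and pieces[-2] in DOCUMENT_LOOKALIKES:
            findings.append(f"deceptive double extension: {name}")
    return findings


def check_links(msg: EmailMessage) -> list[str]:
    """Flag HTML links whose displayed URL hides a different real destination."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    for href, text in ANCHOR_RE.findall(body.get_content()):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()
        # Link text that looks like a URL but points somewhere else.
        if re.match(r"https?://", shown, re.I):
            shown_host = urlparse(shown).hostname or ""
            if shown_host and shown_host != real_host:
                findings.append(f"link text {shown_host} hides {real_host}")
        # Bare IP addresses are rarely legitimate destinations in business mail.
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            findings.append(f"link to bare IP address {real_host}")
    return findings


def screen(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a gateway verdict with reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = check_attachments(msg) + check_links(msg)
    return {"verdict": "quarantine" if findings else "deliver", "findings": findings}


def build_phish() -> bytes:
    """Constructed sample: fake invoice with a disguised executable and a lookalike link."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "practice@example.com"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Log in at <a href="http://203.0.113.5/login">https://portal.example-bank.com</a>'
        " to view the invoice.</p>",
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed sample: a plain client email with a PDF attached."""
    msg = EmailMessage()
    msg["From"] = "client@example.org"
    msg["To"] = "practice@example.com"
    msg["Subject"] = "Receipts for June"
    msg.set_content("Receipts attached, thanks.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application",
                       subtype="pdf", filename="receipts.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for sample in (build_phish(), build_benign()):
        print(screen(sample))
```

A real gateway adds sender reputation, SPF/DKIM/DMARC checks and sandbox detonation on top of this, but the lesson for a small practice is the same: the decision is made on what the message actually contains, not on how plausible it looks to the person reading it.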

Educate yourself and staff

Doyle says: “Hackers often prey on the element of trust in human interactions. It is important to create awareness of cybersecurity risks and train staff to better understand the latest risks and [different] types of phishing attacks.”

Good password hygiene is a must. Make sure you and your team are not reusing the same or predictable passwords.

First steps in the event of an attack

1. Call in the experts. Doyle advises: “Get an expert as soon as you can because you need to understand the extent of the damage hackers have [caused].

“You have to find out whether they’ve taken data and possibly whether they have communicated with your clients.”

2. Don’t engage with hackers. Miller notes: “If you pay them, you just give them more opportunity to go and either attack someone else or you end up on the list of people who are willing to pay.”

3. Call your insurance provider. “The greatest advantage of having a cyber insurance policy is that you gain access to a team of experts who can [assist] with getting the client the right help to recover from an incident,” Doyle says.

4. Notify authorities. Privacy law in both Australia and New Zealand requires businesses to notify the privacy regulator, and in many cases the affected individuals, as soon as practicable after a data breach that is likely to cause serious harm.

Miller says: “New Zealand and Australia have breach notification rules that include the amount [and type] of data being stolen that’s harmful to individuals.”

Tyler Wise CPA will be giving his advice on cyber management at the Public Practice Virtual Conference on 19 August.