Step 2: Processes

No two businesses are the same. This makes it difficult to generalise when it comes to cybersecurity policies, procedures and processes. However, below are four key principles to get you started. 

Assess your cybersecurity

You’ve implemented a few cybersecurity measures, but how do you know if they’re enough?

It’s important to take a step back and review your cybersecurity hygiene.

  • Which of your systems and applications are vulnerable?
  • Do you have policies for information security, incident response and acceptable usage?
  • From eDM (electronic direct mail) platforms to file-sharing tools, what third-party systems do you use? Are they as secure as they claim? Third-party or supply chain attacks are becoming more common, so you need to stay vigilant.
  • Is your software up to date?
  • Do you have a recovery plan in place?
  • Have you considered cyber liability insurance?

The Australian Cyber Security Centre’s (ACSC) Cyber Assessment Tool can help you manage cybersecurity for your business. It identifies your cybersecurity strengths, areas where your business can improve, and where to find help.

Avoid leaving it all to the IT team

Many businesses leave the responsibility for cybersecurity to the IT team or the external IT provider – but cybersecurity works best when finance professionals and technology experts join forces.

For example:

  • tax specialists need to stay up to date with scams that circulate at tax time and work with IT specialists to defend against them. Check out the ACSC cyber safety at tax time resources
  • auditors need to consider the impact of data breaches in the audit of a financial report. Refer to How auditors can assess cybersecurity risks to find out more
  • superannuation experts need to understand that super funds are a lucrative target for cyber criminals, and work with IT to mitigate the risks.

From business leaders, to employees and third-party service providers, every person is responsible for cybersecurity and should be trained in accordance with their role, responsibilities, and access level.

Depending on the size of your organisation, you might consider setting up (or outsourcing) a Security Operations Centre (SOC) to monitor, prevent, and respond to cyber attacks.

Focus on good data practice and password management

The average accounting firm employee has more than 20 app logins to manage across their working and personal lives.

You can use a password manager such as LastPass, 1Password or Dashlane to store these credentials in a single vault unlocked with one master password, instead of juggling dozens of separate logins. This helps your business maintain control over where, when and from what device data is accessed, and helps you pinpoint the source of any breach.

Bolster your email security

Sending and receiving emails is a key business process in most accounting practices and it’s particularly vulnerable to cyber attacks. From fake invoices to phishing and ransomware, email is an attractive delivery method for many cyber criminals. To strengthen your defences, consider: 

  • turning on multi-factor authentication
  • protecting your domain names by renewing them regularly
  • registering additional domain names to stop cyber criminals from using domain names that look like yours
  • running cybersecurity awareness training for your employees to help them recognise and deal with suspicious emails.

The ACSC provides email security resources to help you get started.
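Registering lookalike domains only covers the variants you think of; a complementary defensive check is to flag inbound mail whose sender domain merely resembles one of yours. The following is an added example, not code from this article or from the ACSC resources, that classifies a From: header as "own", "lookalike" or "external" by normalising common look-alike characters (such as the digit 1 for the letter l) and measuring edit distance against your own domains. The domains, the suffix list and the sample headers are constructed values.

```python
"""Flag inbound sender domains that resemble one of our own domains.

Added example for illustration only. OUR_DOMAINS, SUFFIXES and the sample
headers below are constructed values, not real organisations.
"""
from email.utils import parseaddr

# The practice's legitimate domains (constructed sample values).
OUR_DOMAINS = {"examplepractice.com.au", "examplepractice.com"}

# Public suffixes we strip before comparing names. Simplified assumption:
# a real deployment would use the full Public Suffix List.
SUFFIXES = (".com.au", ".net.au", ".org.au", ".gov.au", ".com", ".net", ".org")

# Characters commonly substituted for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalise(label: str) -> str:
    """Map visually similar characters onto a canonical lowercase form."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domain labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Return the label just before the public suffix, e.g. 'examplepractice'."""
    domain = domain.lower()
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            return domain[: -len(suffix)].split(".")[-1]
    # Unknown suffix: fall back to the second-to-last label.
    return domain.split(".")[-2] if "." in domain else domain


def classify_sender(from_header: str, our_domains=OUR_DOMAINS, max_distance: int = 2) -> str:
    """Classify a From: header as 'own', 'lookalike', 'external' or 'invalid'."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "invalid"
    domain = addr.rsplit("@", 1)[1].lower()

    # Exact match or a subdomain of one of our domains is legitimate.
    if any(domain == ours or domain.endswith("." + ours) for ours in our_domains):
        return "own"

    cand = normalise(registrable_part(domain))
    for ours in our_domains:
        ref = normalise(registrable_part(ours))
        # Homoglyph twin, brand name embedded in a longer name, or a near-typo.
        if cand == ref or ref in cand or levenshtein(cand, ref) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, as might be seen in an inbound mail log.
    samples = [
        "Jane Smith <jane@examplepractice.com.au>",
        "Accounts <billing@exampleprcatice.com.au>",
        "Payroll <accounts@examp1epractice.com>",
        "Portal <alerts@examplepractice-portal.com>",
        "Supplier <orders@example.net>",
    ]
    for header in samples:
        print(f"{classify_sender(header):10} {header}")
```

Mail hitting "lookalike" is a candidate for quarantine or a visible warning banner, and the set of flagged domains over time tells you which additional names are worth registering. Keep `max_distance` small: for short domain names a distance of 2 will match many legitimate unrelated senders, so tune it against your own mail logs before acting on it automatically.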

Stay aware of new threats

Check the Australian Cyber Security Centre website regularly.