Mandatory Breach Legislation and 2SA: How Prepared Are You?
Protecting Client Data In The Cloud
Nick Sinclair, CEO, The Outsourced Accountant
Jamie Beresford, Managing Director, Practice Protect
This webinar discusses the following topics:
- Mandatory breach legislation
- Xero’s Two-Step Authentication (2SA)
- What accounting firms need to know
- What your offshore team needs to know
Cyber Fraud Is On The Rise
- There is a 35% increase in reported breaches each year
- Cybersecurity breaches have been on the rise for the past three years now
- These can be considered the glory days of cyber criminals
- Small businesses with fewer than 20 staff are the most susceptible to breaches
How Has The Government Responded To The Threats?
In the poll we posted during the webinar, close to half (46%) of the participants admitted they haven’t implemented anything yet, while 20% do not even know what the legislation is.
The Mandatory Breach Reporting Legislation aims to make the custodians of data (accounting firms) responsible for protecting client information. Under this law, which takes effect on February 22, 2018, firms will need to report any instance of a breach to the Privacy Commissioner and to their clients, in writing.
Note: this is not going to be a good conversation with your clients because it runs the risk of losing their trust. In addition, it can have a negative impact on your reputation since word can get out in social media, print, etc.
We wanted to know if firms are ready for the mandatory breach legislation, which rolls out this March, and found that almost half (46%) have done the necessary research but haven’t implemented anything yet.
It’s quite interesting that very few (3%) are prepared with Two-Step Authentication, while 20% of firms have no idea what the legislation is about.
Revamping Policy Issues For Better Protection
Firms need to know that the risk of cyber hacks does not stem from I.T. issues. In fact, it is more about the policies of firms. The switch to browser-based cloud accounting has changed the way in which data is accessed. This is also one of the reasons why cyber hacks have become prevalent.
Firms can have the best firewall and security measures to protect the network, but since people can access your data through a browser from anywhere, an attacker who obtains a login can get at that information regardless of location.
All somebody needs is your password.
The cloud has made it difficult for firms to keep the required level of password hygiene. There are too many passwords due to having too many accounts to maintain.
Fact: People have at least 20 different accounts across their business and personal lives. Having this many accounts pushes people towards passwords that are easy to remember.
The Big Browser War
Not many people are aware that the risk of a data breach is a browser issue. The war between the big browsers is not helping make this easier, either. How?
Since they’re competing for your business, they will offer ways to make your life easier. One of them is password management. Browsers can save passwords so it’s easier for users to access their accounts.
What users are unaware of is that anyone who knows which settings to configure can see your saved passwords.
Other practices that can compromise your private data:
- Synchronised passwords on various devices can pose a risk. When an employee logs in with their browser ID at the office, the passwords they use can be synced to the other devices they have logged on from in the past (e.g. tablets, mobile phones, etc.)
- Hackers infecting your computer with malware
Xero’s Two-Step Authentication (2SA) Process
The Australian Taxation Office has released a new operational framework for all application vendors that integrate with its systems and hold sensitive data.
Xero has mandated this, and it will officially take effect on March 1, 2018. Under this policy, team members will be required to use an authentication code in addition to their password.
The roll-out means shared accounts will no longer work. Firms are strongly advised to make the necessary changes prior to March 1.
For clients who are using Xero, here are some tips:
- Perform the necessary changes days, even weeks ahead. You don’t want your entire team doing it all on the same day.
- Get on top of your password control guidelines.
- Find ways to centralise your password policy.
Question & Answer
Q: What are some of the common questions that you have received regarding the new rules at Xero and the new legislation coming into effect in two weeks’ time?
A: Questions about the actual data and how the legislation impacts that. If a firm has a revenue of more than 3 million, they aren’t included in the legislation unless they’re holding tax phone numbers which includes accounting firms.
Q: Do clients need to arrange the two-step process from their end?
A: Yes. All users [have to] so their clients will be mandated as well.
Q: If a client fails to implement the Two-Step process are we exposed to liability for any breaches?
A: They won’t be able to access their Xero files.
Q: Even if it’s not mandatory for MYOB, can we still set this up for our team members here at TOA?
A: MYOB might not have this available yet but if they do, we’ll certainly look into that.
Q: Does Practice Protect work on remote desktop log-ins?
A: It does. You can protect your server. It provides a single log-in to all your applications so you can restrict IP addresses and protect yourself against international access to your accounts.
Q: What is the difference between Practice Protect and LastPass? Is one better than the other?
A: LastPass is more of a password management tool. It hasn’t been built for security from the ground up, but we advise you to do your own research.
Q: Do you recommend cyber insurance?
A: Most definitely. It represents strong value for money.
Q: Our provider has a log-in to our system to help fix bugs and issues. Will this be an issue?
A: If they have their own log-in then they will need to set up 2SA just like everybody else.
Q: What is the biggest risk for our clients and people in the accounting industry?
A: Identity theft. If you have a tax file number, you can lodge a fake tax return, assume someone’s identity and take over their bank accounts.
Q: Should we merge the XPM log-in and how long will it take?
A: You should be getting a prompt when logging in to XPM. We strongly recommend that you go ahead and do this in your own time rather than wait for March 1st. Once you merge those log-ins you will be mandated to set up your two-step authentication. The whole process may take 10 to 15 minutes, so be prepared for that.
Q: What are your thoughts on third parties (i.e. non-employees, IT personnel) with access to your system?
A: There is certainly a level of confidentiality. The one thing we can’t control is the way your firm manages your passwords.
The Desktop 2SA Solution
The advent of technology has been absolutely wonderful for the industry. It has made remote work possible. But it carries one risk. Your staff now has access to your IP, database, client list and other vital business information.
This is risky when you look at it from a security point of view. Anyone using a local wifi connection can get hacked. We highly suggest clients implement a policy where staff can only access the system from certain IP addresses and locations.
Password management is becoming more and more crucial as the accounting technology is starting to shift to the cloud, so it’s of vital importance to look at your security management.
TOA has rolled out a clean desk policy as part of strengthening its data security. We are also working with Practice Protect to ensure the security measures are installed on all computers. Right now, there are more than 420 Xero users in our office, and we will be sending out guides about this in the coming weeks.
What Do Firms Need To Do For Their Offshore Team?
Nothing. The TOA team will be taking care of installing all the necessary software in preparation for March 1. We also sent out an electronic direct mailer last week which detailed the step-by-step process that we are following.
For Your Onshore Team, Here’s Our Recommendation
For attendees who would like to receive a template for the third-party access policy, we strongly suggest you head to http://www.practiceprotectonline.com and sign up for an accounting security consultation.
A cloud security consultant will help determine the right agreement for your firm.
To get industry updates, expert tips and best practices for your accounting practice delivered straight to your inbox, sign up to The Ledger by clicking here.
If you are an accountant, bookkeeper or finance firm looking for solutions to capacity restraints, call our offshoring specialists at 1300 896 522 or click here to download our blueprint on how to build a global accounting team.