You have 0 free articles left this month.
Register for a free account to access unlimited free content.
Powered by MOMENTUM MEDIA
accountants daily logo

Preparing for EOFY tax scams with business and cyber resilience

Tax

Every end of financial year (EOFY) season involves a rush of Australians wanting to get their tax returns completed quickly and with the best financial returns.

By Prashant Haldankar 13 minute read

Too often the EOFY rush involves hastily clicking on links, giving personal information to the wrong person, or submitting documents to insecure portals or sites. One in four Australians experience a scam related to EOFY or tax matters, and these scams are not just limited to the June 30 date. In the months leading up to and following, scammers are leveraging a broad range of tactics such as texting links to fake ads offering the recipient a tax refund. 

For businesses, the threats are just as severe. Yet, half of organisations lack a comprehensive approach to assessing cyber resilience. In response to the growing threats and need for businesses to take preventative measures, the recent federal budget included a $23.4 million investment into a Cyber Wardens program, which aims to train up to 60,000 wardens in SMBs within the next three years.

While this is a progressive step by the government, more needs to be done to ensure every business across Australia is equipped to mitigate the impact of cyber threats, particularly organisations managing Australians’ finances ahead of the EOFY period. 

Every business has an opportunity to prevent cyber attacks with its people and processes

For financial institutions and accounting firms, prevention is critical. This starts with ensuring the prevalence of cyber attacks is recognised across the organisation, including at the Board level. Simultaneously, organisations need actionable roles for their people, alongside comprehensive processes that everyone can follow. 

One of the simplest and most effective steps organisations can take is building a team of cyber champions, or in essence a version of the government’s proposed Cyber Wardens program but without any limits on the size or industry of the organisation. For SMBs, having at least one cyber champion is a good start, and for enterprises or government agencies there should be a cyber champion in every team or department. 

==
==

Lacking cyber expertise is no excuse

As the government’s proposed program shows, cyber-savviness does not need to come hand-in-hand with extensive technical expertise or experience, nor does a cyber champion need to come from the IT, technology, or cyber security teams within an organisation. Basic education and training can be enough to equip a cyber champion with the knowledge needed to stop an attack before it happens. 

Training up a cyber champion within a department can be as simple as educating them on a go-to list of questions they should be asking every time a new piece of technology is purchased or used within their department, and a short list of actions or scenarios where it is clear when and how a potential risk should be escalated or assessed internally.

While cyber threats are often assumed to come externally from an aggressive attack by someone in a hoodie in a bunker overseas, the reality is many risks come from employees skipping over seemingly complicated approval processes, subscribing to popular apps or products that may not meet compliance requirements, or not checking whether they actually need to use a third party tool or if the same outcomes could be reached with an approved tool already used within the organisation. It does not take a cyber security expert to ask these questions beforehand and prevent a potential large-scale shadow IT cyber threat. 

Prepare for your crown jewels to get stolen

Over-complicating the issue of cyber security can lead to more negative than positive outcomes. Keep it simple and focus on basic cyber security needs rather than high-end technology aspects. Assess what are the most important pieces of information within the business – the crown jewels – and the systems surrounding that data. 

Next, consider how the business would be impacted if those crown jewels were accessed, tampered with, or stolen. Build a strategy with actionable processes and clear roles and responsibilities based on how the business could bounce back quickly from an attack without impacting its critical business functions. Test your incident response plans and adjust rather than taking a ‘set and forget’ approach that could risk the plan becoming quickly outdated or irrelevant. 

Finally, don’t stop there. Cyber criminals around the world are savvy, persistent, and increasingly well-resourced. While they may be targeting consumers and accountants at tax time today, they will quickly find another way to get Australians’ attention tomorrow. Keep your plans, cyber champions, and staff – all the way to the Board level – updated regularly to ensure everyone is ready for the next threat. 

Prashant Haldankar is the chief information security officer at Sekuro

 

 

You are not authorised to post comments.

Comments will undergo moderation before they get published.

accountants daily logo Newsletter

Receive breaking news directly to your inbox each day.

SUBSCRIBE NOW