
Preparing for EOFY tax scams with business and cyber resilience


Every end of financial year (EOFY) season involves a rush of Australians wanting to get their tax returns completed quickly and with the best financial returns.

By Prashant Haldankar

Too often the EOFY rush involves hastily clicking on links, giving personal information to the wrong person, or submitting documents to insecure portals or sites. One in four Australians experience a scam related to EOFY or tax matters, and these scams are not limited to the June 30 date. In the months leading up to and following it, scammers use a broad range of tactics, such as texting links to fake ads offering the recipient a tax refund.

For businesses, the threats are just as severe. Yet, half of organisations lack a comprehensive approach to assessing cyber resilience. In response to the growing threats and need for businesses to take preventative measures, the recent federal budget included a $23.4 million investment into a Cyber Wardens program, which aims to train up to 60,000 wardens in SMBs within the next three years.

While this is a progressive step by the government, more needs to be done to ensure every business across Australia is equipped to mitigate the impact of cyber threats, particularly organisations managing Australians’ finances ahead of the EOFY period. 

Every business has an opportunity to prevent cyber attacks with its people and processes

For financial institutions and accounting firms, prevention is critical. This starts with ensuring the prevalence of cyber attacks is recognised across the organisation, including at the Board level. Simultaneously, organisations need actionable roles for their people, alongside comprehensive processes that everyone can follow. 

One of the simplest and most effective steps organisations can take is building a team of cyber champions, or in essence a version of the government’s proposed Cyber Wardens program but without any limits on the size or industry of the organisation. For SMBs, having at least one cyber champion is a good start, and for enterprises or government agencies there should be a cyber champion in every team or department. 

Lacking cyber expertise is no excuse

As the government’s proposed program shows, cyber-savviness does not need to come hand-in-hand with extensive technical expertise or experience, nor does a cyber champion need to come from the IT, technology, or cyber security teams within an organisation. Basic education and training can be enough to equip a cyber champion with the knowledge needed to stop an attack before it happens. 

Training up a cyber champion within a department can be as simple as educating them on a go-to list of questions they should be asking every time a new piece of technology is purchased or used within their department, and a short list of actions or scenarios where it is clear when and how a potential risk should be escalated or assessed internally.

While cyber threats are often assumed to come externally from an aggressive attack by someone in a hoodie in a bunker overseas, the reality is that many risks come from employees skipping over seemingly complicated approval processes, subscribing to popular apps or products that may not meet compliance requirements, or not checking whether they actually need a third-party tool or whether the same outcomes could be reached with an approved tool already used within the organisation. It does not take a cyber security expert to ask these questions beforehand and prevent a potential large-scale shadow IT cyber threat.

Prepare for your crown jewels to get stolen

Over-complicating the issue of cyber security can lead to more negative than positive outcomes. Keep it simple and focus on basic cyber security needs rather than high-end technology aspects. Assess which pieces of information within the business are the most important – the crown jewels – and the systems surrounding that data.

Next, consider how the business would be impacted if those crown jewels were accessed, tampered with, or stolen. Build a strategy with actionable processes and clear roles and responsibilities based on how the business could bounce back quickly from an attack without impacting its critical business functions. Test your incident response plans and adjust rather than taking a ‘set and forget’ approach that could risk the plan becoming quickly outdated or irrelevant. 

Finally, don’t stop there. Cyber criminals around the world are savvy, persistent, and increasingly well-resourced. While they may be targeting consumers and accountants at tax time today, they will quickly find another way to get Australians’ attention tomorrow. Keep your plans, cyber champions, and staff – all the way to the Board level – updated regularly to ensure everyone is ready for the next threat. 

Prashant Haldankar is the chief information security officer at Sekuro

 

 
