Quick Summary
- Cybercrime reports grew in 2023 to an average of one every 6 minutes
- Almost 50% of cyber-attacks target small businesses but 60% of small businesses don’t think they will be affected
- Key threats for Tax and BAS practitioners include email compromise, ransomware, and data theft
- TPB cybersecurity requirements emphasise protecting client data and maintaining compliance to avoid penalties
- Proactive measures, like multi-factor authentication, data backups, and employee training, are critical to mitigating cyber risks.
Cybercrime is an escalating threat in Australia, affecting businesses of every size. For Tax and BAS practitioners, the implications are significant, particularly when considering the compliance requirements set by the Tax Practitioners Board (TPB). In today’s digital landscape it is essential that you understand the risks, your legal obligations, and how to safeguard your clients’ data.
The Rise of Cybercrime in Australia
The number of cybercrime reports filed in Australia rose 23% in 2023 to some 94,000, or an average of one report every 6 minutes. In 2024, the Australian Cyber Security Centre (ACSC) reported a 14% rise in the average cost of cybercrime reports across various business sizes:
- Small businesses: $46,000
- Medium businesses: $97,200
- Large businesses: $71,600.
This underscores the growing nature of cybercrime and its widespread impact across all sectors, including the financial services industry.
The Clear and Present Threat of Cybercrime for Australian Small Business
Almost 50% of all cyber-attacks target small businesses. Despite the rising threat levels, almost 60% of small business owners believe their business is too small to be targeted, and 51% of small businesses have no cybersecurity measures in place at all.
Key Cyber Threats to Tax and BAS Practitioners
Tax and BAS practitioners handle sensitive financial information on behalf of their clients, making them attractive targets for cybercriminals. There are four primary cybercrime types that affect businesses:
- Email compromise and Business Email Compromise (BEC) fraud
- Ransomware attacks, which restrict access to systems or data
- Theft of confidential data such as ID, banking and credit card details and financial data
- Online banking fraud.
In particular, business email compromise remains a key vector for cyber-attacks. Ransomware, one of the most destructive forms of cybercrime, continues to disrupt business operations.
Financial and Reputational Impact
The case study below shows how a breach of client data resulted in significant reputational harm, leading to a loss of client trust and potentially causing long-term damage to the practitioner’s business.
Case Study
In 2023, a small Sydney-based accounting firm fell victim to a Business Email Compromise (BEC) attack and lost $50,000 in client funds. The firm had no multi-factor authentication (MFA) or data backup processes in place, leading to both financial and reputational damage.
Implications for Tax and BAS Practitioners and TPB Requirements
As key intermediaries between their clients and the Australian Taxation Office (ATO), BAS practitioners must consider not only their own security but also how a cyber breach might impact their clients’ financial reporting and tax obligations.
Under the TPB’s Code of Professional Conduct, practitioners are required to:
- Act with integrity: Practitioners must take reasonable steps to prevent unauthorised access to sensitive financial data
- Maintain professional competence: Staying informed about the latest cyber threats and implementing appropriate security measures is essential
- Ensure confidentiality: Safeguarding client information against cyber-attacks is a legal and ethical obligation for BAS practitioners
Failure to meet these obligations could expose your clients to financial losses and lead to penalties or loss of TPB registration.
Proactive Measures for Tax and BAS Practitioners
To mitigate the risk of cyber-attacks, practitioners should adopt a proactive approach to cybersecurity. Some key strategies include:
- Implementing multi-factor authentication (MFA): MFA adds an additional layer of security, reducing the likelihood of unauthorised access
- Regular data backups: This simple step can minimise the impact of ransomware attacks
- Install a TLS certificate: A Transport Layer Security (TLS) certificate, still commonly referred to as an SSL certificate, enables encrypted HTTPS connections to your website, protecting the data exchanged between you and your clients from interception in transit. Certificates are inexpensive, but costs can vary; contact your domain or website hosting service
- Employee training: Many cyber-attacks are due to human error. Regular training on phishing and social engineering threats can help reduce the risk
- Compliance with TPB requirements: Ensuring that all cybersecurity measures meet the standards set by the TPB and other regulatory bodies is essential.
Your Cybersecurity Checklist
In a time where one cybercrime is reported every six minutes, the importance of staying vigilant and adopting robust security measures cannot be overstated.
Here is your checklist:
- Implement MFA across all platforms
- Regularly backup all sensitive data
- Install an SSL certificate for secure communication
- Conduct employee cybersecurity training regularly
- Review your cybersecurity compliance against TPB standards.
Sonya Farrawell, My CPE CEO