You’ve heard it all before: change your passwords, make them difficult to guess … blah, blah, blah.
But it’s time for us all to take data security seriously. Cyber criminals are targeting Tasmanians and their businesses of all types and sizes. If you’re not looking after your – and your customers’ – data, you could well be the next victim.
Multi-factor authentication: deadlock security
The most common ways people and businesses are hacked are related to poor password security: for example, using easy-to-guess or common passwords, or sharing passwords.
Multi-factor authentication (also known as two-step authentication, MFA or 2SA) requires multiple pieces of information to be supplied at login. For example, a username and password plus a uniquely generated code, which is usually sent to a different device (e.g. your smartphone), or security questions.
This makes it much harder for a hacker to gain access, because even if they get your password they don’t have the second factor. It’s like putting a deadlock on your front door.
Xero users need two-step authentication
Xero has been offering two-step authentication for several years. The ATO and Xero see this measure as so critical that, from 1 March 2018, it will be mandatory for accountants to use 2SA to access Xero. (Don’t stress, we’re already using it!)
Xero’s 2SA is also available for businesses and we urge you to start using it.
While no security measure is guaranteed, Xero has never had a data breach reported from a user with 2SA enabled. The ATO’s backing of this security measure also gives us confidence that it is a worthwhile – no, necessary – security measure for all businesses to implement.
Learn more about Xero’s two-step authentication here: Why two-step authentication is essential for your business
Beyond the log in: what else can you do?
We’re going to assume you already use strong, unique passwords and you don’t share them with anyone … right?
So what else can you do?
The following are a few relatively easy measures that we have put in place at Synectic, and which we urge you to implement yourself. If you own or run a business, training your staff on these data security measures is also critical.
1. Set up multi-factor authentication wherever it is available
- Find out which programs and apps offer MFA/2SA and use it wherever possible. We can’t stress this enough.
- Apply MFA/2SA to your email account today. The humble inbox is a very common way for hackers to get to sensitive data.
- Apply 2SA to your Xero login today. This is an easy measure and is super important for the security of your data and that of your customers and suppliers.
2. Learn to spot a phishing or scam email
- Fake emails aim to get sensitive information from you. Educate yourself and your team about spotting these dodgy emails.
- Be on the lookout for clues such as incorrect spelling or grammar, calls for urgent action, or an unusual sender email address.
- Learn more about what to look for here: Email fraud – how to protect yourself and your business
- Keep an eye on known issues from your software suppliers, including Xero’s security noticeboard.
3. Confirm any unexpected requests
- Don’t respond to or action email requests (even if you believe the sender is someone you know well) or phone calls from a third party (e.g. claiming to be a bank or the ATO) for a payment, authorisation or personal information.
- Confirm the request by phone or in person directly with the correct person (for example your supplier, customer, bank or accountant).
- We have witnessed a close call where cyber criminals gathered enough information from an inbox to mask themselves as a well-known associate and put together a convincing request for a transfer of funds to be authorised. Were it not for the staff member’s vigilance, the funds would have gone to a fraudulent account.
4. Do not open unknown attachments or hyperlinks
- You know this in theory, but make it a habit to check all hyperlinks before opening them. Simply hover over the link (without clicking) to see the address it will direct you to.
- If a hyperlink address looks unusual and/or you were not expecting it, don’t click it.
- If you are not expecting and/or do not recognise an attachment, don’t open it.
- Confirm the attachment or hyperlink with the sender, in person or by phone.
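The “hover before you click” habit above boils down to one comparison: does the address a link shows you match where it really goes? The following is an added example, not code from the original post or from Synectic, that applies that check to a constructed set of email links; the sample link texts, destinations and the “suspicious” heuristics are assumptions for illustration only.

```javascript
// Added example (not from the original post): flag hyperlinks whose visible
// text advertises one web address but whose real destination is another,
// which is the mismatch that hovering over a link is meant to reveal.

// Constructed sample links, as an email client exposes them: the text you
// see, and the real href behind it. Hosts here are illustrative only.
const sampleLinks = [
  { text: "https://go.xero.com/Invoices", href: "https://go.xero.com/Invoices" },
  { text: "www.xero.com/login", href: "http://xero-login.example-suspicious.net/x" },
  { text: "View invoice", href: "https://www.ato.gov.au/" },
  { text: "Reset your password now", href: "http://203.0.113.5/reset" },
];

// Return the lowercase hostname of a URL-like string, or null if unparseable.
// Bare "www.host/path" display text is accepted by prepending a scheme.
function hostOf(urlText) {
  const withScheme = /^[a-z]+:\/\//i.test(urlText) ? urlText : "https://" + urlText;
  try { return new URL(withScheme).hostname.toLowerCase(); } catch { return null; }
}

// Assess one link and list the reasons (if any) it deserves a second look.
function assessLink(link) {
  const reasons = [];
  const target = hostOf(link.href);
  if (!target) {
    reasons.push("unparseable destination");
  } else {
    if (/^\d{1,3}(\.\d{1,3}){3}$/.test(target)) reasons.push("destination is a raw IP address");
    if (!/^https:/i.test(link.href)) reasons.push("destination is not HTTPS");
    // If the visible text itself looks like a web address, its host must match
    // the host the link really points at.
    const shown = /[a-z0-9-]+\.[a-z]{2,}/i.test(link.text) ? hostOf(link.text) : null;
    if (shown && shown !== target) reasons.push(`text shows ${shown} but link goes to ${target}`);
  }
  return { text: link.text, href: link.href, suspicious: reasons.length > 0, reasons };
}

function assessAll(links) { return links.map(assessLink); }

for (const r of assessAll(sampleLinks)) {
  console.log(r.suspicious ? "SUSPICIOUS" : "ok        ", r.text, "->", r.href, r.reasons.join("; "));
}
```

A link that passes these checks is not proven safe; the rule in the list above still applies, so confirm anything unexpected with the sender by phone or in person.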
5. Check any payment bank account changes
- Even if an invoice is familiar, confirm any payment bank account changes by phone or in person to make sure the change is genuine.
- Scammers have been known to obtain copies of invoices from inboxes, change the payment bank account numbers to a fraudulent account, then send the invoice (which still looks legitimate in every other way) with a false explanation as to why the amount needs to be paid to the new bank account.
Read more about protecting your information with these tips from the ATO: Top cyber security tips for business.
And please, never hesitate to phone or drop in to a Synectic office in Devonport, Launceston or Hobart to confirm the legitimacy and security of anything you receive from us.