I did a podcast with Jamie Beresford from Practice Protect for SMSF Adviser yesterday. And it reminded me of a number of things I think our clients should be aware of.
1. Reported data breaches since the commencement of the new data privacy and security laws (the Notifiable Data Breaches scheme) 12 months ago have increased by 35%.
2. The ATO has introduced its “Operational Framework”, which affects all software suppliers (Digital Service Providers) that lodge electronically with the ATO.
3. And the big one: the world has changed – the security of your client data has become a HUGE risk for your business.
The first part of the Operational Framework you will notice is Multi Factor Authentication (MFA). Over the past few months you will have seen all the major cloud software providers whose software lodges electronically with the ATO introduce MFA. MFA is compulsory for all these businesses (including BGL) from 1 April 2019. BGL released MFA for CAS 360 and Simple Fund 360 in December 2018; it is optional up to 31 March 2019 and mandatory from 1 April 2019. Once each month you will need to confirm your identity with either a code sent by SMS to your phone or a code from the Google Authenticator app. If you have the choice, use the authenticator app: an SMS code can be read by anyone who manages to have your phone number ported or your SIM swapped. Either way, MFA means a stolen or guessed password on its own is no longer enough to get into your BGL applications.
The second part of the ATO’s Operational Framework requires software suppliers to be ISO 27001 compliant. BGL, like other software suppliers, is going through the process to gain ISO 27001 Certification. While I am personally not a fan of ISO, in today’s online world I think it is important organisations institute best practice around their own data and client data. ISO Certification goes some of the way to achieving this.
One of the other things Jamie and I discussed yesterday was security around your internal systems. While it is great to have MFA for your BGL and other accounting applications, you really should have MFA for ALL of your applications. And I know this is a pain.
BGL introduced MFA for our Gmail many years ago. This helps to secure our email and hopefully ensures we do not have email data breaches. I would be really concerned with the security of my data if one of my software suppliers had an email data breach. What does this say about their systems? But having MFA on ALL your applications is becoming more and more important every day. The practical way to do this is with Security Assertion Markup Language (SAML). SAML is a standard protocol for web browser Single Sign-On (SSO): your staff log in once to a central identity provider, which is the one place you enforce MFA and your password policy, and the identity provider then hands each SaaS application a digitally signed statement (an assertion) of who the user is. The application verifies the signature with the identity provider's public key and never receives or stores a password for that user, so there is no per-application password to phish, reuse or leak, and removing a staff member from the identity provider removes their access everywhere at once. If you would like to know more about SAML and how to introduce this technology in your business, speak to Practice Protect.
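To make the SAML flow concrete, here is an added example written for this post (it is not BGL's or Practice Protect's code, and not a real SAML library). It models the exchange in Go with a simplified JSON assertion standing in for SAML's signed XML: the identity provider signs an assertion with its private key, and the application verifies the signature with the public key, then checks the audience, the validity window, replay, and whether the identity provider confirmed MFA. The names ledger.example-app.com and ron@example-firm.com.au are constructed for the illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is a simplified stand-in for a SAML assertion: who was authenticated,
// for which application, for how long, whether MFA was used, and a one-time ID so the
// application can refuse replays. Real SAML signs the same fields as XML (XML-DSig).
type Assertion struct {
	ID       string    `json:"id"`
	Subject  string    `json:"subject"`
	Audience string    `json:"audience"`
	IssuedAt time.Time `json:"issued_at"`
	NotAfter time.Time `json:"not_after"`
	MFA      bool      `json:"mfa"` // the IdP attests that a second factor was used
}

// SignedAssertion is what the browser carries from the identity provider (IdP) to
// the application: the JSON-encoded Assertion and an RSA signature over its SHA-256.
type SignedAssertion struct{ Payload, Signature []byte }
// IdP holds the private key; only it can produce a valid signature.
type IdP struct{ key *rsa.PrivateKey }

func NewIdP() (*IdP, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IdP{key: key}, nil
}

// Issue signs an assertion letting subject into audience for the next five minutes.
func (i *IdP) Issue(subject, audience, id string, now time.Time, mfa bool) (SignedAssertion, error) {
	payload, err := json.Marshal(Assertion{ID: id, Subject: subject, Audience: audience,
		IssuedAt: now, NotAfter: now.Add(5 * time.Minute), MFA: mfa})
	if err != nil {
		return SignedAssertion{}, err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.key, crypto.SHA256, digest[:])
	return SignedAssertion{Payload: payload, Signature: sig}, err
}

// SP (service provider) is a SaaS application. It stores no passwords at all: only
// the IdP's public key, its own name, and the IDs of assertions already consumed.
type SP struct {
	Name       string
	IdPKey     *rsa.PublicKey
	RequireMFA bool
	seen       map[string]bool
}

func NewSP(name string, idp *IdP, requireMFA bool) *SP {
	return &SP{Name: name, IdPKey: &idp.key.PublicKey, RequireMFA: requireMFA, seen: map[string]bool{}}
}

// Login returns the authenticated user, or an error saying why the assertion was
// rejected. The signature is verified before any field is trusted.
func (s *SP) Login(sa SignedAssertion, now time.Time) (string, error) {
	digest := sha256.Sum256(sa.Payload)
	if err := rsa.VerifyPKCS1v15(s.IdPKey, crypto.SHA256, digest[:], sa.Signature); err != nil {
		return "", errors.New("signature invalid: assertion forged or tampered with")
	}
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return "", err
	}
	switch {
	case a.Audience != s.Name:
		return "", errors.New("issued for a different application")
	case now.Before(a.IssuedAt) || now.After(a.NotAfter):
		return "", errors.New("expired or not yet valid")
	case s.seen[a.ID]:
		return "", errors.New("replayed: this assertion has already been used")
	case s.RequireMFA && !a.MFA:
		return "", errors.New("the IdP did not confirm MFA for this login")
	}
	s.seen[a.ID] = true
	return a.Subject, nil
}

func main() {
	idp, err := NewIdP()
	if err != nil {
		panic(err)
	}
	app := NewSP("ledger.example-app.com", idp, true) // constructed name, not a real service
	now := time.Now()
	good, _ := idp.Issue("ron@example-firm.com.au", app.Name, "assert-001", now, true)
	fmt.Println(app.Login(good, now)) // accepted
	fmt.Println(app.Login(good, now)) // rejected: replay
	forged := good
	forged.Payload = []byte(`{"subject":"admin@example-firm.com.au","audience":"ledger.example-app.com"}`)
	fmt.Println(app.Login(forged, now)) // rejected: signature invalid
}
```

The point to take from it is the list of checks in Login: a signature alone is not enough. An assertion issued for another application, one that has expired, one presented twice, or one where the identity provider did not confirm MFA must all be refused, and a real SAML service provider does exactly these checks on the XML.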
Another area of concern is remote logins. Older versions of remote access products do not support MFA and have publicly known security flaws that attackers scan the internet for. If you are not using the latest, patched versions of Citrix or Remote Desktop, upgrade ASAP, and never leave Remote Desktop open directly to the internet: put it behind a gateway or VPN that requires MFA.
And my last comment is on passwords. If I used ron1234 (I don’t by the way) as a password, it would be pretty weak. Changing it to R0n1234= (replacing the “o” with a zero and adding a symbol) makes it only marginally harder to crack: letter-for-digit swaps, capital first letters and trailing symbols are the first rules a password-cracking tool applies to every word in its list, so that change costs an attacker seconds, not years. What makes a password strong is length and unpredictability, so use a long passphrase or a password manager’s randomly generated passwords, and use a different one EVERYWHERE. Many people have a strong password for their internet banking and what they think are “important” sites but a weak, reused password for “unimportant” sites. Don’t fall into this trap! When an “unimportant” site is breached, your email address and password are sold on, and the attacker simply tries the same pair on your “important” sites.
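To show why the zero trick buys so little, here is an added example (not from the original post) in Go: a toy version of the rule engine that password-cracking tools run over a wordlist. The base words and the rule set are constructed for the illustration; real tools ship thousands of rules and far larger wordlists.

```go
package main

import (
	"fmt"
	"unicode"
)

// rule turns one candidate password into zero or more new candidates. The three
// below mirror the cheapest transforms a cracking tool's rule engine applies to
// every word in its list: capitalise, swap a letter for a look-alike, add a suffix.
type rule func(string) []string

var lookalikes = map[rune][]rune{
	'a': {'@', '4'}, 'e': {'3'}, 'i': {'1', '!'}, 'o': {'0'}, 's': {'$', '5'},
}

func capitalise(w string) []string {
	r := []rune(w)
	if len(r) == 0 || !unicode.IsLower(r[0]) {
		return nil
	}
	r[0] = unicode.ToUpper(r[0])
	return []string{string(r)}
}

// substitute swaps one letter at a time for a look-alike, so "ron" yields "r0n".
func substitute(w string) []string {
	var out []string
	r := []rune(w)
	for i, c := range r {
		for _, alt := range lookalikes[unicode.ToLower(c)] {
			n := append([]rune(nil), r...)
			n[i] = alt
			out = append(out, string(n))
		}
	}
	return out
}

var suffixes = []string{"1", "12", "123", "1234", "!", "=", "#", "2019"}

func appendSuffix(w string) []string {
	out := make([]string, 0, len(suffixes))
	for _, s := range suffixes {
		out = append(out, w+s)
	}
	return out
}

var rules = []rule{capitalise, substitute, appendSuffix}

// Candidates applies the rules to the base words for the given number of rounds
// and returns every distinct guess, in the order a cracker would try them.
func Candidates(base []string, rounds int) []string {
	seen := map[string]bool{}
	var out, frontier []string
	for _, b := range base {
		if !seen[b] {
			seen[b] = true
			out = append(out, b)
			frontier = append(frontier, b)
		}
	}
	for ; rounds > 0; rounds-- {
		var next []string
		for _, w := range frontier {
			for _, r := range rules {
				for _, c := range r(w) {
					if !seen[c] {
						seen[c] = true
						out = append(out, c)
						next = append(next, c)
					}
				}
			}
		}
		frontier = next
	}
	return out
}

// GuessNumber reports how many guesses it takes to reach target, or -1 if the
// rules never produce it.
func GuessNumber(target string, base []string, rounds int) int {
	for i, c := range Candidates(base, rounds) {
		if c == target {
			return i + 1
		}
	}
	return -1
}

func main() {
	// Constructed wordlist: the kind of words an attacker seeds from a firm's website.
	base := []string{"ron", "bgl", "smsf"}
	for _, p := range []string{"ron1234", "R0n1234=", "three fund ledgers humming"} {
		fmt.Printf("%-28s guess #%d\n", p, GuessNumber(p, base, 4))
	}
}
```

Running it shows ron1234 is the ninth guess and R0n1234= falls within four rounds of the same three rules. The passphrase is never produced by this generator because it is not a guessable word plus a cheap transform; that, and not sprinkling digits into a short word, is what keeps a password out of reach.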
So that’s my rant for this week. I hope you find it useful.
Simple Fund 360
- Password Policy for Simple Fund 360
- Multi-Factor Authentication (MFA) for Simple Fund 360
- Overview of Simple Fund 360 Infrastructure and Controls (Security, Hosting and Backups)