It’s never been more important for your practice to be aware of prioritising online security and safety, and ensuring everyone in the organisation is adhering to best practice guidelines. This is no longer a ‘nice to have’, it’s a basic necessity of running a business.
If we can take anything from the recent news of high profile cases of data theft from the likes of Sony, Microsoft and Yahoo, and the multiple phishing and invoice scams, and account compromises, it is that when it comes to cyber security, businesses need to take practical steps to minimise the risks of being hacked. Typically the reasons businesses have been hacked are directly related to poor security, such as sharing logins or common passwords.
Statistics from online security software vendor Norton show that cybercrime costs Australians more than $1.2 billion a year. More than 3.7 million people in Australia have been victims of online crime, and Norton says that the country ranks as the eighth most impacted in the world by ransomware. Australia’s national CERT has also reported that 7,283 cyber-security incidents affected major Australian businesses in the 2016-2017 financial year, with 284 of these incidents involving systems of national interest and critical infrastructure.
Adding an extra lock on the door
Keeping your clients and your own sensitive data secure is critical. However, it is difficult to ensure that every single member of your team is using appropriate security procedures (such as not sharing logins or common passwords). To help your practice maintain these secure practices Xero is extending the use of Xero login to Xero Practice Manager and Xero Tax.
Additionally, we’ll soon make two-step authentication (2SA) mandatory across our partner products (including Xero HQ) for all Australian practices to comply with an Australian Tax Office mandate.
Two-step authentication adds another layer of security for practices and we encourage our accounting and bookkeeping and small business customers to use two-step or multi-factor authentication (2SA/MFA) wherever it is available. This is particularly important for your email account, which is usually the means to hackers being able to reset your passwords for other sites. Two-step authentication is an extra layer of security that requires a password and username and a second unique code to be generated on a second device, making it more difficult for unauthorised people to access your data. While there are no guarantees in security, Xero has never had an account compromise reported for a user with 2SA enabled.
The Australian Tax Office (ATO) is introducing a new operational framework for software developers and for accountants and bookkeepers who use software to interact with the ATO. This new framework requires accountants and bookkeepers to use multifactor authentication when they login. This means any staff member of an Australian practice needs to have 2SA implemented in Xero by March 2018 to comply with the ATO Operational Framework. From March, if you don’t have 2SA, you won’t be able to access Xero Practice Manager, Xero Tax or Xero HQ.
To get your practice ready for this requirement, Xero will have optional 2SA in Xero for accountants and bookkeepers from late January. You can start to get your practice ready for 2SA now by ensuring everyone in your practice is using a unique login and not sharing passwords.
We know there are some practices that use shared logins which will not be supported by the required implementation of 2SA. We understand that this will require these practices to amend their subscriptions. If you need assistance to amend your subscription, please contact: email@example.com.
Xero takes security seriously and it is important that we are continuously implementing world class security standards and monitoring and detection services. Our customers hold sensitive and personal data on behalf of their clients and keeping everyone’s data secure is a top priority. Therefore we fully support the ATO’s requirement for 2SA on software that interacts with their tax system. It is the right thing to do to help protect client data.