Protecting your business from ID thieves
The COVID-19 pandemic has led to many challenges for small business operators, including a significant escalation in cybersecurity threats.
One of the fastest-growing of these threats is identity (ID) crime, with the Australian Competition and Consumer Commission’s (ACCC’s) Scamwatch finding ID theft in Australia increased by 234 per cent in 2021.
The scale of the problem is worrying, with a recent survey by the Australian Institute of Criminology finding that 19 per cent of respondents had experienced misuse of their personal information.
What identity criminals want
The explosion in ID crime is not just a problem for individuals, it’s a growing headache for businesses. This is due to the increasing amount of personal information they now hold, about their employees, clients and customers.
The ATO has been reminding small business owners that ID documents are like gold to tax scammers, who can use information such as a driver’s licence, passport and tax file number to steal tax refunds and super.
Cybercriminals can also commit fraud in your name, take over your business and submit amendments to your Business Activity Statements. This makes it vital to protect key information ID thieves target, such as employees’ personal information, business records containing personal information, BAS documents and myGovIDs.
Check your physical records are protected
Worrying about the physical security of your information may seem old-fashioned, but ensuring your business premises and systems are protected is vital.
ID criminals can obtain invaluable business and client details simply by breaking into your premises and photographing business records or employee details.
To combat this, fit physical barriers such as window and door locks, file copies of documents and ID information in lockable storage units, and ensure you install an appropriate alarm system to protect against intruders.
Securing your business online
Strong online security practices are also essential to protect information about your business, employees and clients from ID thieves.
If you hold financial records, confirm the identity of anyone requesting changes to their information and fully verify new payment details. Ensure your employees are trained to identify suspicious requests for personal information or emails that may link to fake websites built to capture passwords.
It’s also important to secure your email account through multi-factor authentication or a strong, unique passphrase.
Good online security also means changing all the passwords used in the business on a regular basis and ensuring they are not easy for potential thieves to guess. Updated security and anti-virus software needs to be installed on all devices used by the business and by any employees working from home.
When sourcing business software and support (such as payroll services), ask vendors about their system security, including where the data will be stored and their security certification and support services for data breaches.
Reporting cybercrime to the ATO
While your business’s reputation can take a real battering if you don’t have adequate protections for both your own and your clients’ ID information, there are also regulatory requirements when it comes to data breaches.
Businesses have an obligation to report all tax-related security issues to the ATO.
To help you manage your obligations to protect identity information, the ATO has an online security self-assessment questionnaire small businesses can use to check their performance in this area. This can help you identify which online security measures you are getting right as well as potential areas for improvement.
Businesses also have data breach reporting obligations under the Privacy Act. The Office of the Australian Information Commissioner has helpful tips on how to create a solid data breach response plan.
Protect your myGov ID
The government’s push for more online transactions means more and more personal and business information needs to be protected. If you or a key employee accesses the government’s online services on behalf of your business, you will need a myGovID.
This new digital identity key uses encryption technology to protect your identity when interacting with government agencies online. To strengthen the protection of your identity and business information online, you can now set up face verification on myGovID.
If you are aware or suspect your myGovID has been inappropriately accessed, you need to report it immediately.