Can you prevent a hack?

Clarke McEwan Accountants



In the wake of the Optus data leak, legislation before Parliament will lift the maximum fine for serious or repeated breaches of the Privacy Act from $2.2m to up to $50m. But there are no guarantees that even the strongest safety measures will prevent an attack. So, what does that mean for businesses and their customers?


Legislation before Parliament will lift penalties for serious or repeated privacy breaches, provide new powers to the Australian Information Commissioner, require entities to provide detailed data to the Information Commissioner to assess public risk, and give the regulator greater information sharing powers. In a statement, Attorney General Mark Dreyfus said, “When Australians are asked to hand over their personal data they have a right to expect it will be protected.” But the question is, can any business claim that customer data will be protected from hackers?


If a customer must disclose personal information to your business in order to work with you, your business becomes the custodian of that data at the point it is collected. A duty of care exists from the moment the data is collected until the information is no longer required and has been destroyed.


The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps “requires the existence of facts which are sufficient to [persuade] a reasonable person.” That is, in the event of a data breach, the business will need to prove the steps they have taken to protect client data.


Lessons from RI Advice


Australian Competition and Consumer Commission v RI Advice Group Pty Ltd was a landmark case. While specific to the obligations of an Australian Financial Services Licence (AFSL), it demonstrates that ASIC is willing to pursue not just companies that breach their duty of care but the directors and officers involved.


RI Advice is a financial services company that, through its AFSL, authorised representatives to provide financial services. As you would expect, in the course of providing those services the authorised representatives received, stored and accessed confidential and sensitive personal information. Between June 2014 and May 2020, nine cybersecurity incidents occurred at practices of RI Advice’s Authorised Representatives. Enquiries following the incidents revealed:


  • Computer systems which did not have up-to-date antivirus software installed and operating;
  • No filtering or quarantining of emails;
  • No backup systems, or no back-ups being performed; and
  • Poor password practices, including sharing of passwords between employees, use of default passwords, and passwords and other security details being held in easily accessible places or being known by third parties.


RI Advice took steps to manage its cybersecurity, introducing a cyber resilience program, controls and risk management measures for its representatives (including training, incident reporting and contractual professional standard terms), but by its own admission it took too long to implement them.


RI Advice was ordered to pay $750,000 towards ASIC's costs. Handing down the decision Justice Rofe said, “It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”


Scams and how to avoid them


I got a text the other day “Hi Mum, I have broken my phone and I am using this number.” The “Hi Mum” scam has exploded, with more than 1,150 Australians falling victim to the ploy in the first seven months of 2022 and total reported losses of $2.6 million. Once the scammer establishes contact, they start requesting money for an urgent bill, a replacement phone and so on. For those with children or dependent family members, it is not that hard to believe. According to the Australian Competition and Consumer Commission (ACCC), two-thirds of family impersonation scams were reported by women over 55 years of age.


Another common scam is the “lost” or “unable to deliver” package text and voicemail. With Christmas just around the corner, we can expect to see another escalation of this scam, where tracking links purportedly from Australia Post, Toll, Amazon and the like are used to install malware. Once installed, the malware can harvest your contacts to spread itself further and potentially access your personal information and bank details.


In July, the Australian Taxation Office (ATO) reported a new wave of ‘Tax refund SMSF scams’. The texts purported to be from the ATO, stating that the individual had a tax refund and should click on the link and complete the form. Another scam purporting to be from the ATO advised that the recipient was suspected of being involved in cryptocurrency tax evasion and requested that they connect their wallet, at which point the wallet was accessed and any assets stolen.


The ACCC’s Targeting Scams report states that in 2021, nearly $1.8bn in losses were reported, but the real figure is likely to be well over $2bn.


The largest combined losses in 2021 were:


  • $701 million lost to investment scams, with 2021 figures significantly increased by cryptocurrency scams: more scammers are seeking payment in cryptocurrency, and losses to this payment method increased 216% to $84 million.
  • $227 million lost to payment redirection scams.
  • $142 million lost to romance scams.


Protecting yourself from scams


Help educate older relatives. The over 55s are the most likely to fall victim to a scam.

  • Always use the primary website or app of your suppliers, not a link from a text or email.
  • Don’t click on links from emails or text messages unless you are (absolutely) certain of the source. For email, if the sending email domain is not clear or is hidden, hover over the name of the sending account to check whether the email really comes from the company’s domain.
  • For Government services, use your MyGov account. Any messages to you from the ATO or other Government services will be published to your MyGov account. Never click on links purporting to be from a bank, the ATO or a Government department.


Protecting your business from scams


Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million.

Payment redirection scams involve scammers impersonating a business or its employees via email and requesting that an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing the emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.


  • Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
  • Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed: email is not secure, and it is too easy for staff to inadvertently send data to the wrong person.
  • No shared login details or passwords.
  • Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
  • Develop and implement cybersecurity policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT, where employees download unauthorised software.
  • Understand your organisation’s legal obligations. For example, beyond the Privacy Act, some businesses considered critical infrastructure, such as some freight and food supply operations, are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
  • Use multifactor authentication on your systems and third-party systems.
  • Update software and devices regularly to apply security patches.
  • Back up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
  • If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled and that your business has taken all reasonable steps to enforce the Australian Privacy Principles. Your business is responsible for how the overseas recipient uses your customer’s data.
  • Only collect the customer data you need to provide the goods and services you offer.
  • Ensure protocols are in place for accounts payable.
  • Don’t forget the hardware – laptops, computers, phones.
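The two payment redirection patterns described above (a lookalike sender address, and a genuinely compromised mailbox sending amended bank details) and the accounts payable protocol in the list both come down to the same screening step before an invoice is paid. The following is an added example written for this article, not code from Clarke McEwan or any product: it applies the “check the sending domain” advice automatically, folding common lookalike tricks (digit-for-letter swaps, Cyrillic letters, `rn` for `m`, the real domain used as a leading label) into a comparison, and separately compares the invoice’s bank details with the supplier record on file. The `SUPPLIER_MASTER` record, the sample invoices, the BSB/account numbers and the phone number are all constructed for the example.

```python
import unicodedata

# Constructed supplier master: the reference record accounts payable already holds.
# Bank details and the phone number come from onboarding, never from an incoming email.
SUPPLIER_MASTER = {
    "Acme Supplies": {
        "domain": "acme-supplies.com.au",
        "bsb": "062-000",
        "account": "12345678",
        "phone_on_file": "02 5550 0100",
    },
}

# Characters often substituted in lookalike domains, mapped to the letter they imitate.
# The Cyrillic a, e, o and c are visually identical to their Latin counterparts.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c",
})


def canonical(domain: str) -> str:
    """Fold a domain into a comparison form so a lookalike collides with the real name."""
    folded = unicodedata.normalize("NFKC", domain.strip().lower())
    return folded.translate(HOMOGLYPHS).replace("rn", "m")  # 'rn' reads as 'm' in many fonts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means a single dropped, added or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address: what the 'hover over the sender' check reveals."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, expected_domain: str) -> str:
    """'trusted' if the mail comes from the supplier's own domain or a subdomain of it,
    'lookalike' if the domain merely resembles it, otherwise 'unrelated'."""
    domain = sender_domain(address)
    if domain == expected_domain or domain.endswith("." + expected_domain):
        return "trusted"
    seen, real = canonical(domain), canonical(expected_domain)
    # Equal after folding, within two edits, or the real domain used as a leading label
    # (acme-supplies.com.au.some-relay.net) all count as impersonation attempts.
    if seen == real or edit_distance(seen, real) <= 2 or seen.startswith(real + "."):
        return "lookalike"
    return "unrelated"


def screen_invoice(invoice: dict, master: dict = SUPPLIER_MASTER) -> list:
    """Return the reasons an invoice must be held before payment; an empty list means it passed."""
    record = master.get(invoice["supplier"])
    if record is None:
        return ["supplier is not on file; onboard it through the normal process before paying"]
    findings = []
    verdict = classify_sender(invoice["from_address"], record["domain"])
    if verdict == "lookalike":
        findings.append(f"sender domain imitates {record['domain']}")
    elif verdict == "unrelated":
        findings.append(f"sender domain is not {record['domain']}")
    # Checked independently of the sender: a genuine but compromised mailbox passes the
    # domain test, so a change of bank details is always confirmed out of band.
    if (invoice["bsb"], invoice["account"]) != (record["bsb"], record["account"]):
        findings.append(
            f"bank details differ from supplier master; confirm by phoning "
            f"{record['phone_on_file']} (the number on file, not one taken from the email)"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample invoices: one genuine, one from a lookalike domain with new
    # bank details, one from the real domain (compromised mailbox) with new bank details.
    samples = [
        {"supplier": "Acme Supplies", "from_address": "accounts@acme-supplies.com.au",
         "bsb": "062-000", "account": "12345678"},
        {"supplier": "Acme Supplies", "from_address": "accounts@acrne-supplies.com.au",
         "bsb": "062-999", "account": "87654321"},
        {"supplier": "Acme Supplies", "from_address": "accounts@acme-supplies.com.au",
         "bsb": "062-999", "account": "87654321"},
    ]
    for inv in samples:
        problems = screen_invoice(inv)
        print(inv["from_address"], "->", "HOLD: " + "; ".join(problems) if problems else "ok to pay")
```

The third sample is the one the domain check alone cannot catch: the address is genuine because the supplier’s mailbox has been taken over, so the only signal is that the bank details no longer match the record on file. That is why the bank-detail comparison runs regardless of the sender verdict, and why the confirmation call goes to the number held from onboarding rather than any number printed in the email or invoice.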