Secure your business Step one: Introduce passphrases

Why your firm needs to introduce passphrases

The common thinking with passwords has generally been: the more symbols and alphanumerics, the more secure it is. We are now finding that this is irrelevant, as we’re seeing passwords containing a mix of symbols and alphanumerics being breached more and more frequently. The reason is that the characters don’t matter; it’s all about length. The longer your password is, the less likely your firm is to be hacked.

Brute Force Hacking
In recent years there has been a rise in sophisticated bots which can break into accounts without needing to know the password. All these bots need is a username; they then try one password combination after another until they eventually break through. The characters a password contains have little impact on these bots, so the most effective way to counter them is to set a longer password.


The above table shows the length of time it takes for one of these bots to crack a password. Is your firm using something like Admin123? That would take less than a second to hack. If the password is a longer phrase, the time taken to hack it increases dramatically: with a 16 character password you’re safe until the end of the world.

How this happened to an accounting firm
We recently heard about this happening to an accounting firm’s Mailchimp account (this is used by some firms for client email automation). The hacker put the admin email address into Mailchimp, then set the brute force bot to run. The account’s password was just 7 characters, so the hacker was in within a second.

The Mailchimp account contained the contact details of all their clients, which meant that the hacker could send out a mass email instantly. In under 5 minutes the hacker sent an email containing ransomware to all of the firm’s clients, and before anyone at the firm was alerted to the hack, 4 of their clients had been infected.

How to prevent this happening to your business
One step your firm can take today for free is to make your team use unique passphrases for every application. The difference between passwords and passphrases is there in the name: instead of using a single word, you use a phrase. As with any password, it’s best to set this up as something personal or easy to remember, so you could use phrases like these for the following apps:

Xero – Myfavouritecolourisblue
Email – Iliketalkingtomyclients
Facebook – Idontliketalkinginperson

The essential point is that the longer the password is, the more difficult it is to crack. Yes, it may be annoying typing those extra 10 characters, but those 5 seconds could save your firm from being breached.
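To put numbers on the brute force and passphrase points above, here is an added example (written for this page, not code from Practice Protect or the article) that computes the exhaustive-search time for a given password length and character pool, and checks a set of per-app passphrases against the two rules the article gives, minimum length and no reuse. The guess rates, the 16 character threshold and the character-class estimate are assumptions labelled in the code; the article's own table is not reproduced here, so the table the script prints is computed from those assumptions.

```python
"""Estimate brute-force exhaustion time from password length and alphabet,
and check the per-app passphrase rules from the article (minimum length,
no reuse). Rates and thresholds are assumptions, not figures from the page."""
import string

# Assumed guess rates (not from the article). An online login form that
# rate-limits attempts is orders of magnitude slower than an offline attack
# on a stolen password-hash database, which is why both are modelled.
ONLINE_GUESSES_PER_SECOND = 1_000            # assumption: throttled web login
OFFLINE_GUESSES_PER_SECOND = 10_000_000_000  # assumption: 1e10/s against a fast hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_PASSPHRASE_LENGTH = 16                   # the article's "16 characters"


def alphabet_size(secret: str) -> int:
    """Size of the character pool an attacker must enumerate, estimated from
    the character classes actually present in the secret."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    ]
    return sum(size for chars, size in classes if any(c in chars for c in secret))


def keyspace(length: int, alphabet: int) -> int:
    """Number of candidates of exactly this length over this alphabet."""
    return alphabet ** length


def seconds_to_exhaust(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate (the average is half of this)."""
    return keyspace(length, alphabet) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration the way a crack-time table would."""
    if seconds < 1:
        return "under a second"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    return f"{years:,.0f} years"


def crack_time_table(lengths, alphabets, guesses_per_second):
    """Rows are lengths, columns are alphabet sizes; cells are exhaustion times in seconds."""
    return {
        length: {alpha: seconds_to_exhaust(length, alpha, guesses_per_second)
                 for alpha in alphabets}
        for length in lengths
    }


def estimate(secret: str, guesses_per_second: float) -> float:
    """Exhaustion time for one concrete secret at the given guess rate."""
    return seconds_to_exhaust(len(secret), alphabet_size(secret), guesses_per_second)


def check_passphrases(app_to_secret: dict) -> list:
    """Return policy violations: too short, or the same secret used for several apps."""
    problems = []
    for app, secret in app_to_secret.items():
        if len(secret) < MIN_PASSPHRASE_LENGTH:
            problems.append(f"{app}: only {len(secret)} characters (minimum {MIN_PASSPHRASE_LENGTH})")
    seen = {}
    for app, secret in app_to_secret.items():
        seen.setdefault(secret, []).append(app)
    for apps in seen.values():
        if len(apps) > 1:
            problems.append("reused across: " + ", ".join(apps))
    return problems


if __name__ == "__main__":
    alphabets = (26, 62, 94)  # lowercase only / mixed alphanumeric / full printable ASCII
    print(f"{'length':>6} " + " ".join(f"{a:>16}" for a in alphabets))
    for length, row in crack_time_table(range(6, 21, 2), alphabets, OFFLINE_GUESSES_PER_SECOND).items():
        print(f"{length:>6} " + " ".join(f"{human_time(t):>16}" for t in row.values()))
    for s in ("Admin123", "Myfavouritecolourisblue"):
        print(f"{s!r}: offline {human_time(estimate(s, OFFLINE_GUESSES_PER_SECOND))}, "
              f"online {human_time(estimate(s, ONLINE_GUESSES_PER_SECOND))}")
    # Constructed sample policy: the article's three phrases plus a reused one and a short one.
    print(check_passphrases({"Xero": "Myfavouritecolourisblue",
                             "Email": "Iliketalkingtomyclients",
                             "Facebook": "Iliketalkingtomyclients",
                             "Admin": "Admin123"}))
```

The figures are upper bounds for a pure exhaustive search: a string such as Admin123 appears in common wordlists and falls long before its keyspace is exhausted, so the estimator flatters short, guessable passwords. The contrast between the online and offline rates is the other practical point: rate limiting and lockout on the login form slow an online bot by many orders of magnitude, while a leaked hash database exposes the password to the offline rate, which only length defends against.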

If you want to learn more about how you can secure your business, and how Practice Protect can help you manage passwords easily, then you can book a Cyber Security Consultation with one of our experts here.

This article was written by Jon Melloy, Technical Marketing Lead at Practice Protect, whose sole focus is protecting accounting firms’ reputations with tools, policies and education to keep data safe without sacrificing convenience.

Visit Practice Protect here


Too Much Two Factor Yet?

Why are my apps implementing two factor authentication?

The ATO is currently rolling out its ‘operational framework’, which means software that lodges or contains superannuation and/or payroll data must mandate two factor authentication. You may have already seen the tip of the iceberg on this from Xero, who are ahead of the curve, but the rest of the industry is set to follow in 2019, which presents a challenge for software vendors and accounting firms alike.

What is two factor authentication?

The traditional single factor of authentication is the password, but in recent years, because it relies heavily on the memory and personal password management habits of individuals, a password alone is no longer enough. Two factor or two step authentication (“2SA”) means a user is asked for two separate pieces of information to validate their identity and access the respective app. The second is typically a code presented in a mobile phone app or sent by SMS that changes every thirty seconds. The user enters the code after entering their password, making it far more difficult for a hacker to steal both pieces of information and trigger a breach.


You can’t argue with easy!

While in reality it is simple enough and something we’ll all need to get used to, it may add a level of ‘clunky’ in the eyes of the busy user whose primary focus in the moment is their forthcoming deadline. More importantly, the other consideration is from an IT administration and policy perspective. Setup needs to be standardised and can often require a staff member’s personally sensitive information. Not to mention that when a device is lost, damaged, forgotten or otherwise not accessible, a fiddly recovery process can be triggered that may include frustrating phone calls to software vendor help desks.

We’re currently at the tip of the iceberg on this, with apps that lodge the first to implement it; as super and payroll apps are next, there’s sure to be a series of others that follow. The challenge for accountants, bookkeepers and their cyber security partner will be to ensure this remains simple for their users and to avoid a situation where each separate app requires a separate token login, creating frustration for their team.

This article was written by Jamie Beresford, CEO of Practice Protect, whose sole focus is protecting accounting firms’ reputations with tools, policies and education to keep data safe without sacrificing convenience.

Visit Practice Protect here

Downsizing contributions into superannuation

From 1 July 2018, the Australian Government will introduce the Contributing the proceeds of downsizing into superannuation (downsizing) measure. This measure is part of a package of reforms to reduce pressure on housing affordability in Australia.

This measure applies to the sale of your dwelling (your home), which was your main residence, where the exchange of contracts for the sale occurs on or after 1 July 2018.

If you are 65 years old or older and meet the eligibility requirements, you may be able to choose to make a downsizer contribution into your superannuation of up to $300,000 from the proceeds of selling your home.

Your downsizer contribution is not a non-concessional contribution and will not count towards your contributions caps. The downsizer contribution can still be made if an individual has a total super balance greater than $1.6 million.

Your downsizer contribution will not affect your total super balance until your total super balance is re-calculated to include all your contributions, including your downsizer contributions, on 30 June at the end of the financial year.

The downsizer contribution will also count towards your transfer balance cap, currently set at $1.6 million. This cap applies when you move your super savings into retirement phase.

You can only make downsizing contributions for the sale of one home. You can’t access it again for the sale of a second home.

Downsizer contributions are not tax deductible and will be taken into account for determining eligibility for the age pension.

If you sell your home, are eligible and choose to make a downsizer contribution, there is no requirement for you to purchase another home.


Eligibility for the downsizer measure


You will be eligible to make a downsizer contribution to super if you can answer yes to all of the following:

  • you are 65 years old or older at the time you make a downsizer contribution (there is no maximum age limit)
  • the amount you are contributing is from the proceeds of selling your home where the contract of sale was exchanged on or after 1 July 2018
  • your home was owned by you or your spouse for 10 years or more prior to the sale
  • your home is in Australia and is not a caravan, houseboat or other mobile home
  • the proceeds (capital gain or loss) from the sale of the home are either exempt or partially exempt from capital gains tax (CGT) under the main residence exemption, or would be entitled to such an exemption if the home was a CGT rather than a pre-CGT (acquired before 20 September 1985) asset
  • you have provided your super fund with the downsizer contribution form either before or at the time of making your downsizer contribution
  • you make your downsizer contribution within 90 days of receiving the proceeds of sale, which is usually the date of settlement
  • you have not previously made a downsizer contribution to your super from the sale of another home.

More information here

Budget 2018 update – Superannuation insurance opt-in rule for younger and low-balance members

The Government will change the insurance arrangements for certain cohorts of superannuation members from 1 July 2019. Under the proposed changes, insurance within superannuation will move from a default framework to be offered on an opt-in basis for:

  • members with low balances of less than $6,000;
  • members under the age of 25 years; and
  • members with inactive accounts that have not received a contribution in 13 months.

These changes seek to protect the retirement savings of young people and those with low balances by ensuring their superannuation is not unnecessarily eroded by premiums on insurance policies they do not need or are not aware of. The Minister for Revenue and Financial Services, Kelly O’Dwyer, said around 5 million individuals will have the opportunity to save an estimated $3 billion in insurance premiums by choosing to opt-in to this cover, rather than paying for it by default.

The changes also seek to reduce the incidence of duplicated cover so that individuals are not paying for multiple insurance policies, which they may not be able to claim on in any event. Importantly, these changes will not prevent anyone who wants insurance from being able to obtain it. That is, low balance, young, and inactive members will still be able to opt-in to insurance cover within super.

In addition, the Government said it will consult publicly on ways in which the current policy settings could be improved to better balance the priorities of retirement savings and insurance cover within super.

Date of effect

The changes will take effect on 1 July 2019. Affected superannuants will have a period of 14 months to decide whether they will opt-in to their existing cover or allow it to switch off.

Source: Budget Paper No 2 [p 36]; Minister for Revenue and Financial Services, media release, 8 May 2018

Budget 2018 update – Additional funding for Single Touch Payroll to assist small businesses

Single Touch Payroll will commence for employers of over 20 people on 1 July 2018.

The Government will provide an additional $15 million over 3 years from the 2018-19 income year to the ATO to support the modernisation of payroll and superannuation fund reporting.

Single Touch Payroll will commence for all remaining employers on 1 July 2019.

The funding will be used to support small businesses with fewer than 20 employees during the transition to Single Touch Payroll Reporting from 1 July 2019.

Source: Budget Paper No 2 [p 185]

Budget 2018 update – ATO consolidation of small inactive super accounts to get more proactive

The Government will strengthen the ATO-led consolidation regime by requiring the transfer of all inactive superannuation accounts with balances below $6,000 to the ATO to protect them from further erosion.

The ATO will expand its data matching processes to proactively reunite these lost and low balance super accounts with the member’s active account, where possible. This measure will also include the proactive payment of funds already held by the ATO. The majority of accounts transferred to the ATO are expected to be reunited in the year they are received.

The new ATO system is expected to send $6 billion of super back to 3 million members’ active super accounts in 2019-20.

Date of effect

These changes will take effect from 1 July 2019.

Source: Budget Paper No 2 [p 35]; Minister for Revenue and Financial Services, media release, 8 May 2018

Budget 2018 update – Personal superannuation contributions – improving notice of intention to deduct

The Government announced measures aimed at improving the integrity of the notice of intent (NOI) processes for claiming deductions for personal superannuation contributions. An additional $3.1 million of funding will be provided to the ATO to develop a new compliance model for deducting personal super contributions, and to undertake additional compliance and debt collection activities.

The Government said some individuals currently receive deductions on their personal superannuation contributions but do not submit a NOI, despite being required to do so under s 290-170 of the ITAA 1997. This results in their superannuation funds not applying the appropriate 15% tax to their contribution. As the contribution has been deducted from the individual’s income, no tax is paid on it at all, the Government said.

Currently, a notice under s 290-170 of the ITAA 1997 must be given to the super fund by the time the person lodges her or his income tax return for the year in which the contribution is made or, if no return has been lodged by the end of the following income year, by the end of that following year. This requirement is even more important from the 2017-18 income year given that individuals up to age 75 can now deduct personal contributions, regardless of whether they earn 10% or more of their income from employment (provided that the other requirements are satisfied).

The ATO will also modify income tax returns to alert individuals to the NOI requirements with a tick box to confirm they have complied. The ATO is expected to provide guidance to individuals on how to comply if they have not yet done so. This seeks to ensure that any deductible contributions are appropriately taxed by superannuation funds and enable the ATO to deny deductions to individuals who do not comply with the NOI requirements.

This measure is expected to have a gain to revenue of $430 million over the forward estimates through increased compliance and collections from business owners and other non-employees.

Date of effect

1 July 2018.

Source: Budget Paper No 2 [p 39]

Budget 2018 update – SMSF member limit to increase from 4 to 6 – law to be amended

The Budget confirmed that the maximum number of allowable members in new and existing self-managed superannuation funds (SMSFs) and small APRA funds will be expanded from 4 to 6 members from 1 July 2019. This measure was originally flagged on 27 April 2018 by the Minister for Revenue and Financial Services, Kelly O’Dwyer.

The proposed increase to the maximum number of SMSF members seeks to provide greater flexibility for large families to jointly manage retirement savings.

Given the growth in the sector to date, Ms O’Dwyer said the measure will ensure SMSFs remain a compelling retirement savings vehicle.

The Government is expected to ask the Tax Office to work with industry on the design and implementation of this measure. It is not expected to have a revenue impact.

Date of effect

1 July 2019.

Source: Budget Paper No 2 [p 40]

Budget 2018 update – Reportable payments system extended: security providers, road freight transport and computer design

The Government will extend the taxable payments reporting system (TPRS) to the following industries:

  • security providers and investigation services;
  • road freight transport; and
  • computer system design and related services.

This will extend the TPRS requirements already applying to the building and construction industry.

The TPRS requirements will also be extended, from 1 July 2018, to the cleaning and courier industries under measures contained in the Treasury Laws Amendment (Black Economy Taskforce Measures No 1) Bill 2018 (see 2018 WTB 6 [148]).

Date of effect

The reporting requirements will apply from 1 July 2019 (ie next year), with the first annual report required in August 2020.

Source: Budget Paper No 2 [p 22]

Budget 2018 update – Black Economy – increase in ATO funding

The Government will provide $318.5 million over 4 years to implement additional strategies to combat the black economy.

As part of this, the Tax Office will:

  • implement new “mobile strike teams”;
  • increase its audit presence;
  • start a Black Economy Hotline (that will allow for the community to report black economy and phoenix activities);
  • improve government data analytics and data matching;
  • increase information sharing between government enforcement agencies; and
  • enhance educational activities.

By way of background, the Tax Office currently receives funding through a terminating program called the “Black Economy Taskforce: one year extension of funding for ATO audit and compliance activities” – which ceases on 30 June 2018.

The Budget papers state that feedback from industry, business and community stakeholders “supported additional resourcing to the ATO in recognition of the enforcement challenges due to the size and clandestine nature of the black economy”.

There are no details in the Budget papers and media release as to the increased audit presence. The media release does indicate, however, a desire for more visible and targeted enforcement.

The revenue expectations linked with this expenditure are certainly impressive, namely $3 billion over the forward estimates period (ie the next 4 years).

Date of effect

The funding will commence on 1 July 2018.