By My CPE Pty Ltd | October 2025
October is Cyber Security Awareness Month – a time to pause, reflect, and strengthen your digital defences. It serves as a timely reminder for BAS agents and all professionals to review how information is protected, ensure systems are up-to-date, and reinforce good cyber hygiene across their practices.
Whether it is embedding Cyber policies and procedures in your QMS, updating passwords, enabling multi-factor authentication, training staff to spot phishing attempts, or simply backing up critical data, small proactive steps can make a significant difference.
Cyber threats evolve rapidly, but so too can your awareness and resilience. Use this month to commit to a culture of security, safeguarding not only your business, but also the trust your clients place in you.
As a BAS (Business Activity Statement) agent in Australia, you hold privileged access to clients’ financial, taxation and business data. This makes your practice a high-value target for cyber criminals. A breach can damage your reputation, cost real dollars, and even put your registration at risk.
In this blog, we explore the current threat landscape in Australia, relevant statistics, recent incidents, and then share clever yet practical tactics (hacks) that BAS agents can adopt to strengthen their defences.
The Current Cyber Threat Landscape in Australia
Key Trends and Threats
- Rising volume and sophistication of attacks: Australia’s Annual Cyber Threat Report 2023–24 (by ASD / ACSC) describes a deteriorating strategic environment, with cyber adversaries becoming more persistent and technically advanced.
- State-sponsored and espionage threats: Foreign cyber actors are actively targeting Australia’s critical infrastructure, government, and private sectors.
- Information stealer malware: Criminals are deploying malware designed to quietly harvest credentials, tokens, and system data to gain deeper access.
- Business Email Compromise (BEC) and phishing: Impersonation of clients or senior staff, or tricking agents to approve fraudulent payments, remain favourite tactics.
- Credential compromise: Many attacks leverage weak, reused or leaked credentials.
- Regulatory and legal exposure: Laws and expectations around data protection, reporting obligations, and “due diligence” are tightening.
Striking Incidents in Australia
- Qantas breach (2025): Up to 6 million customer records were exposed via a third-party contact centre.
- Unnamed (2025): A contractor working for the NSW Reconstruction Authority uploaded personal and health data of approximately 3,000 flood victims into ChatGPT without authorisation. This demonstrates risk in third-party contractor work and the use of AI tools without strong data handling governance.
- Optus data breach (2022): The personal details of millions of Australians were stolen, including names, dates of birth, addresses, and more.
Hard Numbers/Statistics
- The ACSC reported that over 1,100 cybersecurity incidents were handled in 2023–24.
- The Australian Cyber Security Hotline (run by ACSC) received more than 36,700 calls in that year, a 12% increase from the prior period.
- From January to June 2024, 527 data breach notifications were lodged — up 9% from the second half of 2023.
- The average cost per cybercrime incident for small businesses runs to tens of thousands of dollars, and the TPB notes that average costs increase significantly with business size.
- These numbers underscore the real and growing risk for small professional firms, including BAS practices.
Why BAS Agents Are Attractive Targets
- Access to sensitive data
You handle clients’ TFNs, bank account details, payroll, business financials, client identities. A breach can lead to identity theft, fraud or extortion.
- Trust and liability
Clients expect confidentiality. A breach undermines trust and may lead to legal claims or regulatory scrutiny.
- Often lean IT/security
Many small professional practices underinvest in cybersecurity compared to larger firms. This makes them “soft targets.”
- Chain of compromise
Even if your systems are secure, if a client or connected system is compromised, attackers may pivot through you.
- Regulatory expectations
The TPB expects agents to undertake cybersecurity awareness training and to protect client data.
Given these factors, deliberately strengthening your security posture is no longer optional.
Clever Hacks: Practical Smart Defences for BAS Practices
Below are actionable tactics you can adopt — the “clever hacks” — to raise your security without excessive complexity or cost.
Hack / Tactic | Description | Why It Helps |
--- | --- | --- |
Use a password manager + unique, strong passwords | Use a reputable password manager (e.g. Bitwarden, 1Password) and ensure no password is reused. | Prevents lateral credential attacks in case one login is compromised. |
Enable multi-factor authentication (MFA / 2FA) | Wherever possible (email, cloud software, ATO or Xero), require a second factor (SMS, authenticator app, hardware token). | Even if credentials leak, the second factor blocks the login and removes much of the risk. |
Device hardening and patching | Keep OS, software, browser, antivirus, and plugins up to date automatically. Disable unnecessary services or features. | Many attacks succeed via known vulnerabilities with available patches. |
Network segmentation / isolated admin workstations | Use separate machines or virtualisation for “sensitive tasks” (e.g. connecting to ATO) vs general web use. | If one device is compromised from web browsing, the critical one remains safer. |
Use a secure VPN / limit remote access | If you or staff access systems remotely, do so only via a trusted VPN or secure gateway, not direct port forwarding. | Reduces exposure to brute force or scanning attacks. |
Least privilege and role separation | Ensure that users (staff, contractors) have only the minimal permissions they need; avoid shared accounts. | Compromised accounts do less damage. |
Logging, alerts and anomaly detection | Enable logs of activity (file access, login attempts) and set alerts/triggers (e.g. abnormal login times). | You can detect suspicious behaviour early. |
Regular backups, offline and air-gapped | Back up client and financial data frequently; keep an offline or air-gapped copy (disconnected from the network). | In case of ransomware or data corruption, you have recoverable data. |
Phishing drills and staff awareness | Periodically simulate phishing emails and train your staff (or yourself) to recognise suspicious ones. | Many breaches begin by clicking a malicious link or opening a Trojan attachment. |
Documented incident response plan | Have a simple playbook: who to call (ATO, TPB, ACSC), what to isolate, and how to communicate to clients. | Reduces confusion and damage when an incident happens. |
Limit the use of admin/root accounts | For day-to-day work, use non-admin accounts; only elevate privileges when absolutely needed. | Reduces the risk of malware running with full system control. |
Use encryption | Encrypt sensitive files or databases at rest; use TLS for all communications; enforce email encryption when sending sensitive info. | Even if data is stolen, encryption provides a strong barrier. |
Secure mobile / remote devices | Enforce device PIN / biometric, remote wipe capabilities, full disk encryption on laptops, and secure backups. | Many compromises start via lost devices or insecure remote connections. |
Vendor/client risk management | Vet and require minimal cybersecurity standards from software vendors, cloud providers or connected services (e.g. accounting software integrations). | Weak links in the chain often lead to compromise. |
Use threat intelligence/alerts | Subscribe to ACSC, Cyber.gov.au alerts, and any tax-sector-specific security bulletins. Respond quickly to advisories. | You gain early warning of relevant new threats (e.g. new malware targeting tax practices). |
Many of these are not expensive; the barrier is simply discipline, consistency and design.
Example – A Realistic Attack Scenario and Mitigation
Scenario
A BAS agent receives an email purportedly from a client, asking for a change in their bank account for receiving funds. The email looks plausible, uses the client’s name, and even includes earlier email threads. The request is urgent. The agent updates the client bank details and lodges a BAS with a refund due. Later, it is revealed the email was a BEC attack; the funds were diverted to a fraudster’s bank account.
How the “hacks” mitigate this risk
- Staff awareness and phishing training: The agent or staff member is alert to mismatches (e.g. “new account not in past history”).
- Independent verification: A policy to always phone the client on a known number to confirm banking detail changes.
- Logging/alerts: If a bank detail change is made, an alert or audit trail triggers a review.
- Least privilege and role separation: The staff member approving payments may not have the authority to change bank accounts.
- Incident plan: If suspicious, freeze payments, report to authorities, and notify insurer/clients immediately.
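The “logging, alerts and anomaly detection” tactic in the table above and the “logging/alerts” mitigation in this scenario both come down to the same thing: a rule that reads the practice’s audit trail and raises a flag when something does not match policy. The script below is an added illustration, not code from My CPE or from any practice-management product. It runs over a constructed sample log (the field layout, the `verified_by_phone` event name, the office IP allow-list and the business-hours window are all assumptions for the example) and raises three kinds of alert: a login outside business hours, a login from an address not on the office allow-list, and a bank-detail change for a client that has no phone-verification record within 24 hours of the change.

```python
"""Audit-log review for a small practice (added example, constructed data).

Flags: logins at abnormal hours, logins from unknown source addresses, and
bank-detail changes that lack an independent verification record.
Log format, event names and thresholds are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample audit log, one event per line:
# timestamp|event|user|source_ip|detail
SAMPLE_LOG = """\
2025-10-06T08:55:12|login|jane|203.0.113.10|office-laptop
2025-10-06T09:20:40|file_access|jane|203.0.113.10|clients/acme/bas_q1.xlsx
2025-10-06T13:02:05|bank_detail_change|jane|203.0.113.10|client=acme;new_bsb=123-456;new_acct=98765432
2025-10-06T13:10:30|verified_by_phone|jane|203.0.113.10|client=acme
2025-10-07T02:14:09|login|jane|198.51.100.77|unknown-device
2025-10-07T02:16:55|bank_detail_change|jane|198.51.100.77|client=bravo;new_bsb=654-321;new_acct=11112222
2025-10-07T10:05:00|login|bob|203.0.113.11|office-desktop
"""

BUSINESS_HOURS = (7, 19)                       # assumed: flag logins outside 07:00-19:00
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}   # assumed allow-list of office addresses
VERIFY_WINDOW = timedelta(hours=24)            # assumed: verification must sit within 24h of the change


def parse_log(text):
    """Turn the pipe-delimited log into a list of event dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip, "detail": detail})
    return events


def detail_field(detail, key):
    """Read one key=value pair out of the semicolon-separated detail column."""
    for part in detail.split(";"):
        k, _, v = part.partition("=")
        if k == key:
            return v
    return None


def find_alerts(events):
    """Apply the three policy rules and return (rule, user, context) tuples."""
    alerts = []
    # Rule 1 and 2: abnormal-hour logins and logins from addresses not on the allow-list.
    for e in events:
        if e["event"] == "login":
            hour = e["ts"].hour
            if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
                alerts.append(("abnormal_hour_login", e["user"], e["ts"].isoformat()))
            if e["ip"] not in KNOWN_IPS:
                alerts.append(("unknown_source_login", e["user"], e["ip"]))
    # Rule 3: every bank-detail change needs a verified_by_phone event for the same
    # client within the window (before or after the change).
    verifications = [e for e in events if e["event"] == "verified_by_phone"]
    for e in events:
        if e["event"] != "bank_detail_change":
            continue
        client = detail_field(e["detail"], "client")
        verified = any(detail_field(v["detail"], "client") == client
                       and abs(v["ts"] - e["ts"]) <= VERIFY_WINDOW
                       for v in verifications)
        if not verified:
            alerts.append(("unverified_bank_change", e["user"], client))
    return alerts


if __name__ == "__main__":
    for rule, user, context in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: user={user} {context}")
```

On the sample data the acme change passes because a phone verification for acme is logged eight minutes later, while the 02:14 login from an unknown device and the unverified bravo change are each flagged, which is exactly the pattern of the scenario above. The point for a practice is less the script than the policy it encodes: a bank-detail change with no matching verification record should be impossible to miss.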
This is a type of “social engineering/business email compromise” attack, notoriously successful and often low-cost to perpetrate.
Compliance, Reporting and Regulatory Considerations
- Notifiable Data Breach (NDB) Scheme: If client personal information is involved and the breach is “likely to result in serious harm,” you have reporting obligations to the Office of the Australian Information Commissioner (OAIC).
- TPB expectations: Cyber security awareness, professional training, safeguarding of client data, and remembering that failures may affect registration.
- ATO / Agent linking changes: The ATO’s new client-agent nomination process is a security measure designed to reduce identity risk.
- Contracts and policies: Ensure your engagement letters or service agreements with clients include data security clauses, limits on liability, and obligations in case of a breach.
- Cyber insurance: In many sectors, appropriate cyber insurance is becoming a norm to mitigate financial risks associated with breaches.
- TPB warning to BAS/tax agents: The Tax Practitioners Board acknowledges that tax practitioners (including BAS agents) may be specifically targeted for their access to sensitive personal and financial data.
Understanding these obligations helps you not only defend, but respond appropriately if something goes wrong.
Culture and Mindset: The “Soft” Part of Security
It is not enough to have tools — your practice must cultivate a security mindset:
- Assume breach potential: Instead of “if we’ll be attacked,” think “when we will be attacked.”
- Regular review and audits: Quarterly (or more frequent) security audits (even self-audits) help catch gaps.
- Promote a “pause and verify” culture: Encourage staff to pause when asked to make a significant change or transaction, and verify via independent channels.
- Ongoing training: Cyber threat tactics evolve. Regular refresher training for yourself and any assistants/staff is essential.
- Client communication and expectations: Educate clients about security best practices (e.g. safe document sharing, avoiding insecure email).
Call to Action and Next Steps
- Conduct a security gap assessment of your practice: run through the list of “hacks” above and see which are missing.
- Prioritise fixes (start with MFA, password manager, backups, and phishing awareness).
- Draft a simple incident response plan and test it (tabletop exercises).
- Subscribe to ACSC/Cyber.gov.au updates and industry bulletins to stay ahead of new threats.
- Review your client agreements to ensure proper clauses on data protection, breach responses, liability, etc.
With disciplined implementation, many of the major risks can be materially reduced — protecting both your practice and your clients.