New ATO digital security standards: services using cloud based payroll urged take note
The Australian Taxation Office (ATO) has implemented security standards relating to business owners offering cloud based payroll services – including early childhood education and care (ECEC) providers, Inside Small Business has reported.
Those using cloud based payroll systems are now required to offer two-factor authentication for users to access relevant payroll applications, with article author, Wendy Blanch, highlighting the importance of implementing stronger cybersecurity systems in light of the Federal Government’s Notifiable Data Breach (NDB) scheme.
The Sector reported in 2018 that private education providers, including ECEC sites, were in the top five groups for reportable breaches in which personal data was compromised, making Ms Blanches’ advice especially pertinent for the sector.
Two factor authentication is also known as multi factor authentication (MFA), provides an additional layer of security for users as they log in to applications. Traditional protections, such as logging in with a password or pin number to a banking application, are given an extra layer – perhaps by being sent a code through SMS or email. By having two “gates” for information to pass through, there is less likelihood of sensitive information being compromised.
Speaking with Inside Small Business, Ms Blanch said the two factor authentication system will be familiar to many users, as the system is common in many banking and Government applications. She said that whilst MFA is an optional feature for many cloud based payroll systems, it is important for ECEC services managing a cloud based payroll to be aware that it is now a requirement for make MFA available to employees.
The change will affect all services hosted by digital service providers (DSP), which includes all cloud based payroll systems, Ms Blanch said, adding “From third-party payroll systems through to internal business departments and business owners, anyone who logs onto a cloud-based payroll system will be affected by the new regulations.”
She went on to say that, whilst not mandatory, MFA is highly recommended for client controlled services and DSP staff without access to tax and superannuation related information, saying it was an important distinction to make.
The deadline for changes to be made, Ms Blanch said, was 30 September 2018, with mandated use from 31 December 2018, meaning changes should be truly embedded in all services using cloud based payroll.
ECEC services who failed to comply with the changes, Ms Blanch said, can attract fines of up to $2.1 million. If a service is currently using DSP, with cloud based payroll, Ms Blanch suggested the person responsible for maintaining the system should ensure the option for MFA was activated.