How do the ATO's new digital security standards impact your cloud-based payroll system?
As the Australian digital economy continues to grow and diversify, new security requirements are being adopted to protect users. The Australian Taxation Office (ATO) recently introduced new security standards that have important implications for business owners and anyone who offers payroll services.
Stronger authentication is an unobtrusive way to protect anyone who manages a workforce and makes payments over the Internet. All digital service providers (DSPs) with cloud-based payroll systems are now required to offer two-factor authentication to users before they can access the relevant applications.
What is Multi Factor Authentication (MFA)?
The Australian Government's Notifiable Data Breaches (NDB) scheme, introduced in February 2018, has highlighted that identity theft is rising and that people are not doing enough to protect their data. This is one of many reasons why it is important to make appropriate changes to how you conduct business online.
The NDB scheme raised the importance of implementing stronger cybersecurity controls, including better privacy and authentication systems. Two-factor authentication (2FA) is the most common form of multi-factor authentication (MFA); it adds a further level of security when users log into applications. Rather than relying on a single check, the username and password, users are prompted for a second verification step, typically a one-time code delivered by SMS or email. Codes delivered by SMS or email are a clear improvement on a password alone, but they can be intercepted or redirected (for example through SIM swapping or a compromised mailbox), so an authenticator app or a hardware security key is the stronger option where the provider offers one.
Two-factor authentication has already been adopted by many banking and government organisations in Australia; the MFA requirement now brings that second level of security to cloud-based, Single Touch Payroll (STP) compliant payroll systems. While MFA remains optional for products and services controlled by the client, all cloud-based payroll systems are now required to make it available.
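As an added illustration of the delivered-code second factor described above (example code written for this article, not part of the ATO rules or of any DSP's product), the following Python sketch shows the server side of an SMS- or email-style one-time code: the code is generated from a CSPRNG, only a keyed hash of it is stored, it expires, it is single-use, and it is invalidated after a handful of wrong guesses. The code length, lifetime and attempt limit are assumed values chosen for the example, and the `SecondFactorService` name and its methods are hypothetical.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed tuning values for this example only, not figures mandated by the ATO.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300      # a delivered code should expire within minutes
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is discarded


@dataclass
class PendingCode:
    """Server-side record of one issued code. Only a keyed hash is kept."""
    code_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class SecondFactorService:
    """Issues and verifies one-time codes that are delivered out of band (SMS, email)."""
    # Per-deployment secret so a stolen table of hashes cannot be brute-forced offline.
    pepper: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def _hash(self, user: str, code: str) -> bytes:
        # Bind the hash to the user so a code issued to one account cannot be
        # replayed against another account.
        return hmac.new(self.pepper, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: Optional[float] = None) -> str:
        """Generate a fresh code for `user` and return it for delivery.

        The caller sends the returned string by SMS or email; the service keeps
        only its keyed hash and an expiry time. Issuing a new code replaces any
        code still pending for the same user.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, zero-padded
        self.pending[user] = PendingCode(self._hash(user, code), now + CODE_TTL_SECONDS)
        return code

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        """Check a submitted code. Returns True exactly once per issued code."""
        now = time.time() if now is None else now
        record = self.pending.get(user)
        if record is None:
            return False                        # nothing issued, or already used
        if now > record.expires_at:
            del self.pending[user]              # expired codes are dropped, not retried
            return False
        record.attempts += 1
        # Constant-time comparison of hashes avoids leaking how many digits matched.
        ok = hmac.compare_digest(record.code_hash, self._hash(user, submitted))
        if ok or record.attempts >= MAX_ATTEMPTS:
            del self.pending[user]              # single use; also burned after too many guesses
        return ok


if __name__ == "__main__":
    svc = SecondFactorService()
    code = svc.issue("alice")
    print("delivered code:", code)             # in production this goes to the user's phone
    print("first attempt:", svc.verify("alice", code))    # True
    print("replay attempt:", svc.verify("alice", code))   # False: codes are single use
```

The same structure applies whichever channel delivers the code; what changes between SMS, email and an authenticator app is how the secret reaches the user, not how the server must treat it (random, short-lived, single-use, attempt-limited, never stored in the clear).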
Who is affected by this change?
Under the new ATO rules, which complement the NDB scheme, all services hosted by DSPs, including all cloud-based payroll systems, are now required to adopt MFA.
From third-party payroll providers through to internal business departments and business owners, anyone who logs onto a cloud-based payroll system is affected. This is likely to include payroll companies, business owners, and individual employees who use employee self-service payroll portals.
While not mandatory, MFA is also recommended for client-controlled services and for DSP staff who do not have access to tax or superannuation related information.
This is an important distinction to make.
For client-controlled services, including desktop software, software hosted by the client on their own premises, and infrastructure as a service (IaaS) or platform as a service (PaaS), the additional level of authentication is optional but highly recommended to reduce the risk of a data breach.
In contrast, MFA is mandatory for products and services controlled by the DSP. This covers end users who access taxation or superannuation products and services, and DSP staff who have access to those products and services; it includes software as a service (SaaS), gateways, and sending service providers.
Regardless of the payroll system architecture in question, MFA may be enabled for every user or selectively for individual users based on their role within the organisation. Additional verification provides a safer environment for users and a much-needed protective layer for sensitive systems.
ATO deadlines
The MFA rules were adopted by the ATO in response to the rapid growth of digital services across Australia. All products and services hosted by DSPs were required to implement MFA by 30 September 2018, and to mandate its use by 31 December 2018.
Failure to comply with the NDB scheme can attract penalties of up to $2.1 million. The more robust authentication standards recently adopted by the ATO are an important piece of the puzzle in protecting users and businesses: they improve data security, reinforce accountability, and encourage higher security standards through better products and services.
What do I need to do?
MFA is recommended for all applicable products and services and should be made available wherever practical. If you are a business using a DSP's cloud-based payroll system, check that the provider has given you the option of a two-factor login process; offering this additional level of security is now a mandatory ATO requirement for DSP-hosted services.
Where it is not practical to implement MFA for client-controlled services, businesses should consider alternative controls such as account lockout after repeated failed logins, secure password reset practices, and integrated passphrase management.