Data defense: 10 tips for tax security

Despite progress by the Internal Revenue Service and its Security Summit partners against identity theft, cyber-crooks’ evolving tactics continue to threaten the tax community and the data of taxpayers.

The numbers are apparently encouraging. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers, compared with 677,000 in 2015, the third consecutive year this number declined. The number of confirmed ID-theft returns stopped by the IRS declined 54 percent, from 1.4 million in 2015 to 649,000 in 2018.

“The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data – but a major risk remains regardless of whether you’re the sole tax practitioner in your office or part of a multi-partner accounting firm,” warned IRS Commissioner Chuck Rettig.

Tax professionals can get help with security recommendations in IRS Publication 4557, “Safeguarding Taxpayer Data,” and “Small Business Information Security: the Fundamentals” by the National Institute of Standards and Technology. Publication 5293, “Data Security Resource Guide for Tax Professionals,” provides a compilation of data theft information available on IRS.gov.

In the meantime, the Security Summit partners have created a “Taxes-Security-Together” checklist for tax professionals, which starts with deploying the “Security Six” measures and adds a number of other protective strategies.

Security Six No. 1: Anti-virus software

There are a variety of anti-virus packages on the market that will periodically conduct automatic scans of your files and documents to detect malware, spyware, viruses and other malicious code. Since hackers are constantly coming up with new malware, anti-virus software vendors continually update their defenses — and you need to make sure that you accept those updates promptly and regularly.

Security Six No. 2: Build firewalls

Beyond scanning for malware that may already be in your systems, you want to create a shield around them that includes hardware, in the form of external devices positioned between your computers and the internet, and software that runs on your systems to protect against malicious traffic.

Note, though, that firewalls won’t prevent every attack — particularly since so many are enabled by human carelessness within your network.

Security Six No. 3: Two-factor authentication

Check to see if the software vendors who provide your email, tax prep and other systems allow you to employ two-factor authentication, and if they do, use it. Essentially, it requires users to prove themselves twice before getting access to a system, first by providing a credential like a username and password, and then through a second step, which is often a security code sent to a mobile phone. This significantly raises the bar for hackers looking to crack a system.

Security Six No. 4: Back up files

This is important for a number of reasons, but for security purposes, having backups of critical files on external servers will give you and your clients options if you are ever subject to ransomware or other attacks that try to deny you access to your data and systems.

Security Six No. 5: Encrypt drives

Drive encryption can be achieved in a couple of different ways, but the important point is to make the data on a computer unreadable and inaccessible to unauthorized people.

Security Six No. 6: VPNs

Firms with staff who work remotely or otherwise outside the office should establish encrypted virtual private networks that give those staff a more secure connection to the internet. Public WiFi networks are notoriously insecure, but even an individual’s home network access is much less secure than it should be, and VPNs make a major difference.

Create a data security plan

Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. The security plan requirement is flexible enough to fit any size prep firm, and tax pros should focus on key risk areas such as employee management and training, information systems and detecting and managing system failures.

Educate yourself and be alert to key email scams

In addition to being on the lookout for IRS alerts on the latest e-schemes, learn about spear phishing emails (emails ostensibly from a known or trusted sender that try to get you to reveal confidential client information) and beware of ransomware, malware designed to deny access to a computer system or data until a ransom is paid.

Recognize signs of client data theft

If clients receive IRS letters about suspicious tax returns in their name, or more returns are filed with a practitioner’s EFIN than submitted, or if clients receive tax transcripts they never requested — chances are suddenly good that somebody’s got their hands on your client data.

Move fast on a data-theft recovery plan

If you think you’ve been hacked, contact the local IRS Stakeholder Liaison immediately. Assist the IRS in protecting clients’ accounts and contract with a cybersecurity expert to help prevent and stop future thefts.