The IRS, state tax agencies and the tax industry today urged tax
professionals to make data security an everyday priority, noting a few simple
steps can go far in protecting taxpayer information from cybercriminals.
Cybersecurity experts often refer to the 90/10 rule. This rule states that
10 percent of cybersecurity is reliant upon technology; 90 percent is up to users.
The IRS currently is receiving reports of tax professional data breaches at the
rate of three to five a week, a level that requires immediate attention.
Making daily security a priority is part of the “Don’t Take the Bait”
campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies
and the tax industry, working together as the Security Summit, urge
practitioners to work to protect their clients and themselves from
cybersecurity threats. This is part of the ongoing Protect Your Clients;
Protect Yourself effort.
“Tax professionals should not overlook the importance of protecting their
systems and their data,” said IRS Commissioner John Koskinen. “Cybercriminals
are increasingly targeting the tax community, and tax practitioners play a
critical role in helping safeguard their client data as well as their own.
Taking a few critical steps can help tax professionals avoid a devastating
situation for their business and the taxpayers they serve.”
Data security within a tax professional’s office is only as strong as the
least-informed employee. And, security awareness must extend beyond the office
into homes. The IRS is aware of situations where a data breach of a tax
preparer’s office began at the home of an employee working remotely.
Tax professionals – as well as the Security Summit partners – are matching
wits and skills with highly sophisticated, well-funded, technologically adept
criminal syndicates from the United States and around the world. Anyone who
handles taxpayer information has an obligation under federal law to protect
that information from unauthorized disclosure, improper disposal and outright
theft.
Tax professionals should conduct ongoing education of office employees to
combat daily threats, including spear phishing emails, business identity theft,
account takeovers, ransomware attacks, remote takeovers, business email
compromises and Electronic Filing Identification Number (EFIN) thefts.
Protecting Clients and Businesses by Making Data Security a Daily Priority
Practitioners also should review the NIST small business guide to learn not
only what technological steps should be taken but also what everyday steps all
employees should take. NIST, or the National Institute of Standards and
Technology, a division of the U.S. Department of Commerce, has been helping
small businesses with information security since 2001. NIST also has
recommendations on everyday activities tax professionals and employees can do
to help keep businesses safe and secure. Some of these include:
- Be careful of email attachments and web links
  - Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify they sent the email and ask them to describe what the attachment or link is. Before you click a link (in an email or on social media, instant messages, other webpages), hover over that link to see the actual web address it will take you to. Train employees to recognize phishing attempts and who to notify when one occurs.
- Use separate personal and business computers, mobile devices and accounts
  - As much as possible, have separate devices and email accounts for personal and business use. This is especially important if other people, such as children, use personal devices. Do not conduct business or any sensitive activities (like online business banking) on a personal computer or device, and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to personal email addresses.
- Do not connect personal or untrusted storage devices or hardware into computers, mobile devices or networks
  - Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown or untrusted hardware into the system or network, and do not insert any unknown CD, DVD or USB drive. Disable the “AutoRun” feature for the USB ports and optical drives like CD and DVD drives on business computers to help prevent malicious programs on such media from installing on the systems.
- Be careful downloading software
  - Do not download software from an unknown web page. Be very careful with downloading and using freeware or shareware.
- Watch out when providing personal or business information
  - Social engineering is an attempt to obtain physical or electronic access to business information by manipulating people. A very common type of attack involves a person, website or email that pretends to be something it’s not. A social engineer will research a business to learn names, titles, responsibilities and any personal information they can find. Afterwards, the social engineer usually calls or sends an email with a believable, but made-up, story designed to convince the person to give them certain information.
  - Never respond to an unsolicited phone call from a company you do not recognize that asks for sensitive personal or business information. Employees should notify their management whenever there is an attempt or request for sensitive business information.
  - Never give out usernames or passwords. No company should ask for this information for any reason. Also, beware of people asking what kind of operating system, brand of firewall, internet browser, or what applications are installed. This is information that can make it easier for a hacker to break into the system.
- Watch for harmful pop-ups
  - When connected to and using the Internet, do not respond to popup windows requesting that users click “OK.” Use a popup blocker and only allow popups on trusted websites.
- Use strong passwords
  - Good passwords consist of a random sequence of letters (upper case and lower case), numbers, and special characters. NIST recommends passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual factor” authentication).
  - Many devices come with default administration passwords – these should be changed immediately when installing and regularly thereafter. Default passwords are easily found or known by hackers and can be used to access the device. The manual or those who install the system should be able to show you how to change them.
  - Passwords should be changed at least every three months.
  - Passwords to devices and applications that deal with business information should not be re-used.
  - You may want to consider using a password management application to store your passwords for you.
- Conduct online business more securely
  - Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner or upper left of the web browser window.
  - Erase the web browser cache, temporary internet files, cookies and history regularly. Make sure to erase this data after using any public computer and after any online commerce or banking session. This prevents important information from being stolen if the system is compromised. This will also help the system run faster. Typically, this is done in the web browser’s “privacy” or “security” menu. Review the web browser’s help manual for guidance.
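The hover check recommended under “Be careful of email attachments and web links” (compare the address a link displays with the address it really leads to) can also be run over the HTML body of a message, for example when an employee forwards a suspicious email to the person they have been told to notify. The script below is an added example and is not code from the IRS release or the NIST guide; the sample message it scans is constructed, and the look-alike host irs-secure-login.example.net is a placeholder.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that itself looks like a web address or bare domain.
DOMAIN_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased host of a URL, or of a bare domain shown as link text."""
    candidate = value if "://" in value else "http://" + value
    return (urlparse(candidate).hostname or "").lower()


def find_deceptive_links(html):
    """(visible text, real href) pairs where the text shows one web address
    but the link leads to a different host. Text like 'click here' gives
    nothing to compare and is skipped; verify those with the sender."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(text, href) for href, text in parser.links
            if DOMAIN_RE.match(text) and _host(text) != _host(href)]


# Constructed sample message; the look-alike host is a placeholder.
SAMPLE_EMAIL = (
    '<p>Your e-Services access will be suspended. Sign in at '
    '<a href="http://irs-secure-login.example.net/verify">https://www.irs.gov/e-services</a> '
    'or read <a href="https://www.irs.gov/">www.irs.gov</a> and '
    '<a href="http://irs-secure-login.example.net/verify">click here</a>.</p>'
)
```

Running `find_deceptive_links(SAMPLE_EMAIL)` flags only the first link, whose text shows an irs.gov address while the href points elsewhere; the “click here” link is not flagged, which is exactly why the guidance also tells staff to hover and to confirm with the sender.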