© 2020 Arizent. All rights reserved.

Data defense: 10 tips for tax security

Despite progress by the Internal Revenue Service and its Security Summit partners against identity theft, cyber-crooks’ evolving tactics continue to threaten the tax community and the data of taxpayers.

The numbers are apparently encouraging. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers, compared with 677,000 in 2015, the third consecutive year this number declined. The number of confirmed ID-theft returns stopped by the IRS declined 54 percent, from 1.4 million in 2015 to 649,000 in 2018.

“The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data – but a major risk remains regardless of whether you’re the sole tax practitioner in your office or part of a multi-partner accounting firm,” warned IRS Commissioner Chuck Rettig.

Tax professionals can get help with security recommendations in IRS Publication 4557, “Safeguarding Taxpayer Data,” and “Small Business Information Security: the Fundamentals” by the National Institute of Standards and Technology. Publication 5293, “Data Security Resource Guide for Tax Professionals,” provides a compilation of data theft information available on IRS.gov.

In the meantime, the Security Summit partners have created a “Taxes-Security-Together” checklist for tax professionals, which starts with deploying their “Security Six” measures and then adds a number of other protective strategies.

Security Six No. 1: Anti-virus software
There are a variety of anti-virus packages on the market that will periodically conduct automatic scans of your files and documents to detect malware, spyware, viruses and other malicious code. Since hackers are constantly coming up with new malware, anti-virus software vendors continually update their defenses, and you need to make sure that you accept those updates regularly and as soon as possible.
Security Six No. 2: Build firewalls
Beyond scanning for malware that may already be in your systems, you want to create a shield around them that includes hardware in the form of external devices positioned between your computers and the internet, and software that runs on your systems to protect against malicious traffic.

Note, though, that firewalls won’t prevent every attack — particularly since so many are enabled by human carelessness within your network.
Security Six No. 3: Two-factor authentication
Check to see if the software vendors who provide your email, tax prep and other systems allow you to employ two-factor authentication, and if they do, use it. Essentially, it requires users to prove themselves twice before getting access to a system, first by providing a credential like a username and password, and then through a second step, which is often a security code sent to a mobile phone. This significantly raises the bar for hackers looking to crack a system.
Security Six No. 4: Back up files
This is important for a number of reasons, but for security purposes, having backups of critical files on external servers will give you and your clients options if you are ever subject to ransomware or other attacks that try to deny you access to your data and systems.
Security Six No. 5: Encrypt drives
Drive encryption can be achieved in a couple of different ways, but the important point is to make the data on a computer unreadable and inaccessible to unauthorized people.
Security Six No. 6: VPNs
Firms with staff who work remotely or otherwise outside the office should establish encrypted virtual private networks that give them a more secure connection to the internet. Public WiFi networks are notoriously insecure, but even an individual’s home network access is much less secure than it should be, and VPNs make a major difference.
Create a data security plan
Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. The security plan requirement is flexible enough to fit any size prep firm, and tax pros should focus on key risk areas such as employee management and training, information systems and detecting and managing system failures.
Educate yourself and be alert to key email scams
In addition to being on the lookout for IRS alerts on the latest e-schemes, learn about spear phishing emails (emails ostensibly from a known or trusted sender that try to get you to reveal confidential client information) and beware of ransomware, malware designed to deny access to a computer system or data until a ransom is paid.
Recognize signs of client data theft
If clients receive IRS letters about suspicious tax returns in their name, or more returns are filed with a practitioner’s EFIN than submitted, or if clients receive tax transcripts they never requested — chances are suddenly good that somebody’s got their hands on your client data.
Move fast on a data-theft recovery plan
If you think you’ve been hacked, contact the local IRS Stakeholder Liaison immediately. Assist the IRS in protecting clients’ accounts and contract with a cybersecurity expert to help prevent and stop future thefts.