When it comes to keeping your business’ data secure—and that of your clients—you now have some new items on your to-do list.
The Internal Revenue Service and its Security Summit task force have issued some of the most important steps every tax practitioner should take to safeguard their data from cybercriminals.
No doubt, it’s not easy keeping up with the dizzying array of viruses, worms, Trojan horses, bots and all the other threats that are forever crawling up out of cyberspace to steal your business and client data. Even the terminology can be daunting. But that’s why every tax office, large or small, needs to find and deploy strong security practices and software that will do the job.
Tax Security 101
The IRS and the Security Summit partners have issued their second in the Tax Security 101 series of awareness documents aimed at giving tax pros the basic information needed to better protect taxpayer data and help prevent fraudulent tax returns.
While the Security Summit is clearly making progress in the fight against tax-related identity theft, the methods used by identity thieves continue to evolve. The number of data thefts from tax practitioner offices is rising. The aim is the same: Thieves steal data from tax professionals in order to create fraudulent tax returns that are harder to detect.
Therefore we bring you the “Security Six,” must-have strategies to secure taxpayer data on computers. Whether your tax operation is a large corporate affair or a “one-man band,” these are good ideas that can help you sleep better at night.
In general, anti-virus software scans your computer’s hard drive and memory for patterns that may indicate the presence of malicious software, called “malware.” Makers of anti-virus software update those patterns or signatures regularly, so that their software can scan for the most current threats known. Once installed, any anti-virus program should be set to check for updates automatically and install when it finds them. Don’t wait to update.
Once users have installed an anti-virus package, they should scan their entire computer periodically:
- Automatic scans – Most anti-virus software can be configured to automatically scan specific files or directories in real time and prompt users at set intervals to perform complete scans.
- Manual scans – If the anti-virus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This process includes:
- Saving and scanning email attachments or web downloads rather than opening them directly from the source.
- Scanning portable media, including CDs and DVDs, for malware before opening files.
Firewalls protect computer systems from outside attack, shielding the computer or network from malicious network traffic or access by malicious software that tries to access the network. In general, firewalls can be either hardware or software. Both kinds have advantages and drawbacks, but the decision to use some sort of firewall is more important than deciding which type to use.
- Hardware – Typically called network firewalls, these external devices are positioned between a computer and the internet (or other network connection). Many vendors and some internet service providers (ISPs) offer integrated small office / home office (SOHO) routers that also include firewall features. Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them. The advantage of hardware-based firewalls is that they are separate devices running their own operating systems, so they provide an additional line of defense against attacks when compared to system or host-level protections.
- Software – Most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall. Firewall software can also be obtained as separate software from a local computer store, software vendor or ISP. If downloading firewall software from the internet, make sure it is from a reputable source (i.e., an established software vendor or service provider) and offered via a secure site.
While firewalls can help protect computer networks, they may not guarantee a computer against attack. A malicious program installed accidently by a user, for example, would not be stopped by a firewall. But when added with other measures, a firewall can help to “harden” the defenses of a computer network.
A lot of email providers are now offering two-factor authentication protection to email accounts. Tax pros should always opt to use this feature when it’s offered, to prevent their accounts from being taken over by cybercriminals and putting their clients at risk.
This feature works by asking first for the standard username and password, but goes farther by sending an authorization code, usually by text to the user’s mobile phone. The theory behind the process is that if an identity thief steals the user’s username and password, chances are slip he won’t also have the user’s cellphone. Without access to the cellphone, the login process cannot be completed.
Backup Software and Services
Critical files on computers should be routinely backed up to an external source. This source can be cloud-based or on a removable drive that can be stored off-site. Drake customers can use their tax software to generate a backup of their client files. Drake also offers Secure File Pro as a secure, cloud-based backup destination.
No matter which kind of backup you make, make sure the backup file is encrypted.
Client data is sensitive stuff, and as such it deserves all the protection we can give it. Consider using drive encryption, which makes all the data on a hard drive readable only by the software that encrypted the drive. For unauthorized persons accessing the drive, the data appears to be unreadable.
Drive encryption software may be available as a stand-alone security software product, and may also include encryption for removable media such as a flash drive. Encryption may also be offered by your computer’s operating system. Check your manual to make sure.
Make a Data Security Plan
The Security Summit reminds all preparers that a written data security plan is required by the Federal Trade Commission and its Safeguards Rule.
How to write a security plan? There are a number of sources you can turn to for help. The FTC has a great source in its Protecting Personal Information: A Guide for Business.
The IRS offers Publication 4557, Safeguarding Taxpayer Data, and the National Institute of Standards and Technology has Small Business Information Security: The Fundamentals.
One final reminder: despite all our talk about software and firewalls, authentication and backups, remember that none of these tools will protect data if a user falls for an email scam and unwittingly gives up usernames and passwords to an identity thief. It’s the user—not the software—that is the first line of defense in protecting the firm’s data and the data of its clients.