A group of tax practitioners are lending their observations and recommendations on what their colleagues in the income tax industry ought to be doing about security. And these tax pros should know: they’ve been victimized by hackers and identity thieves who stole their precious client data.
As part of the “Tax Security 101” security awareness campaign, the IRS and its Security Summit industry partners have released some of the best suggestions from real-life victims of tax-office data theft on how they would have done things differently in retrospect.
The suggestions – pulled anonymously from victimized professionals – offer us all an opportunity to learn from these common mistakes and hopefully avoid a devastating data loss for clients and the businesses.
Lesson 1: Get Cyber Insurance Coverage
Unfortunately, the idea of securing insurance coverage in case of a data breach often isn’t considered until it’s too late. It seems tax offices can be divided into two groups: Those who were glad they invested in cyber insurance – and those who wished they had.
Many tax professionals maintain business policies that may cover property and liability, but these policies may not fully cover data thefts. Tax professionals victimized by these crimes recommend that their colleagues also explore cyber coverage for data breaches. This may require an addendum or rider to the policy. Practitioners also suggest that the dollar amount of the policy be large enough to cover expenses.
Some insurance companies provide teams of experts in the event of a data theft, assisting tax professionals in identifying the source of the data breach and resolving it. These teams may also help notify clients or provide extended protections. Just as important, these teams of experts may assist tax professionals proactively, helping make sure adequate safeguards are in place to prevent a data theft.
If your office uses cloud storage, ask your storage provider if they have insurance in case their storage system’s security is breached.
Lesson 2: Password Protect Each Client Account
We’ll admit this up front: Yes, it’s a pain to put password security on each and every client account in your system. But the tax pros who have gone through a data breach all agree it’s a must-do. Even if intruders manage to get into your office system, password protection of each file can save the day – and your data.
And while we’re at it, let’s talk passwords here. What makes a good password? Eight characters or longer – a mix of letters, numbers and special characters. The tough part? Each client account should have its own unique password. For more on passwords and encryption, check out Protect Your Clients; Protect Yourself: Tax Security 101.
Lesson 3: Use a Virtual Private Network for Remote Connections
The tax professionals spotlighted by the IRS also wish they had used a Virtual Private Network, or VPN, instead of remote access software. VPNs allow remote workers or branch offices to connect to the main office computer system and send and receive data. At the same time, a VPN can help keep those transmissions virtually invisible to would-be identity thieves.
There have been cases where cybercriminals have taken over remote access of a tax professional’s computer systems. In one example, the thieves remotely accessed client accounts via the tax pro’s computer, completed and e-filed pending returns and changed the deposit information to their own accounts.
Some Internet Service Providers also offer VPNs as an extra service. Nationally, some providers of anti-virus software have included VPNs in their lists of security products. Prices and scope of the VPN can vary, so shop around before making a decision.
Lesson 4: Keep All Security Software Updated
The argument for keeping security software updated is simple: The hackers are using the latest tools they can get to crack your security. Shouldn’t you have the latest defenses you can get?
Security software isn’t just your anti-virus programs, either. It includes the computer operating system, anti-malware, anti-virus software, firewalls, and more. While most computers come with security software installed, tax professionals also can purchase additional security software products.
Updated software helps protect users from emerging threats that can lead to data thefts. Users can set the security software to update automatically. Even with automatic updates, however, periodic checks are needed to ensure that the system is indeed updating itself.
In addition to these steps, the Security Summit reminds all professional tax preparers that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov.