Where to Start in Cybersecurity
Tips for building a cybersecurity defense for your tax practice.
For some time now, we here at Drake – along with the Internal Revenue Service, state tax agencies and their other tax industry partners – have been giving helpful tips for building a cybersecurity defense for your tax practice.
But where do you start?
Start by understanding our responsibilities. IRS Commissioner John Koskinen says all tax practitioners, from the largest of firms to the smallest of offices, have a legal obligation to protect taxpayer information in their care. That means securing sensitive data from unauthorized disclosure, improper disposal and outright theft.
“More and more, we see the data held by tax professionals being targeted by national and international criminal syndicates that are highly sophisticated, well-funded and technologically adept,” said Koskinen. “No tax practitioner today can afford to ignore cybersecurity threats or overlook putting in place strong safeguards.”
One place to start is Publication 4557, Safeguarding Taxpayer Data, which outlines the legal obligations of tax practitioners. The IRS publication also offers a checklist to help create a security plan. Some of the key initial steps include:
- Take responsibility or assign an individual or individuals to be responsible for safeguards
- Assess the risks to taxpayer information in offices, including operations, physical environment, computer systems and employees
- Make a list of all the locations where taxpayer information is kept (computers, filing cabinets, bags and boxes taxpayers may bring in)
- Write a plan of how to safeguard taxpayer information. Put appropriate safeguards in place
- Use only service providers who have policies in place to also maintain an adequate level of information protection defined by the Safeguards Rule; and
- Monitor, evaluate and adjust security programs as business or circumstances change
Since most tax pros are also small business operators, the Commerce Department’s National Institute of Standards and Technology (NIST) has issued a new guidance document, Small Business Information Security: The Fundamentals. The NIST guide offers action-item categories to help steer tax pros in their security efforts:
- Identify and control who has access to business information
- Conduct background checks
- Require individual user computer accounts for each employee
- Create policies and procedures for information security
- Limit employee access to data and information
- Install Surge Protectors and Uninterruptible Power Supplies (UPS)
- Patch operating systems and applications
- Install and activate software and hardware firewalls on business networks
- Secure wireless access point and networks
- Set up web and email filters
- Use encryption for sensitive business information
- Dispose of old computers and media safely
- Train employees
- Install and update anti-virus, spyware and other malware programs
- Maintain and monitor logs
- Develop a plan for disasters and information security incidents
- Make full backups of important business data/information
- Make incremental backups of important business data/information
- Consider cyber insurance
- Make improvements to processes, procedures and technologies
Explaining how to address security threats is just part of the Security Summit’s “Don’t Take the Bait” awareness campaign aimed at tax professionals. The Security Summit is a joint effort among the IRS, state tax agencies and tax industry leaders as part of the ongoing Protect Your Clients; Protect Yourself effort.