Drake Software blog for tax pros, covering tax, IRS news, and more

Cybersecurity for Tax Professionals

Cybersecurity for Tax Professionals

Today, tax preparers operate within an increasingly complex and perilous cybersecurity context. These challenges not only threaten the integrity of your practice, but also put your clients' financial well-being at risk. At Drake Software®, we recognize the gravity of these threats and are committed to providing you with the knowledge and tools necessary to fortify your practices. As we delve into this topic, we will examine prevalent threats, share foundational best practices, and outline critical strategies to help you implement a digital shield around your business.  

Cybersecurity Threats in the Tax Industry 

As tax preparers are entrusted with a wealth of sensitive financial information, they are often vulnerable to evolving digital risks. It is therefore imperative to establish an understanding of the potential dangers to your tax practice, so that you are prepared to protect against them. 

  • Phishing Attacks 

Cybercriminals employ sophisticated social engineering tactics, often through deceptive emails or messages, to deceive unsuspecting individuals into disclosing sensitive information, such as login credentials and client data. In fact, according to Verizon’s 2021 Data Breach Investigations Report, a staggering 94% of malware is delivered via email, with phishing being the most common attack vector.  

  • Ransomware 

This insidious form of malicious software has the potential to swiftly encrypt critical files, holding them hostage until a ransom is paid.  

  • Data Breaches 

Unauthorized access to the treasure trove of sensitive client information that tax professionals hold can lead to catastrophic consequences, often manifesting as data breaches. Beyond the immediate financial impact, these breaches possess the potential for enduring reputational harm. In 2023, the average cost of a data breach is $4.45 million, as noted in IBM's 2023 Cost of a Data Breach Report. 

By gaining a comprehensive understanding of these pervasive threats, tax professionals can take an essential step toward bolstering their cybersecurity.  

Cybersecurity Best Practices 

To help strengthen your tax practice against the cyber threats looming in today's digital landscape, a proactive approach built on suggested cybersecurity best practices is indispensable.  

  • Strong Password Policies 

To help protect your business, we suggest encouraging the use of complex, unique passwords for all accounts, incorporating a combination of letters, numbers, and symbols. Advocate for regular password changes and the avoidance of easily guessable information, such as birthdates or common words. 

  • Multi-Factor Authentication (MFA) 

You may further elevate your cybersecurity defenses by mandating the use of multi-factor authentication (MFA) wherever possible. MFA adds an extra layer of protection by requiring users to verify their identity through a secondary method, such as a one-time code sent to a mobile device. 

  • Software Updates and Patch Management 

Stay vigilant in applying software updates and patches promptly. Outdated software can serve as a vulnerable entry point for cybercriminals, so we recommend regularly reviewing and updating all operating systems, applications, and security software to mitigate potential vulnerabilities. 

  • Employee Training Programs 

Your staff is your first line of defense against cybersecurity risks, so it’s important to invest in comprehensive employee training and awareness programs. Educate your team about cybersecurity risks—phishing attacks, for example—and empower them to recognize and report suspicious activity promptly. 

Introducing similar best practices such as these will not only enhance the security of your tax practice but also reinforce the trust your clients place in your ability to safeguard their financial information.  

Protecting Client Data 

While we’ve established some general strategies for upholding secure practices within your business, a major responsibility shouldered by tax professionals is safeguarding client data with the utmost diligence and care. Below, we’ve outlined some additional measures to take to specifically protect client data. 

  • Encryption 

Finally, you might leverage secure, encrypted file sharing and storage solutions to protect sensitive client data. Ensure that data is encrypted both in transit and at rest, and consider implementing access controls to restrict data exposure to authorized personnel. 

  • Secure Data Storage Solutions 

Choose secure data storage solutions that align with industry standards and regulations. We recommend opting for reputable cloud providers with a strong focus on data security, complemented by access controls and encryption measures. 

  • Data Retention Policies 

You might also develop and adhere to data retention policies that stipulate the length of time client data is retained. With this method, we suggest purging any unnecessary data as well, reducing the volume of sensitive information that could potentially be exposed in the event of a breach. 

  • Client Data Access Controls 

Another security measure is to restrict access to client data to authorized personnel only. You may implement robust access controls that limit who can view, edit, or share sensitive information, ensuring that data exposure is minimized. 

  • Compliance with Legal and Ethical Obligations 

Finally, make yourself familiar with the legal and ethical obligations governing the protection of client data in your jurisdiction. Adherence to these regulations is not only a legal requirement but also essential for maintaining trust and credibility. 

Protecting client data is a foundational component of ethical practice and compliance. By enacting stringent measures to safeguard information, you build client trust in your business. If you're interested in learning more about safeguarding your clients, visit our blog on privacy policies for tax preparers. 

Building an Incident Response Plan 

The ability to swiftly and effectively respond to potential breaches or incidents is incredibly important. It is crucial to construct a comprehensive incident response plan to serve as a blueprint for navigating the complexities of cyber threats. We’ve outlined some key components below. 

  • Detection and Identification of a Breach 

The first step is to proactively employ tools for detecting and confirming a cybersecurity incident quickly. We suggest researching different intrusion detection systems, security information and event management (SIEM) tools, and anomaly detection to identify irregularities. 

  • Containment and Eradication 

You may also find it helpful to detail breach containment procedures to prevent further damage and eradicating the root cause. This may involve isolating affected systems, disabling compromised accounts, or patching vulnerabilities. 

  • Communication and Reporting 

Consider establishing communication protocols for notifying relevant stakeholders—including clients, regulatory authorities, and law enforcement—as required by applicable laws and regulations. 

  • Recovery  

Finally, define the necessary steps to recover affected systems and data. We suggest conducting a thorough post-incident analysis to glean insights and lessons that can be applied to strengthen future cybersecurity efforts. 

With any cybersecurity measures, it’s necessary to regularly assess your efficacy through testing and simulations. Additionally, the threats you may encounter can shift constantly, so it’s important to remain informed. In doing so, you can stay ahead of potential weaknesses and adapt to emerging threats. 

An incident response plan serves as a critical line of protection in the aftermath of a cybersecurity incident. Even in adverse conditions, you can assure your clients that your business responds with speed and precision to minimize negative implications on your clients.  

For more information about creating a Written Information Security Plan (WISP) as required by the IRS, refer to our cybersecurity resource page from an IRS National Tax Forums presentation earlier this summer by our very own Jared Ballew, 2022-2023 ETAAC Chair and VP for Government Relations for Drake Software. You can also see IRS Publication 5708. 

Choosing Secure Tax Software 

Selecting the right tax software is a pivotal step in fortifying your tax practice's cybersecurity. Exemplary tax software that focuses on security won’t neglect crucial components such as: 

  • Security Features 
  • Regular Updates 
  • Compliance 
  • Reputation 
  • User Training 
  • Integration 
  • Scalability 
  • Backup and Recovery 
  • User Access Controls 

Make an informed choice for tax software that not only enhances your tax preparation services, but also bolsters your business’ security. Read our blog on how to choose the best tax preparation software, or take the first step towards comprehensive cybersecurity with Drake Software today.  

To learn more about why Drake Software is so many of your colleagues’ choice for tax preparation, read how we ranked excellent in every category of the 2023 NATP Survey, or how we received top ratings for 11 categories in the Journal of Accountancy Survey. We can’t wait to be your tax preparation solution! 

Drake Software Blog Team

The Drake Software Blog Team is proud to cover the latest in tax-industry-related news, from tax law and IRS updates to technology and business strategies. If you have questions about an article or just want to reach out to our staff, email comments@taxingsubjects.com.