8/4/2021
There are several security measures that should be used by tax professionals and taxpayers alike to protect their sensitive data:
![data protection](https://static.wixstatic.com/media/a27d24_0a5e5614ae7141afa8664ccc8507532a~mv2.jpg/v1/fill/w_640,h_452,al_c,q_80,enc_auto/a27d24_0a5e5614ae7141afa8664ccc8507532a~mv2.jpg)
Multi-factor authentication. Multi-factor authentication, also known as two-factor authentication, allows the use of another feature, such as a security code sent to a mobile device, a PIN or a fingerprint, in addition to a username and password. When thieves try to steal usernames and passwords, they won't be able to access accounts without that additional multi-factor feature. Multi-factor authentication is available on all online tax software products, in commercial email products and from cloud storage providers.
Anti-virus software. Anti-virus software, also known as anti-malware software, scans existing files, drives or a computer's memory for patterns that indicate the presence of malicious software, based on the signatures or definitions of known malware.
Keep anti-virus software set to automatically receive the latest updates so that it is always current. Anti-virus vendors find new and updated malware daily, so it is important that users have the latest updates installed on their computer, according to the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.
Once you have installed anti-virus software, you should scan your entire computer periodically. Most anti-virus software can be configured to automatically scan specific files or directories in real time and prompt users at set intervals to perform complete scans. If it doesn't automatically scan new files, you should manually scan files and media received from outside sources by saving and scanning email attachments or web downloads rather than opening them directly, and by scanning portable media such as CDs and DVDs before opening the files.
When choosing anti-virus software, read about its features so you know what to expect. Some software will produce a dialog box with an alert that it has found malware and ask whether you want it to “clean” the file (to remove the malware); other software may attempt to remove it without asking first.
Firewalls. Firewalls shield digital devices from external attacks.
Firewalls provide protection against outside attackers by shielding a computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing systems. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data to pass through, according to CISA.
Firewalls may be broadly categorized as hardware or software. While both have their advantages and disadvantages, the decision to use a firewall is far more important than deciding which type to use:
- Hardware – Typically called network firewalls, these external devices are positioned between a computer and the internet (or another network connection). Hardware-based firewalls are particularly useful for protecting multiple computers and controlling the network activity that attempts to pass through them.
- Software – Most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall. Firewall software can also be obtained as separate software from a local computer store or software vendor. If downloading firewall software from the internet, make sure it is from a reputable source (such as an established software vendor or service provider) and offered via a secure website.
While properly configured firewalls may be effective at blocking some cyber-attacks, don't be lulled into a false sense of security. Firewalls do not guarantee that a computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (malware), and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures (such as anti-virus software and safe computing practices) will strengthen resistance to attacks.
Anti-virus software and firewalls cannot protect data if employees fall for email phishing scams and divulge sensitive data, such as usernames and passwords. The Summit reminds the tax community that users, not the software, are the first line of defense in protecting taxpayer data.
Backup software/services. Making a copy of files can be crucial, especially if you become a victim of a ransomware attack. Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online, as part of a cloud storage service or similar product, or on an external disk, such as an external hard drive with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted – for the safety of the taxpayer and the tax pro.
Drive encryption. Drive encryption secures computer locations where sensitive files are stored, making data in the files unreadable to unauthorized users. Given the sensitive client data maintained on tax practitioners' computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into files that are unreadable to an unauthorized person who accesses the computer to obtain data. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.
Virtual Private Networks (VPNs). A VPN provides a secure, encrypted tunnel to transmit data over the internet between a remote user and the company network. As teleworking or working from home continues during the coronavirus pandemic, VPNs are more critical than ever to protect and secure internet connections from remote takeovers by cyberthieves. Criminals can gain access to an entire office network by accessing just one employee's remote internet connection. If you can't afford a cybersecurity expert, you can search for "Best VPNs" to find legitimate vendors, or browse major technology sites that provide lists of top services. Never click on a pop-up ad marketing security products, as those are typically scams.
Some tips for VPNs from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA):
- Set VPNs to automatically update network infrastructure devices and devices used to log in remotely to work environments with the latest software patches and security configurations.
- Require teleworkers to use strong passwords.
- Implement multi-factor authentication on all VPN connections to increase security.
- IT security personnel should test VPN limitations to prepare for mass usage and implement modifications such as rate limiting to prioritize users that will require higher bandwidths.
Client information stolen from tax professionals' offices is used to create fraudulent tax returns that are difficult to detect because the identity thief is using real financial data. While federal law requires all professional tax preparers to create and implement a data security plan, the IRS also recommends that they create a data theft response plan, which includes contacting the IRS Stakeholder Liaisons to report a theft.
Resources:
- Publication 4557, Safeguarding Taxpayer Data
- Publication 5293, Data Security Resource Guide for Tax Professionals
- Publication 4524, Security Awareness for Taxpayers
- Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology