Tax Firm Cybersecurity Checklist

Is your tax firm cybersecure? Are you following the best practices that keep your business and client information protected? Cybercriminals are on the prowl, and no matter what the IRS and the tax software vendors do, attackers keep looking for a way in. Last summer the IRS ran its "Don't Take the Bait" educational series on how to avoid phishing scams. This summer it released the Taxes-Security-Together Checklist to help tax professionals be as cybersecure as possible. Here's a recap.

Deploy the “Security Six” measures

There are some very basic best practices everyone should be following to avoid a security breach. The IRS calls this the “Security Six.” Here’s a look at what they are and how to adhere to them.

  1. Activate anti-virus software: Install anti-malware/anti-virus software on every laptop, desktop, tablet and phone that touches client data, and keep both the software and its signatures set to update automatically. Routers cannot run anti-virus; keep their firmware updated instead.
  2. Use a firewall: A firewall acts as a digital wall that keeps unwanted parties from connecting to your network or your computers. Keep the firewall on your office router and the host firewall built into each operating system turned on; one does not replace the other.
  3. Opt for two-factor authentication: Two-factor authentication adds a layer of protection beyond the password. The user enters their credentials (username and password) plus a second step, such as a code from an authenticator app or a security code sent by text to a mobile phone. Turn it on for your tax software, your e-mail and your IRS e-Services account; an authenticator app or hardware key is stronger than a text message, which can be intercepted if a phone number is hijacked.
  4. Use backup software/services: Back up sensitive data to a safe, secure external source that is not connected to the network full time, so that ransomware on the network cannot reach it. Encrypt the backups, and test a restore periodically; a backup you have never restored is not a backup.
  5. Use drive encryption: Full-disk encryption (BitLocker on Windows, FileVault on macOS) scrambles everything stored on the drive so that someone who steals or finds the computer cannot read the data without the key or password.
  6. Create and secure Virtual Private Networks: A VPN provides a secure, encrypted tunnel for data travelling over the Internet between a remote user and the office network. It protects the data in transit; it does not protect a laptop that is itself infected, so the other five measures still apply to every remote device.
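Three of the six measures (anti-virus, firewall and drive encryption) can be verified on a Windows workstation in a few lines. The script below is an added example written for this recap; it is not from the IRS publications or from any tax software vendor. It assumes Windows 10/11 with Microsoft Defender, Windows Firewall and BitLocker, and must be run from an elevated (Administrator) PowerShell session; firms using a third-party anti-virus or encryption product will need that product's own status command instead.

```powershell
# Added example: a local audit of Security Six items 1, 2 and 5 on one Windows PC.
# Assumptions: Microsoft Defender, Windows Firewall and BitLocker; elevated session.
# Anything that needs attention is collected in $findings and printed at the end.

$findings = @()

# 1. Anti-virus: Defender must be enabled with real-time protection and recent signatures.
try {
    $av = Get-MpComputerStatus -ErrorAction Stop
    if (-not $av.AntivirusEnabled -or -not $av.RealTimeProtectionEnabled) {
        $findings += "Anti-virus: Microsoft Defender is not enabled with real-time protection"
    }
    if ($av.AntivirusSignatureAge -gt 3) {
        $findings += "Anti-virus: signatures are $($av.AntivirusSignatureAge) days old; automatic updates may be off"
    }
} catch {
    # Defender cmdlets are unavailable when another product has taken over; check that product manually.
    $findings += "Anti-virus: could not query Microsoft Defender ($($_.Exception.Message)); check your anti-virus product manually"
}

# 2. Firewall: all three profiles (Domain, Private, Public) should be enabled.
foreach ($fwProfile in Get-NetFirewallProfile) {
    if (-not $fwProfile.Enabled) {
        $findings += "Firewall: the $($fwProfile.Name) profile is disabled"
    }
}

# 5. Drive encryption: every BitLocker volume should be fully encrypted with protection turned on.
try {
    foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
        if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
            $findings += "Encryption: volume $($vol.MountPoint) is $($vol.VolumeStatus) with protection $($vol.ProtectionStatus)"
        }
    }
} catch {
    $findings += "Encryption: BitLocker cmdlets unavailable ($($_.Exception.Message)); confirm drive encryption manually"
}

if ($findings.Count -eq 0) {
    Write-Host "Security Six checks 1, 2 and 5: no findings on $env:COMPUTERNAME"
} else {
    Write-Host "Findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Run it on each workstation and laptop in the office, not just the one you sit at; the device that fails is usually the one nobody remembers. Items 3, 4 and 6 (two-factor authentication, offline backups and the VPN) live in your accounts and services rather than on one machine, so they are checked by logging in and by actually restoring a file from backup.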

Create a data security plan

The “Security Six” measures are only the basics. If you really want to ensure your business and its information is protected, you need a written data security plan. This is not just a recommendation: under the FTC Safeguards Rule (part of the Gramm-Leach-Bliley Act) every professional tax preparer is federally required to have one.

Tax preparers are asked to focus on key areas such as employee management and training; information systems; and detecting and managing system failures. Your security plan should include the following:

  • Identify and control who has access to your business and client information
  • Make a plan for protecting that information through access controls and safeguards, including protection from corruption and loss
  • Deploy detection software, such as anti-virus and anti-spyware/anti-malware programs, and keep it updated
  • Develop a plan for disasters and information security incidents
  • Make sure you have more than one way to recover data in the event of a disaster or incident

IRS Publication 4557 (Safeguarding Taxpayer Data) and NIST’s Small Business Information Security: The Fundamentals are great resources to refer to when developing your data security plan.

Educate yourself on phishing scams

There are so many scams out there. Are you keeping up? Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by posing as a trustworthy entity in an electronic communication. The scams run the gamut from very obvious to very sophisticated, and in a tax firm they often arrive as a “client” e-mailing documents, a “software vendor” asking you to re-verify your login, or an “IRS” notice. If you’re not aware of how they work, familiarize yourself with the IRS Don’t Take the Bait 10-part series. If you want the short version, we’ve got a recap on our blog.

Recognize the signs of client data theft

Data theft can happen right under your nose. Even if you’ve done everything to secure your data, your clients may still fall victim to a scam, and sometimes the first sign that your own firm has been compromised shows up in their mailbox. Common clues that something is wrong include:

  • Clients receive IRS letters about suspicious tax returns filed in their name
  • More returns have been filed under your Electronic Filing Identification Number (EFIN) than you actually submitted (check the count in your e-Services account regularly)
  • Clients receive tax transcripts they did not request

IRS Publication 5923 has more on the warning signs.

Create a data theft recovery plan

If a data breach occurs, it is critical that you act as quickly as possible. These are the first, and most important, steps to take:

  • Contact your local IRS stakeholder liaison immediately, so the IRS can block fraudulent returns filed in your clients’ names
  • Assist the IRS in protecting your clients
  • Engage a cybersecurity expert to determine how the breach happened and stop the ongoing theft

For more on what to do in the event of data theft, refer to the IRS Data Theft Information.

As tax professionals, it is our responsibility to do our due diligence in protecting taxpayer information. Following these best practices will start you off on the right foot, but beyond them it’s crucial that you stay vigilant and keep up with the latest scams and cybersecurity trends.