The IRS has created a “Taxes-Security-Together” checklist to help accountants and tax preparers stay compliant. Should your business follow suit?
It’s tax season, which means businesses around the country are pulling together their financial documents and submitting statements to their accountants. These documents are rich in sensitive information that can be exploited by identity thieves or others attempting to commit tax fraud.
Tax preparers and CPAs have many compliance regulations to meet to protect private information. Because security standards are still unfamiliar to many professionals, the IRS recently released a “Taxes-Security-Together” checklist to help those in the tax industry achieve and maintain compliance.
As more businesses have followed these protocols, incidents of cybercrime and identity theft have decreased. According to IRS data, the number of taxpayers who reported identity theft to the IRS fell 71% from 2015 to 2018. In that same time period, the number of confirmed identity theft returns blocked by the IRS fell by 54%.
While the checklist is designed primarily for professionals in the tax preparation industry, many of these principles are important for private businesses to follow as well. Here’s what you need to know for your own business.
1. Follow “security six” protocols.
The IRS Security Summit identified six critical areas where businesses can begin to protect themselves from security threats that might lead to tax fraud. These six measures include:
Deploy anti-virus software.
Anti-virus software is designed to identify, quarantine, and remove any suspicious programs on your computer. It is a basic step to preventing computer viruses and malware from running unchecked within your system.
Activate your firewall.
A firewall limits the sources from which documents, files, or programs can be downloaded and installed on your computer. It is not uncommon for malware to be embedded in a link such that a user might inadvertently begin a download while browsing the internet. Firewalls prevent this from happening.
Set up two-factor authentication.
Password security is a perennial fail point for many businesses. You may already be familiar with two-factor authentication if you have ever entered your password and then been asked to enter a temporary secondary PIN, either from an authenticator app or sent to you via email or text message. Requiring this second authentication factor makes it substantially more difficult for someone to break into your account.
Back up software and devices.
The goals of hackers vary considerably, from data thieves who want access to as much user information as possible, to those who want to hold your data ransom, to those who just want to cause chaos. Ransomware attacks have become more prominent in recent years, but they can be thwarted through frequent data backups.
Employ drive encryption.
Drive encryption—otherwise known as encryption at rest—means that even if a hacker were able to obtain data from your drive, it would be inaccessible without the appropriate decryption keys.
Create and secure VPNs.
A Virtual Private Network (VPN) allows users to use public networks (the Internet) to securely share information between computers as if those computers were linked via a private network. It is safer and more direct than other data-sharing solutions.
2. Create a data security plan, including a data theft recovery plan.
Planning for security should encompass more than the above steps. If you think of your data security like securing your house, then the above steps cover basic measures such as “lock the door” and “install a security system.” However, every business is different and will have unique requirements. Just as a home in Florida needs a special contingency plan for hurricanes, your business will have its own requirements.
Your security plan should identify sensitive information, describe how that information will be protected, and include an assessment of risk factors. Your business should also create a recovery plan in case the worst happens. In any crisis, time is of the essence. Having a plan in place to respond to the data theft, recover compromised data, and alert affected parties is essential for limiting the damage caused.
3. Educate your staff about common security threats.
Human error is one of the largest and most consistent factors when it comes to security leaks. Employees indiscreetly downloading programs from the Internet, mistakenly providing passwords to phishing schemes, or sending important documents over insecure channels are some of the most common vulnerabilities in even highly secure organizations.
Because the human element is so common, employee training in appropriate security measures can go a long way in preventing error—and in helping employees identify and report errors when they occur.
4. Be alert to spot the signs of a possible security breach.
Many of the most damaging security breaches have succeeded by being hard to spot. The longer a security breach goes undetected, the more information is likely to be leaked. There are several signs that your system may have a virus that are relatively easy for a user to spot. For instance, if you continually have to close down strange pop-up windows, if your computer is running very slowly and crashing frequently, or if programs aren’t behaving the way they should be, it may be a sign that your system is infected.
However, some viruses run under the radar and are harder to spot without dedicated breach detection software. Breach detection software is designed to search for suspicious programs that are moving or modifying files in an unusual way, that are sending data to an outside source, or that are attempting to access protected files or high-level user controls. Again, detecting these programs early can prevent significant problems down the road.
When it comes to tax security, no one is beyond the threat of a data breach.
When it comes to digital security, your secret enemy is complacence. Believing that your business is too small to be a target—or that your large business is secure enough to withstand any threat—will undermine your security from the start, making it that much easier for malicious actors to discover and exploit vulnerabilities in your system. This is why maintaining strict security protocols is essential for businesses—and for the tax preparers and CPAs with whom they entrust their financial information.
Most data breaches are initiated by bots or through digital viruses that can probe thousands of sites across the Internet at a time. The purposes of these hacks range from stealing digital information, to holding sites for ransom, to planting viruses that can further compromise other systems.
As information security practices evolve, so do the threats deployed by data thieves and other bad actors. Staying ahead of the curve is the best way to protect your business and your clients. If you need assistance in achieving any of these security measures, or if you have industry-specific compliance standards to meet, contact us. We specialize in helping businesses achieve the security standards they need to protect their operations.