Cybersecurity 101 - From Victimized Tax Pros

Tips from victimized tax professionals can help you better protect against cyberattacks. By Derrick Lilly | Fall 2018



As cybercriminals continue to prey on tax professionals’ data, the Security Summit — a partnership between the IRS, states, and the private-sector tax community — is sharing some lessons learned by victimized tax professionals in hopes of helping others avoid being cybercrime targets.

In recent years, hundreds of tax professionals experienced data thefts or security breaches that exposed their clients’ personal information to cybercriminals and tax-related identity thieves, warns the Security Summit.

Thieves use stolen data from tax professionals and their firms to create fraudulent returns that are becoming harder to detect and distinguish from legitimate taxpayer returns, meaning CPAs and their firms must be especially vigilant if they want to defend against a devastating data loss.

Below, the Security Summit offers insights from victimized tax professionals to help you better protect against cyberattacks.

Lesson 1: Get cyber insurance

Tax professionals who’ve been victimized by cybercriminals say they either were glad they had, or wish they had, insurance coverage for data loss.

While it’s common to maintain business insurance policies that cover property and liability, data thefts often go overlooked. Cyberspecific coverage for data breaches also needs a special look. This may require an addendum or rider to your current policy or an entirely separate one.

It’s suggested that the dollar amount of the policy be large enough to cover all expenses. But also look for insurance companies and/or coverage that provides experts that will assist in setting up safeguards and identifying the source of the data breach and resolving it if one occurs.

Another recommendation: If you’re using a cloud storage solution, ask the provider about cyber insurance coverage in case their systems are breached.

Lesson 2: Password-protect client accounts

This could be a critical safeguard against cyberthieves. Tax professionals who have experienced data thefts acknowledge that protecting each individual client account with a unique password can be a hassle, but it’s worth the trouble should a breach occur, and many tax software solutions are making this easier to manage.

Further, strong passwords can help prevent or slow cybercriminals from accessing computer systems and accounts. Passwords should be a mix of a minimum of eight letters, special characters, and numbers.

Lesson 3: Use a virtual private network (VPN)

This may require help from your IT team, but tax professionals who have fallen victim to cybercriminals say they wish they had used a virtual private network (VPN) instead of remote access software when working offsite. A VPN allows for teleworkers or branch offices to securely connect to the firm’s central computer system to send and receive information.

Why avoid remotely accessing your work computer system? The Security Summit warns of cases where cybercriminals have taken over remote access of tax professionals’ computer systems, accessing client accounts via the highjacked computers, completing and e-filing pending returns, and changing direct deposit information to their own accounts.

Lesson 4: Keep security software updated

Tax professionals who experienced data thefts warn colleagues to keep all security software current. This includes the computer operating system, anti-malware and anti-virus software, firewalls, etc. While most computers come with security software installed, you can purchase additional security software products relevant to your specific practice and uses. To make managing updates easier, set all software to update automatically.

In addition to these lessons, the Security Summit reminds all tax professionals that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. The IRS has a variety of security resources available, including Publication 4557, “Safeguarding Taxpayer Data,” and Publication 5293, “Data Security Resource Guide for TaxProfessionals,” which provides a compilation of data theft information and is available on IRS.gov.