Cybersecurity 101 - From Victimized Tax Pros
Tips from victimized tax professionals can help you better protect against cyberattacks.
As cybercriminals continue to prey on tax professionals’ data, the
Security Summit — a partnership between the IRS, states, and the
private-sector tax community — is sharing some lessons learned
by victimized tax professionals in hopes of helping others avoid
being cybercrime targets.
In recent years, hundreds of tax professionals experienced data
thefts or security breaches that exposed their clients’ personal
information to cybercriminals and tax-related identity thieves, warns
the Security Summit.
Thieves use stolen data from tax professionals and their firms to
create fraudulent returns that are becoming harder to detect and
distinguish from legitimate taxpayer returns, meaning CPAs and
their firms must be especially vigilant if they want to defend against
a devastating data loss.
Below, the Security Summit offers insights from victimized tax
professionals to help you better protect against cyberattacks.
Lesson 1: Get cyber insurance
Tax professionals who’ve been victimized by cybercriminals say
they either were glad they had, or wish they had, insurance
coverage for data loss.
While it’s common to maintain business insurance policies that
cover property and liability, data thefts often go overlooked. Cyber-specific
coverage for data breaches also needs a special look.
This may require an addendum or rider to your current policy or
an entirely separate one.
It’s suggested that the dollar amount of the policy be large enough
to cover all expenses. Also look for insurance companies
and/or coverage that provide experts who will assist in setting up
safeguards, identifying the source of a data breach, and
resolving it if one occurs.
Another recommendation: If you’re using a cloud storage solution,
ask the provider about cyber insurance coverage in case their
systems are breached.
Lesson 2: Password-protect client accounts
This could be a critical safeguard against cyberthieves. Tax
professionals who have experienced data thefts acknowledge that
protecting each individual client account with a unique password
can be a hassle, but it’s worth the trouble should a breach occur,
and many tax software solutions are making this easier to manage.
Further, strong passwords can help prevent or slow cybercriminals
from accessing computer systems and accounts. Passwords
should be a mix of a minimum of eight letters, special characters,
Lesson 3: Use a virtual private network (VPN)
This may require help from your IT team, but tax professionals who
have fallen victim to cybercriminals say they wish they had used a
virtual private network (VPN) instead of remote access software
when working offsite. A VPN allows teleworkers or branch
offices to securely connect to the firm’s central computer system
to send and receive information.
Why avoid remotely accessing your work computer system? The
Security Summit warns of cases where cybercriminals have taken
over remote access of tax professionals’ computer systems,
accessing client accounts via the hijacked computers,
completing and e-filing pending returns, and changing direct
deposit information to their own accounts.
Lesson 4: Keep security software updated
Tax professionals who experienced data thefts warn colleagues to
keep all security software current. This includes the computer
operating system, anti-malware and anti-virus software, firewalls,
etc. While most computers come with security software installed,
you can purchase additional security software products relevant
to your specific practice and uses. To make managing updates
easier, set all software to update automatically.
In addition to these lessons, the Security Summit reminds all tax
professionals that they must have a written data security plan as
required by the Federal Trade Commission and its Safeguards Rule.
The IRS has a variety of security resources available,
including Publication 4557, “Safeguarding Taxpayer Data,” and
Publication 5293, “Data Security Resource Guide for Tax Professionals,”
which provides a compilation of data theft
information and is available on IRS.gov.