IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online
Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.
The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.
In the first of a five-part weekly series, the initial step on the checklist involves the “Security Six” protections. These steps fall into several major security categories.
“These six steps are simple actions that anyone can take,” said IRS Commissioner Chuck Rettig. “The important thing to remember is that every tax professional, whether a sole practitioner or a partner in a large firm, is a potential target for cybercriminals. No tax business should assume they are too small or too smart to avoid identity thieves.”
Although the Security Summit – a partnership between the IRS, states and the private-sector tax community – is making major progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices continue. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.
The Security Summit partnership urges tax professionals across the nation to remember these basic steps to help in the battle against identity theft.
Deploy the ‘Security Six’ steps for basic protections
The following are the basic protections that everyone, especially tax professionals handling sensitive data, should deploy:
Sometimes the software will produce a dialog box with an alert that it has found malware and ask whether users want it to “clean” the file (to remove the malware). In other cases, the software may attempt to remove the malware without asking first.
When selecting an anti-virus package, users should learn about its features, so they know what to expect. Keep security software set to automatically receive the latest updates so that it is always current.
A reminder about spyware, a category of malware intended to steal sensitive data and passwords without the user’s knowledge: Strong security software should protect against spyware. But remember, never click links within pop-up windows, never download “free” software from a pop-up, never follow email links that offer anti-spyware software. The links and pop-ups may be installing the spyware they claim to be eliminating.
A reminder about phishing emails: A strong security package also should contain anti-phishing capabilities. Never open an email from a suspicious source, click on a link in a suspicious email or open an attachment. Otherwise, you could become a victim of a phishing attack, and your data and your clients’ data could be compromised.
While properly configured firewalls may be effective at blocking some cyber-attacks, don’t be lulled into a false sense of security. Firewalls do not guarantee that a computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (malware), and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures (such as anti-virus software and safe computing practices) will strengthen resistance to attacks.
The Security Summit reminds tax pros that anti-virus software and firewalls cannot protect data if computer users fall for email phishing scams and divulge sensitive data, such as usernames and passwords. The Summit reminds the tax community that users, not the software, are the first line of defense in protecting taxpayer data.
The use of two-factor authentication and even three-factor authentication is on the rise, and tax preparers should always opt for multi-factor authentication protection when it is offered, whether on an email account, a tax software account or any password-protected product.
IRS Secure Access, which protects IRS.gov tools including e-Services, is an example of two-factor authentication.
Tax pros can check their email account settings to see if the email provider offers two-factor protections.
How to get started with the ‘Security Six’
All tax professionals also should review their professional insurance policy to ensure the business is protected should a data theft occur. Some insurance companies will provide cybersecurity experts for their clients. These experts can help with technology safeguards and offer more advanced recommendations. Having the proper insurance coverage is a common recommendation from tax professionals who have experienced data thefts.
Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology. Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.
The Taxes-Security-Together Checklist
During this special Security Summit series, the checklist highlights these key areas for tax professionals: