You don’t leave your tax office unlocked after hours. And when clients are attending their appointments, you definitely don’t let them thumb through the filing cabinets before taking a seat in your office. After all, the community has entrusted you with their sensitive financial information. Keeping those physical tax documents safe is one very important part of the equation, but it’s also essential that you lock up clients’ digital information.
Data security can feel completely unapproachable to those who would otherwise consider themselves computer literate. Luckily, the IRS, state departments of revenue, and private members of the tax industry came together five years ago to create best practices for securing digital information. Ever since, the Security Summit has created written how-to guides and hosted annual outreach events to help taxpayers and tax professionals avoid falling victim to identity theft tax refund fraud scams.
What is the Security Summit annual event for 2020?
It’s no secret that 2020 forced a lot of unwelcome changes on everyone. The COVID-19 pandemic normalized social distancing and face masks, and a lot of people had to quickly navigate the pitfalls of remote work. (Heck, late-night comedians are still working from home due to restrictions on public gatherings.)
Since many tax professionals were forced out of their office during the 2020 filing season—and 2021 may start with statewide stay-at-home orders—the Security Summit understandably shifted gears to emphasize remote-work data security in this year’s five-week campaign: “Working Virtually: Protecting Tax Data at Home and at Work.”
This week, the Summit began the event by explaining the “Security Six.”
What is the Security Six?
The Security Six is a list of security products that help protect data from cybercriminals. From preventing malware infections to controlling network traffic, each tool works proactively to thwart a host of identity theft scams.
Here are the recommendations for 2020:
- Antivirus software
- Firewalls
- Multi-Factor Authentication (MFA)
- Drive Encryption
- External Backups
- Virtual Private Networks (VPNs)
You may be familiar with some of the items on this list—some popular antivirus products have been around since the late 80s and early 90s—but this could be the first time you’ve heard of a VPN. We’re going to break them down into two categories: prevention and mitigation. (We’re going to address the Security Six out of order, but stick with us!)
How does the Security Six prevent data theft?
Malware is a favorite tool for identity thieves, since it can be used to record keystrokes, steal files, hijack access to the infected device, and carry out a whole host of other nastiness. Antivirus programs directly protect against malware by identifying and quarantining these programs before they can take root (though you have to keep your antivirus program updated, and you need to use both regularly scheduled and spot-check manual scans). Firewalls take an indirect approach by acting as a crossing guard for inbound Internet traffic, which can prevent bad actors from accessing your computer or network in the first place.
Unfortunately, cybercriminals are pretty good at their job. Once they know your email address or username (which shouldn’t be your email address, if you are able to choose it), they only need to suss out your password to access your computer or online account—unless, of course, you’re using multi-factor authentication.
If you’ve ever made a Gmail, Hotmail, or Yahoo email account, you’re probably familiar with MFA. These services generally prompt you to add a text-message verification code to log into your account, which is one of the more common forms of MFA. Think of it this way: Your password is a single authentication factor, so requiring another piece of user-entered information makes your accounts that much more difficult to crack.
How does the Security Six help mitigate the damage from a data breach?
Ransomware attacks like WannaCry are becoming more frequent, and they can be devastating for victims. This malware locks users out of their computers by encrypting installed files and demanding a ransom—usually paid in virtual currency, like Bitcoin—for the decryption key (sort of like a digital decoder ring). Files that are encrypted cannot be read without the key that will restore access.
Imagine what happens if you’re hit with this type of scam in the middle of filing season: Your tax preparation software, client lists, and all other installed files are basically held hostage until you pony up. Unfortunately, there are two problems.
- There is no guarantee that the criminals will actually unlock your system after receiving payment.
- The criminals probably stole all your files regardless of how you proceed.
External backup services render the first threat meaningless. You don’t have to worry about accessing your files, because you can restore them using the external backup. When you use an external backup, your data is regularly stored on an external hard drive or cloud-based service. That said, you can also use encryption to your advantage.
Drive encryption protects your files from prying eyes by requiring a key that you control. While that service is good for locally stored data, Virtual Private Networks apply that concept to the information you send and receive online. The IRS says that VPNs are “critical for practitioners who work remotely,” and you can find them by “[searching] for ‘Best VPNs’ to find a legitimate vendor … [or checking] major technology sites.”
Finally, the IRS says that reaching out to your insurance company may be the best way to start using the Security Six. “All tax professionals also should review their professional insurance policy to ensure the business is protected should a data theft occur,” they explain. “Some insurance companies will provide cybersecurity experts for their clients … [who] can help with technology safeguards and offer more advanced recommendations.”
Remember, identity thieves will shamelessly use any crisis to develop and deploy a scam. That’s why we have to work together and spread the word about data security.
Source: IR-2020-167