Cyber attacks are on the rise. The IRS website states that every tax professional, whether independent or part of a firm, is a target. These thieves are highly sophisticated and well-funded. They’re after your clients’ data for a myriad of uses, not the least of which is to file fraudulent tax returns. Tactics include using email, phone, and direct hacking to gain access to your computers and your e-service passwords and to steal EFINs or CAF numbers.
The Federal Trade Commission regulations require tax professionals to develop and maintain up-to-date security plans to protect client data. It’s critical that you be thoroughly familiar with the legal requirements. Publication 4557, Safeguarding Taxpayer Data, details many steps tax preparers should take in order to protect their clients and themselves from data theft.
Company security plan
Create a written security plan using the Safeguarding Taxpayer Data and the Small Business Information Security publications. This plan should be updated regularly, as cybercriminals will be continually developing new ways to bypass the protections you have in place.
Technical security at all locations
Your technology has a multitude of entry points through which hackers and cybercriminals can get in. It is critical to have multiple overlapping security methods. These security measures must be on every device that accesses client or company data, including the home offices of employees. To list a few:
- Firewalls, anti-virus, anti-malware, and anti-spyware on all devices, including phones and tablets, that are updated automatically
- Strong passwords, changed regularly
- Encrypted drives, emails, and files that contain sensitive data
- Secure client portals and secure file sharing for the exchange of information between client and company as well as within the organization
- Proper disposal of all old devices that thoroughly destroys data in a secure manner
- Router protocols that include changing the default router name and administrative password and reducing the transmit power so the signal reaches only as far as needed
- Multi-factor authentication and a secure Virtual Private Network (VPN) for remote access to the office network
Some firms issue staff laptops, tablets, or phones that are used exclusively for business and never for personal use, in order to maintain a high level of security.
Thieves can also gain access to physical information. To limit the chances of unauthorized access, establish protocols for authenticating people who enter your office, with employee key cards, visitor logs, badges, or other controlled access procedures.
Additionally, keep private files in locked, secure filing cabinets, with the codes or keys limited to administrators who track where each document is. Client data should never be left open or unattended on desks.
All trash should be professionally shredded. Office shredders are insufficient for sensitive documents, which could be pieced back together by thieves who have much to gain and would be motivated to make the effort. Professional shredding services destroy documents far more thoroughly.
Employee training and education
Employees should all be fully trained in security policies and procedures and should receive frequent reviews. This education should include training on how to spot scammers and protocols regarding opening attached files or clicking on links.
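Training staff to spot scammers is easier when the tell-tale signs are concrete. The following is an added example, not code from the original article: a small Python checker, using only the standard library, that flags the indicators a tax office would teach its employees to look for in an incoming message (a reply address on a different domain, a sender domain imitating a trusted one, a display name claiming a trusted brand, an attachment of a risky file type, a link whose visible text does not match where it points, and pressure to act immediately). The two messages, the trusted-domain allowlist, and the `analyze` function are all constructed for this example.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of domains staff legitimately receive e-Services mail from;
# a real firm would maintain this list as part of its written security plan.
TRUSTED_DOMAINS = {"irs.gov"}
# Constructed list of attachment types a tax office has no reason to receive by email.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta",
                    ".iso", ".lnk", ".docm", ".xlsm"}
URGENCY = re.compile(r"\b(immediately|within 24 hours|will be suspended|act now)\b", re.I)
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOSTNAME = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def looks_like(domain: str, trusted: set) -> bool:
    """True when domain is not trusted but imitates one (irs-gov-verify.com ~ irs.gov)."""
    def squash(d: str) -> str:
        return re.sub(r"[.-]", "", d.lower())
    return domain not in trusted and any(squash(t) in squash(domain) for t in trusted)


def analyze(raw: str) -> list:
    """Return a list of human-readable phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(reply_to)[1]) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if looks_like(from_domain, TRUSTED_DOMAINS):
        findings.append(f"sender domain {from_domain} imitates a trusted domain")
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and any(
            re.search(rf"\b{b}\b", display_name, re.I) for b in brands):
        findings.append(f"display name '{display_name}' claims a trusted brand but sender is {from_domain}")

    # Attachments: judge by the final extension, which is what the OS will execute.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and os.path.splitext(filename)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment type: {filename}")

    # Links: the text a reader sees versus the host the browser will actually open.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in ANCHOR.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = HOSTNAME.search(anchor)
        if shown and shown.group(0).lower() not in host:
            findings.append(f"link text shows {shown.group(0)} but points to {host}")
    if URGENCY.search(re.sub(r"<[^>]+>", " ", text)):
        findings.append("urgency language pressuring immediate action")
    return findings


# Constructed sample messages (not real mail): one lure, one ordinary internal note.
SAMPLE_PHISH = """\
From: "IRS e-Services" <support@irs-gov-verify.com>
Reply-To: collect@mail-drop.example
To: preparer@example-cpa.com
Subject: EFIN suspension notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Your EFIN will be suspended within 24 hours.
Verify now: <a href="http://irs-gov-verify.com/login">https://www.irs.gov/e-services</a></body></html>
--b1
Content-Type: application/octet-stream; name="EFIN_Notice.pdf.exe"
Content-Disposition: attachment; filename="EFIN_Notice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane@example-cpa.com>
To: preparer@example-cpa.com
Subject: Q3 estimated payment schedule
Content-Type: text/plain; charset="utf-8"

The schedule is in the client portal. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_PHISH), ("internal", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no indicators"])
```

Each finding maps directly onto a training point: the checker is useful as a mail-gateway rule or as a way to generate examples for staff, but the same six questions are what an employee should ask before opening an attachment or clicking a link.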
Protecting your clients’ data during this time of high cyber threats can be very challenging, but with vigilance and regular attention, you can be confident that criminals, who generally look for easy targets, will leave your firm alone.