IR-2017-144, September 5, 2017
WASHINGTON – The IRS, state tax agencies and the tax industry today urged tax professionals to make data security an everyday priority, noting a few simple steps can go far in protecting taxpayer information from cybercriminals.
Cybersecurity experts often refer to the 90/10 rule. This rule states that 10% of cybersecurity is reliant upon technology; 90 percent is up to users. The IRS currently is receiving reports of tax professional data breaches at the rate of three to five a week, a level that requires immediate attention.
Making daily security a priority is part of the “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to work to protect their clients and themselves from cybersecurity threats. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“Tax professionals should not overlook the importance of protecting their systems and their data,” said IRS Commissioner John Koskinen. “Cybercriminals are increasingly targeting the tax community, and tax practitioners play a critical role in helping safeguard their client data as well as their own. Taking a few critical steps can help tax professionals avoid a devastating situation for their business and the taxpayers they serve.”
Data security within a tax professional’s office is only as strong as the least-informed employee. And, security awareness must extend beyond the office into homes. The IRS is aware of situations where a data breach of a tax preparer’s office began at the home of an employee working remotely.
Tax professionals – as well as the Security Summit partners – are matching wits and skills with highly-sophisticated, well-funded, technologically-adept criminal syndicates from the United States and around the world. Anyone who handles taxpayer information has an obligation under federal law to protect that information from unauthorized disclosure, improper disposal and outright theft.
Tax professionals should conduct ongoing education of office employees to combat daily threats, including spear phishing emails, business identity theft, account takeovers, ransomware attacks, remote takeovers, business email compromises and Electronic Filing Identification Number (EFIN) thefts.
Protecting Clients and Businesses by Making Data Security a Daily Priority
Practitioners also should review the NIST small business guide to learn not only what technological steps should be taken but also what everyday steps all employees should take. NIST, or the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, has been helping small businesses with information security since 2001. NIST also has recommendations on everyday activities tax professionals and employees can do to help keep businesses safe and secure. Some of these include:
- Be careful of email attachments and web links
- Do not click on a link or open an attachment that you were not expecting. If it appears important, call the sender to verify they sent the email and ask them to describe what the attachment or link is. Before you click a link (in an email or on social media, instant messages, other webpages), hover over that link to see the actual web address it will take you to. Train employees to recognize phishing attempts and who to notify when one occurs.
- Use separate personal and business computers, mobile devices and accounts
- As much as possible, have separate devices and email accounts for personal and business use. This is especially important if other people, such as children, use personal devices. Do not conduct business or any sensitive activities (like online business banking) on a personal computer or device and do not engage in activities such as web surfing, gaming, downloading videos, etc., on business computers or devices. Do not send sensitive business information to personal email addresses.
- Do not connect personal or untrusted storage devices or hardware into computers, mobile devices or networks.
- Do not share USB drives or external hard drives between personal and business computers or devices. Do not connect any unknown / untrusted hardware into the system or network, and do not insert any unknown CD, DVD or USB drive. Disable the “AutoRun” feature for the USB ports and optical drives like CD and DVD drives on business computers to help prevent such malicious programs from installing on the systems.
- Be careful downloading software
- Do not download software from an unknown web page. Be very careful with downloading and using freeware or shareware.
- Watch out when providing personal or business information
- Social engineering is an attempt to obtain physical or electronic access to business information by manipulating people. A very common type of attack involves a person, website or email that pretends to be something it’s not. A social engineer will research a business to learn names, titles, responsibilities and any personal information they can find. Afterwards, the social engineer usually calls or sends an email with a believable, but made-up, story designed to convince the person to give them certain information.
- Never respond to an unsolicited phone call from a company you do not recognize that asks for sensitive personal or business information. Employees should notify their management whenever there is an attempt or request for sensitive business information.
- Never give out usernames or passwords. No company should ask for this information for any reason. Also, beware of people asking what kind of operating system, brand of firewall, internet browser, or what applications are installed. This is information that can make it easier for a hacker to break into the system.
- Watch for harmful pop-ups
- When connected to and using the Internet, do not respond to popup windows requesting that users click “OK.” Use a popup blocker and only allow popups on trusted websites.
- Use strong passwords
- Good passwords consist of a random sequence of letters (upper case and lower case), numbers, and special characters. The NIST recommends passwords be at least 12 characters long. For systems or applications that have important information, use multiple forms of identification (called “multi-factor” or “dual factor” authentication).
- Many devices come with default administration passwords – these should be changed immediately when installing and regularly thereafter. Default passwords are easily found or known by hackers and can be used to access the device. The manual or those who install the system should be able to show you how to change them.
- Passwords should be changed at least every three months.
- Passwords to devices and applications that deal with business information should not be re-used.
- You may want to consider using a password management application to store your passwords for you.
- Conduct online business more securely
- Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner or upper left of the web browser window.
- Erase the web browser cache, temporary internet files, cookies and history regularly. Make sure to erase this data after using any public computer and after any online commerce or banking session. This prevents important information from being stolen if the system is compromised. This will also help the system run faster. Typically, this is done in the web browser’s “privacy” or “security” menu. Review the web browser’s help manual for guidance.
We all have a role.