‘Security Six’ - basic safeguards for tax professionals’ computers and email
The Internal Revenue Service and the Security Summit partners outlined critical steps for tax professionals to protect their computers and email as well as safeguard sensitive taxpayer data.
The “Security Six” protections fall into several major security categories. The Security Summit partnership urges tax professionals across the nation to avoid overlooking these basic security details as identity thieves increasingly target practitioners in search of valuable taxpayer data. Here are the 6 steps in brief:
1: Antivirus software
Although details may vary between packages, anti-virus software scans files or a computer’s memory for certain patterns that may indicate the presence of malicious software (i.e., malware). Anti-virus software (sometimes more broadly referred to as anti-malware software) looks for patterns based on the signatures or definitions of known malware. Anti-virus vendors find new and updated malware daily, so it is important that users have the latest updates installed on their computer, according to the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.
2: Firewalls
Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary network traffic and preventing malicious software from accessing the network. Firewalls can be configured to block data from certain locations or applications while allowing relevant and necessary data through, according to US-CERT.
3: Two-factor authentication
Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk.
Two-factor authentication helps by adding an extra layer of protection. Often two-factor authentication means the returning user must enter credentials (username and password) plus another step such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal the username and password but it’s highly unlikely they also would have a user’s mobile phone to receive a security code and complete the process.
4: Backup software/services
Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online, as part of a cloud storage service or similar product, or on an external disk, such as an external hard drive that now comes with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted.
5: Drive encryption
Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into files that are unreadable to an unauthorized person accessing the computer. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.
6: Data security plan
The Security Summit also reminds tax professionals of several other important steps. All professional tax return preparers must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Tax professionals also can get help with security recommendations and creating a data security plan by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.