The IRS, state tax agencies and the tax industry are offering several important tips for how tax professionals can get started protecting their clients and their business from cybersecurity threats.
All tax practitioners, from the largest of firms to the smallest of offices, have a legal obligation to protect taxpayer information in their care. That means securing sensitive data from unauthorized disclosure, improper disposal and outright theft.
Explaining how to address security threats is part of the “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to learn to protect their clients and themselves from cybersecurity threats. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“More and more, we see the data held by tax professionals being targeted by national and international criminal syndicates that are highly sophisticated, well-funded and technologically adept,” said IRS Commissioner John Koskinen. “No tax practitioner today can afford to ignore cybersecurity threats or overlook putting in place strong safeguards.”
To get started, preparers can review IRS Publication 4557, Safeguarding Taxpayer Data, which outlines the practitioners’ legal obligations and offers a checklist to help create a security plan.
Most tax professionals are also small business operators. Recently, the Commerce Department’s National Institute of Standards and Technology (NIST) issued new guidance called Small Business Information Security: the Fundamentals. NIST sets cybersecurity frameworks that government agencies, including the IRS, follow.
Protecting Clients and Businesses from Cybersecurity Threats
The Security Summit coalition urges tax practitioners to fully review both Publication 4557 and NIST’s Small Business Information Security: the Fundamentals. Here’s a summary of key recommendations:
Publication 4557 initial steps for tax professionals:
- Take responsibility or assign an individual or individuals to be responsible for safeguards
- Assess the risks to taxpayer information in offices, including operations, physical environment, computer systems and employees
- Make a list of all the locations where taxpayer information is kept (computers, filing cabinets, bags and boxes taxpayers may bring in)
- Write a plan of how to safeguard taxpayer information. Put appropriate safeguards in place
- Use only service providers who have policies in place to also maintain an adequate level of information protection defined by the Safeguards Rule; and
- Monitor, evaluate and adjust security programs as business or circumstances change
NIST’s small business guide sets out its action items under five categories (Identify, Protect, Detect, Respond and Recover, the functions of the NIST Cybersecurity Framework) that can help tax practitioners:
Identify:
- Identify and control who has access to business information
- Conduct background checks
- Require individual user computer accounts for each employee
- Create policies and procedures for information security
Protect:
- Limit employee access to data and information
- Install surge protectors and uninterruptible power supplies (UPS)
- Patch operating systems and applications
- Install and activate software and hardware firewalls on business networks
- Secure wireless access points and networks
- Set up web and email filters
- Use encryption for sensitive business information
- Dispose of old computers and media safely
- Train employees
Detect:
- Install and update anti-virus, anti-spyware and other anti-malware programs
- Maintain and monitor logs
Respond:
- Develop a plan for disasters and information security incidents
Recover:
- Make full backups of important business data/information
- Make incremental backups of important business data/information
- Consider cyber insurance
- Make improvements to processes, procedures and technologies