IRS Releases Part 3 of a Five-Part Security Summit Tips for Tax Professionals

On August 6, 2020, the Internal Revenue Service (IRS), in partnership with the Security Summit, issued the third part of its five-part series providing tips for tax professionals to thwart cyber-security attacks during COVID-19. This week the advice focused on virtual private networks (VPNs). A VPN ensures your location stays private, your data is encrypted, and you can surf the web anonymously.

To understand how a VPN works, it is important to understand the basic transaction that occurs when individuals browse the internet. For example, when an individual types http://www.google.com in their browser, they are entering the website’s domain name. A domain name is the name that designates the website’s IP address. Every computer and device accessing the internet also has an IP address. When an individual types http://www.google.com into their internet browser, they are sending their data across the internet until it reaches the server. That server then translates the data and sends back the website that the individual has requested to visit. During these transactions, however, individuals are not only sending requests to visit various websites; they are also sending out their computer’s IP address and other information. This gives hackers the potential to intercept a person’s information. The use of a VPN will protect an individual’s information from being intercepted. A VPN creates a tunnel that encrypts information. A VPN is essential for any business because it provides a safe way to transmit data over the Internet between a remote user and the business network.

Chuck Rettig, the IRS Commissioner, noted that “We continue to see tax pros fall victim to attacks every week. Failure to use VPNs risks remote takeovers by cyberthieves, giving criminals access to the tax professional’s entire office network simply by accessing an employee’s remote internet.”

However, finding a legitimate vendor to purchase a VPN from can be difficult. Carefully review various companies that offer VPN services and be sure to choose a service that includes all the capabilities that will meet your needs.

And, while not stated in the IRS’s tip for this week, it is also important to know that while a VPN is necessary, it is not a magical privacy shield that will completely insulate any company from vulnerabilities to cyberattacks. For example, a VPN cannot protect you against a website setting a tracking cookie on your device that will then alert other websites about you. A VPN also cannot protect you against a website that sells your email address to a third-party data broker.

Lastly, the IRS tip for this week also includes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) advice regarding VPNs:

  • Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and security configurations.
  • Alert employees to an expected increase in phishing attempts.
  • Ensure information technology security personnel are prepared to ramp up these remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
  • Implement multi-factor authentication on all VPN connections to increase security. If multi-factor is not implemented, require teleworkers to use strong passwords.
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.

As always, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in Publication 4557, Safeguarding Taxpayer Data (PDF), as well as the National Institute of Standards and Technology’s (NIST) Small Business Information Security: The Fundamentals (PDF).

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

IRS Releases Part 2 of a Five-Part Security Summit Tips for Tax Professionals

On July 28, 2020, the Internal Revenue Service (IRS), in partnership with the Security Summit, issued the second part of its five-part series providing tips for tax professionals to thwart cyber-security attacks during COVID-19. The second tip is for tax professionals to use multi-factor authentication to protect client accounts. The notice also provides a reminder that beginning in 2021, all tax software providers will be required to offer multi-factor authentication options on their products that “meet higher standards.”

Multi-factor authentication, sometimes referred to as two-factor authentication, requires authentication factors beyond just entering a password to verify a user’s identity. Two-factor authentication requires the user to provide their password and complete an additional step to access their account. Sometimes, a user will receive a text message with a one-time password, or perhaps the user is asked a knowledge-based question that they previously set up, such as “what is your mother’s maiden name.” However, given the sophistication of cyber-criminals’ ability to exploit known weaknesses in passwords, two-factor authentication is not always foolproof. An example of a stronger multi-factor authentication process would be one where the user has to input their password and then has to provide a biometric sign-in, such as a fingerprint scan, voice recognition, or facial recognition. In this second example, the multi-factor authentication creates a more robust defense against unauthorized access due to the uniqueness of the biometric authentication.

Part two in this series also references easy ways for tax professionals to download authentication apps offered through Google Play and the Apple Store. Use a search engine for “Authentication apps” to learn more. The guidance reminds tax professionals to incorporate multi-factor authentication with all accounts, including cloud storage providers, as well as social media outlets.

Lastly, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in Publication 4557, Safeguarding Taxpayer Data (PDF), as well as the National Institute of Standards and Technology’s (NIST) Small Business Information Security: The Fundamentals (PDF).

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC

IRS Releases Part 1 of a Five-Part Security Summit Tips for Tax Professionals

On July 21, 2020, the IRS and Security Summit partners issued specific guidance to assist tax professionals with implementing basic security measures. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to remain in a heightened state of alertness as cybercriminals remain active during COVID-19 and prey on vulnerabilities during this time. The IRS, state tax agencies and the nation’s tax industry created a five-part series called Working Virtually: Protecting Tax Data at Home and at Work.

Because many tax professionals are working from home, this five-part series is designed to walk practitioners through various strategies to assess and secure their home and office data. The first recommendation, released on July 21, outlines six basic security steps, the “Security Six,” that every tax professional should take whether they are working in the office or remotely. This series will continue each Tuesday and end on August 18.

The “Security Six” protections that everyone, especially tax professionals handling sensitive data, should use are:

  1. Anti-virus software. It is essential that professionals purchase anti-virus software that scans computer files or memory for certain patterns that can indicate the presence of malicious software, also known as malware. Tax professionals should educate themselves on the type of anti-virus software, also called an anti-malware software package, that they purchase. Additionally, it is best practice to configure the anti-virus software so that it automatically scans specific files or directories in real time, rather than relying on the individual to perform their own manual scan. Tax professionals also should keep security software set to automatically receive the latest updates to ensure it is always current.

While anti-virus software should protect against spyware, a type of malware that steals sensitive data and passwords without the user’s knowledge, individuals should never:

  • click links within pop-up windows, nor
  • download “free” software from a pop-up, nor
  • follow links that offer anti-spyware software.

This advice also pertains to phishing emails. Never open an email from a suspicious source, click on a link in a suspicious email or open an attachment.

  2. Firewalls. Firewalls provide protection against outside attackers by shielding a computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing systems. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data to pass through, according to CISA.

Properly installing a firewall is not foolproof, however. Cybercriminals love phishing; don’t become the bait! Firewalls cannot protect data if an employee clicks on a link sent in a scam email or text message, or accidentally installs malware. Stay vigilant when scanning emails and text messages, and make sure your employees are also aware of phishing and malware.

  3. Two-factor authentication. Two-factor authentication is a free security feature that gives a user an extra layer of protection from being hacked, even if a cybercriminal obtains access to a user’s password. That is because, in addition to entering the password, a user is prompted to enter a security code sent via text message.

Two-factor authentication is a basic security feature all professionals must use. Three-factor authentication is even in use. Tax software providers, email providers and others that require online accounts now offer customers two-factor authentication protections to access email accounts. Using the two-factor authentication options offered by tax software providers is critical to protect client data stored within those systems. Tax pros also can check their email account settings to see if the email provider offers two-factor protections.

  4. Backup software/services. Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online, as part of a cloud storage service or similar product, or on an external disk, such as an external hard drive with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted – for the safety of the taxpayer and the tax pro.
  5. Drive encryption. Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into files that are unreadable to an unauthorized person who accesses the computer to obtain data. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.
  6. Virtual Private Network. This is critical for practitioners who work remotely. If a tax firm’s employees must occasionally connect to unknown networks or work from home, establish an encrypted Virtual Private Network (VPN) to allow for a more secure connection. A VPN provides a secure, encrypted tunnel to transmit data over the Internet between a remote user and the company network. Search for “Best VPNs” to find a legitimate vendor; major technology sites often provide lists of top services.

Review professional insurance policy

The guidance also reminds tax professionals to review their professional insurance policy to see if their business is protected should a cyberattack occur.

As a final note, tax professionals should seek out additional security best practices as recommended in IRS Publication 4557, Safeguarding Taxpayer Data (PDF), and Small Business Information Security: The Fundamentals (PDF) by the National Institute of Standards and Technology.

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC

The Importance of Personal Cybersecurity

Malware attacks occur regularly in the United States, costing an estimated $15 million annually. The attacks on large corporations tend to make the news, but anyone connected to the internet is at risk of becoming a victim of a cyberattack. Personal internet connections are, generally, open, and personal computers are easy to locate with scanners, making them an easy target for the cybercriminal.

Roughly 64% of Americans experience a data breach and nearly 20 million people become victims of identity theft each year. Many consumers fall prey to hackers through use of social media, where cybercriminals gain access to personal data by creating fake links that download malware to user devices when users click the link. Consumers may also suffer data loss when cyber thieves victimize companies. Companies are desirable targets for cybertheft as they often collect their customers’ addresses, names, social security numbers, and other personal information.

In response to the data breaches, security-related legislation has been enacted at both the state and federal level. This legislation requires companies to take certain measures to protect sensitive information and establishes standards for notifying consumers when a breach occurs. Depending upon the industry, such as the healthcare industry, additional rules and penalties apply. Overall, with the proliferation and advanced tactics of cyber criminals, careful planning is required, both by a business and those with devices connected to the internet.

© 2017 Vandenack Weaver LLC