WASHINGTON – The IRS, state tax agencies and the tax industry today urged tax professionals to make data security an everyday priority, noting a few simple steps can go far in protecting taxpayer information from cybercriminals.
Cybersecurity experts often refer to the 90/10 rule. This rule states that 10 percent of cybersecurity is reliant upon technology; 90 percent is up to users. The IRS currently is receiving reports of tax professional data breaches at the rate of three to five a week, a level that requires immediate attention.
Making daily security a priority is part of the “Don’t Take the Bait” campaign, a 10-part series aimed at tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to work to protect their clients and themselves from cybersecurity threats. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
“Tax professionals should not overlook the importance of protecting their systems and their data,” said IRS Commissioner John Koskinen. “Cybercriminals are increasingly targeting the tax community, and tax practitioners play a critical role in helping safeguard their client data as well as their own. Taking a few critical steps can help tax professionals avoid a devastating situation for their business and the taxpayers they serve.”
Data security within a tax professional’s office is only as strong as the least-informed employee. Security awareness must also extend beyond the office into homes. The IRS is aware of situations where a data breach of a tax preparer’s office began at the home of an employee working remotely.
Tax professionals – as well as the Security Summit partners – are matching wits and skills with highly sophisticated, well-funded, technologically adept criminal syndicates from the United States and around the world. Anyone who handles taxpayer information has an obligation under federal law to protect that information from unauthorized disclosure, improper disposal and outright theft.
Tax professionals should conduct ongoing education of office employees to combat daily threats, including spear phishing emails, business identity theft, account takeovers, ransomware attacks, remote takeovers, business email compromises and Electronic Filing Identification Number (EFIN) thefts.
Protecting Clients and Businesses by Making Data Security a Daily Priority
Practitioners also should review the NIST small business guide to learn not only what technological steps should be taken but also what everyday steps all employees should take. NIST, or the National Institute of Standards and Technology, a division of the U.S. Department of Commerce, has been helping small businesses with information security since 2001. NIST also has recommendations on everyday activities tax professionals and employees can carry out to help keep businesses safe and secure. Some of these include: