Practice Management 5 Best Practices in Tax Firm Security Read the Article Open Share Drawer Share this:Click to share on Twitter (Opens in new window)Click to share on Facebook (Opens in new window)Click to share on LinkedIn (Opens in new window) Written by Cassidy Jakovickas, CPA Published Mar 10, 2020 4 min read As data breaches become more common, 81 percent of consumers are changing their behavior to protect their most sensitive data. Although the IRS recently announced changes to individual tax transcripts for the sake of security, tax firms remain a gold mine of data for ambitious criminals. As we continue to use technology to drive value and profitability, consider following these five best practices to help protect your firm’s and clients’ data. #1: Have “The Talk” With Your Staff Whether it’s leaving passwords on sticky notes or clicking on a phishing link in an email (see #5 below), your staff can often be the weakest aspect of your firm’s security measures. As we improve security, we must provide guidance, not just technology, to our staff. As you educate your staff about the necessity and benefits of data security, it’s essential to get their buy in. In my firm, I’ve had this discussion with my team and found that each person had their reasons for embracing our firm’s improved security education. Positioning security threats as directly impacting our firm’s profitability helped these individuals realize just how real the consequences of a breach can be. #2: Secure Your Login Credentials Your next step should be to protect your logins. Strong passwords should be: At least eight characters long. A combination of letters, symbols and numbers. Unique from all other passwords. An acronym or randomized phrase, instead of your birthday or other personal data. Rather than trying to remember thousands of passwords, we’ve found it’s best to use a password manager such as LastPass to keep our passwords strong and unique. Bottom line: We’ve made password security a priority since we view it as a way to demonstrate trust with our clients. #3: Double-Check Your BYOD Policy It’s increasingly common for firms to allow employees to use their devices to access company data and conduct business activities, commonly known as Bring Your Own Device (BYOD). While outsourcing and remote work are great ways to improve efficiency, the use of personal devices for company activities means a broader attack surface for your firm. Here are four precautions to take so your staff can work productively and more securely: Update all devices in use with current software updates. Use two-factor authentication to further secure logins. Develop policies for the use of company equipment and systems. Avoid sharing sensitive data about personal or corporate matters on social media. #4: Create a Data Security Plan In 2019, the IRS urged all tax professionals to take steps to better protect client data, including developing a data protection plan. As part of its checklist, the IRS noted that the FTC requires companies must: Designate at least one employee to manage its information security program. Evaluate threats to customer data and assess the effectiveness of current security. Develop safeguards and partner with qualified service providers to implement them. Adjust these safeguards as business operations or security monitoring necessitate. There are four specific steps the IRS recommends: Install and use anti-virus software. Set up a software or hardware-based firewall. Encrypt local storage drives. Use a virtual private network to secure connections on home or unfamiliar networks. You can find more information in the security guide provided by the National Institute of Standards and Technology. #5: Be Vigilant Against Phishing and Malicious Emails Though it can seem like old news, phishing remains especially relevant. WombatSecurity’s 2018 State of the Phish study showed that phishing scams targeted approximately three-quarters of companies surveyed. I recently wrote on Quora a short piece to get more employee engagement when it comes to monitoring security. Companies have begun to perform phishing simulations with the help of resources such as Infosec’s WORKed video series. Resources like this are useful because they are often more engaging and interactive than a PowerPoint with lists of statistics and graphics. Security Should be a Priority Being acutely aggressive and continually learning about the latest security threats to your firm will help you better protect your practice and your clients in an evolving threat landscape. As clients become more concerned about the management and treatment of their data, prioritizing security as a firm will help you stand out as a clear choice and trusted advisor. Previous Post Alejandra Matias, EA, on Using Technology in Her Firm Next Post How Adding Financial Planning Can Turn a Seasonal Tax Practice… Written by Cassidy Jakovickas, CPA Cassidy is a CPA and the CEO of MBS Accountancy, a California firm providing tax and accounting services for $500K-$10M businesses and nonprofits. Cassidy is an active member of Intuit’s ProConnect community and CalCPA, a former member of Intuit’s 2019 Accountant Council, and a 2021 honoree of The CPA Practice Advisor’s 40 under 40 award. More from Cassidy Jakovickas, CPA Comments are closed. Browse Related Articles Tax Law and News Annual inflation adjustments for TY24 and TY25 Practice Management Intuit is committed to your success Practice Management Lacerte® Tax spotlight: Karl J. Strube, CPA Practice Management ProConnect™ Tax Online spotlight: Alejandra Matias Practice Management ProConnect Tax Virtual Bootcamp: Jan. 15-16 Webinars Navigating Common IRS Red Flags: Jan. 20 Webinars Pay-by-Refund: Jan. 20 Webinars Practical Security Checklist: Jan. 14 Tax Law and News January 2025 tax and compliance deadlines Workflow tools On the Books podcast: Merry books-to-tax season