Cybersecurity basics for the tax practice

I want to put it bluntly. You have been targeted. Cyber criminals have discovered that tax and accounting firms have a wealth of personal information stored on their local computer networks, and that your office network is the weakest link in the chain of custody for a taxpayer’s most personal financial information. To put a finer point on it, in the era of COVID-19 social distancing rules, you are likely managing some or all of your business, and working from home or in a non-public-facing way.

Whether you work remotely or in the office, how do you secure your network? Securing your office systems in a local or wide area network environment is required for retention of taxpayer data. Having a good, foundational understanding of your responsibility to secure your clients’ data and how cyber thieves operate is the best way to secure your data, and should let you sleep a little better at night! Here is how to begin securing your sensitive data files.

All professional tax preparation firms are required by law to have a written information security plan (WISP) in place. This is mandated by the Gramm-Leach-Bliley (GLB) Act and administered by the Federal Trade Commission (FTC). Tax and accounting professionals fall into the same category as banks and other financial institutions under the Safeguards Rule, which mandates how the personally identifiable information (PII) of your clients is stored and secured. Accordingly, a firm’s mindset should be one of bank-level security.

The IRS is a cooperating agency with the FTC in enforcing the Safeguards Rule standards; Publication 4557, Safeguarding Taxpayer Data, is entirely devoted to the creation of a WISP and is generously referenced.

Yet, a majority of tax practitioners are not aware of their legal responsibility to have a plan in place, ready to be activated should the unthinkable happen and they become victims of a data breach. In recent years, criminal enterprises and syndicates using the dark web have targeted tax and accounting firms as the weakest link in the custody of PII data at rest. This data at rest, stored for later use in the production of tax returns and other accounting functions, is a lucrative target for these cyber thieves.

Who is supposed to protect the firm from cyber theft?

Simply put, the firm is. Generally, the data at rest is on the firm’s local computer network. If the firm retains the data, the firm is responsible for its safekeeping. Most tax software vendors do not directly host the data for the firm. The PII data is stored in a data file folder in a different directory from the tax program installation on the firm’s local network. Hackers are not stealing the firm’s data from the software provider, since the software vendor does not retain a copy the firm’s privacy-controlled data for safekeeping. The hackers simply steal it from its native environment: the firm’s network server.

Accordingly, the IRS continues to remind tax and accounting firms that retain the PII of their clients of their legal responsibility to create a WISP (IRS Tax Tip 2019-119). The plan design should be tailored to the firm, and should consider the firm’s size and the types of services offered, along with the sensitivity of the taxpayer information the firm retains. IRS Publications 4557 and 5293 provide guidance in creating a WISP that is scaled to the firm’s operations. All tax and accounting firms should do the following:

• Identify all PII that could be at risk.
• Design a workable program and plan to protect the PII data at rest.
• Determine who in the firm should act in the role of the data security coordinator.
• Determine the plan’s scope and make it available for review by staff.
• Provide staff training and create a feedback loop to improve the plan over time.
• Monitor and test the plan for weaknesses, updating it periodically.

A cyber theft breach is very costly to the firm’s customers. It is also costly to the tax and accounting firm. The costs for a forensic IT professional to identify the pathway into the firm’s network, the costs and legal responsibility to notify the firm’s customers that their PII may be at risk, and the costs of legal counsel to steer the firm through the minefield of liability issues can be $50,000 to $250,000 per breach incident. A standard liability insurance policy covers fire damage, physical theft (as opposed to electronic theft), vandalism, and similar damages. These policies were written and actuarially assigned risk costs before the electronic age. However, the firm must request a Cyber Theft Rider be added to the liability insurance policy to be covered for electronic theft. For the nominal cost of an added cyber theft rider, many of these costs will be covered by insurance.

Many states require the firm to report a data breach to the state attorney general’s office, and also may require the firm to provide credit monitoring services to its customers at the firm’s expense for up to two years. Even if it is not required, purchasing credit monitoring service for the firm’s exposed clients makes good business sense from a client retention standpoint. If adding credit monitoring is not an option in the cyber theft rider, it will be an added expense item on the road to recovery and restoration of the firm’s reputation.

Some breaches include a ransomware attack. If the firm experienced ransomware in its data breach, it should not assume that was the end goal of the hacker. Hackers know most firms will not pay the ransom to regain control of their hard drives, since there is no guarantee the victimized firm will actually be given the unlock key once the ransom is paid. A diabolical new twist to ransomware has manifested in the last couple of years, where the breach is a three-step process of invasion of the firm’s privacy:

1. The firm’s network is breached, either through malicious malware or unsecured remote access connections. Keystroke loggers are installed to discover the firm’s username/password combinations used to access critical systems, such as the firm’s tax software application.
2. PII of the firm’s clients is exfiltrated from the firm’s network to remote computers controlled by the hackers. Many times, a copy of the firm’s tax software is also copied and relocated as well, using the PII and software to prepare and transmit the fraudulent returns they illegally file remotely.
3. Ransomware is then deployed to the firm’s network after the breach. Hackers know a firm is unlikely to pay the ransom, and that the common fix is to reformat the infected computer drive and reinstall the firm’s applications without paying the ransom. When the hard drive is reformatted, the firm is actually overwriting the trail of breadcrumbs a forensic IT professional will need to discover how the hackers breached the firm, and what data was exfiltrated and stolen. Effectively, the firm erases the evidence of the crime as part of the scheme.

If the firm has any high profile, widely known or high net worth clients, extortion attempts using data gleaned from the stolen PII may be the basis for extortion demands. The hackers discover how much and where the money is located from the data the firm retains. The data of a vulnerable company or individual can then be brokered on the internet or dark web to other criminals who specialize in such white collar crimes.

Look, I am a small business and I do not know how to do all that

This is why partnering with a capable IT service provider is so important. The firm is expected to be the expert in tax and accounting, not cyber warfare. Partnering with people who “speak cyber” is the best way to protect the firm from harm. It does not guarantee the firm will not be hacked, but the firm has IT experts to call on, so partnering with a cyber expert makes good business sense. Not all IT service providers are equal, however, so how does a firm sort out the good from the bad?

IT service providers should use a written contract that details the services for which the firm is contracting. The IT service provider should include an array of services, from initial setup to periodic monitoring and maintenance. The IT service provider should be included as part of the firm’s WISP planning for a full understanding of the firm’s needs. The firm should ensure the contract includes data breach remediation services as part of the deal. Knowing the written plan for restoration and remediation will better inform the IT service provider of the firm’s actual needs under the law. Most IT service providers do not know about the GLB Act or the FTC Safeguards Rule requirements.

Items the IT service provider should address for a robust security policy may include the following:

• Require two-factor authentication (2FA) to log into the firm’s network at startup and also to log into any applications, such as tax software, where PII is stored. The firm should ensure it is not using email to authenticate logins. Email accounts can be easily spoofed by hackers. The hacker then sees a copy of everything that is sent to the email account, including password recovery codes and 2FA access codes. It is better to receive a code or a text to respond to with a disconnected device, such as a cell phone, for the second factor step. Since hackers will not have the second device for the authentication factor, they will never gain access with just a stolen username and password.
• Encrypt computer drives where the firm stores client PII data. Data stolen off encrypted drives will still be encrypted if exfiltrated, and will be useless to a hacker. This also may mitigate the need for client notifications and certain other remediation steps if a breach occurs.
• Restrict and tightly control remote access. Remote access is a wonderful tool that allows firms to manage business functions from home or employ remote staff outside the office. The IT service provider should know how to restrict remote access portals to use the same 2FA used in the office. If the remote access application does not support 2FA, find another application. If the firm uses a virtual private network (VPN) between remote computers and the office, it should follow the same protocols and authentications used when logging into an office computer.
• The IT service provider should recommend restricting internet access during non-business hours. Even though there is seasonal demand, most firms do not work between 10 p.m. and 6 a.m. during tax season. The firm should restrict access on weekends, too, if no one is in the office. This business rule can be adjusted for seasonal client appointments, work schedules, and weekend work. Since this is unique from most business models, the firm should explain to the IT service provider the seasonal variation in working hours.
• In addition to 2FA login protection, password protect all files containing PII. This means work in progress and completed tax files. The firm should employ a system to password-protect files containing PII. Simply using the same password for all files in a given tax year works. The goal is to always password-protect each file, and that is enough of a deterrent. Hackers do not spend time cracking individual file passwords. There is no reward in that, so they move on to some other firm that did not password-protect their individual files.
• Create a systematic plan to back up your data daily, at a minimum. The firm should not rely on the data at rest associated with the software applications as a backup file. Remember, the firm’s software vendor is not storing this PII data. The daily backup should be on devices that are then fully disconnected from the network for safekeeping. This will help protect the firm from a ransomware attack or hard drive failure. For smaller amounts of data, USB memory sticks may provide enough capacity for the PII data files. They can be purchased inexpensively and can hold an impressive amount of data for their size. If a large capacity drive is required, a removable USB hard drive is a good choice. Large capacity drives are commonly available with a terabyte of storage capacity or more, and are designed for data backup use.
• The IT service contract should include periodic review of data logs by the IT service provider. The IT service provider should scan the firm’s network for suspicious login attempts at least every 90 days. The review should include firewall logs, email activity logs, and antivirus activity logs, including deny-listed threat sites. Most importantly, these logs must be enabled on the firm’s computer network. If full logging is enabled, it usually results in the IT service provider finding the source of a breach, but the logging has to be enabled well before the breach to identify when the hacker got into the firm’s network. Some breaches happen up to six months or more before a firm is aware it has problem. This is because hackers often steal data after the returns are filed in a given tax year, to be used the following tax year.
• If the IT service provider cannot provide these services, demonstrate a good working knowledge of the requirements, and clearly explain to the firm how to solve for them, the firm should find another IT service provider. The IT service provider should understand that its reputation is at stake, too. The comprehensive solutions proposed by the IT service provider should be reviewed before the firm enters into partnership with them.

Office staff participation is key

Getting buy-in from all staff is critical to a strong data security posture. It is everyone’s responsibility to secure taxpayer PII. The firm should have regular, planned security meetings. Open forum discussion is usually the most productive way to get everyone involved in solving the problem. Discuss everything, from where the key to the filing cabinet is stored, properly securing desktop paperwork from prying eyes, and the paperwork custody logging procedure, to spotting email phishing attempts. The firm should seek a “best practices” mindset and adopt accordingly. Here are some easy and common security rules to enforce:

• No login and password sharing! Everyone should have unique logins and passwords for their applications. If everyone “knows the password,” whose computer did the hacker breach? Strong passwords should be at least eight characters in length, and include uppercase and lowercase letters, numbers, and special characters.
• Update all passwords at least every 90 days. Consider a varying interval – every 30 days during the high-risk early tax season, every 90 days over the summer, and back to every 30 days during the fall filing season.
• Constantly remind staff not to click on suspicious email links, especially on correspondence where the firm did not initiate the request. Even if the request appears to come from another firm seeking professional courtesy file sharing, call the firm seeking information and confirm. If their systems were compromised, the hackers can use their email to spoof requests, such as “Is John Doe your customer? He said you had his prior year files. Can you forward them using my file sharing link, please?” The link may have embedded malicious .exe files to deploy malware, setting up a back door into your firm’s network.
• Test to see that firm employees are security aware by sending a harmless clickbait email to see if they recognize the threat it potentially could represent. Design the email with the firm’s IT service provider so it is flagged internally. Coach any employees who click on it so they become aware of the risk.
• Conduct regular security awareness office meetings, and seek discussion and input. The firm might discover vulnerabilities, unaware they were present without open-forum brainstorming. Get staff involved in working the problem, so everyone is living and breathing security 24/7.

IRS Publication 4557, Safeguarding Taxpayer Information; and Publication 5293, Protect Your Clients; Protect Yourself: Data Security Resource Guide for Tax Professionals, are excellent resources the firm can use to increase its security posture. The bottom line is this: The firm stores lucrative data criminals can misuse and the world of interconnectivity brings risks. International criminal syndicates as well as U.S.-based criminals are actively looking for the chance to exploit the data at rest on the firm’s network. These criminals are good at what they do, and get more sophisticated every year; do not make it easy for them.