Cybersecurity Facts Tax Practitioners Need to Get Right

How many emails does your firm receive in one day?

Whatever the number, there’s a good chance a chunk of it is malware. According to a 2018 report from Symantec Corporation, one in 412 emails contained malware in 2017. For businesses with fewer than 250 employees, the rate was worse: one in 376 emails. When you consider just how many emails the average office worker receives in a week, things can look a little scary.

Cyberattackers represent a growing and evolving threat to CPA firms. Perpetrators are seeking sensitive client information, financial records and firm data like PTINs using any method available to infiltrate your defenses. And a lot of times, it works.

Understanding how to ward off these attacks is half the battle. Learn how to dispel common misconceptions about cybersecurity so you can be better prepared to face down any threat to your data.

Myth 1. Cybersecurity protocols are guidelines.

A robust cybersecurity plan isn’t optional for your tax practice. You’re legally required to protect your clients’ private information. No matter where in the country you practice or how many clients you have, your job is to keep would-be cyberthieves at bay.

The Federal Trade Commission (FTC), under its Safeguards Rule, requires all tax preparers to create and put into practice security plans that protect client data. On top of that, all financial institutions — and the FTC counts CPA firms and tax preparers among them — must safeguard sensitive data under the Gramm-Leach-Bliley (GLB) Act. Although CPAs are exempt from some aspects of GLB, they must develop a written information security plan that describes how they safeguard client information and how they’ll continue protecting clients’ nonpublic personal information.

Not meeting these requirements will get you in hot water. You could lose your business or find your reputation with clients and your peers is damaged. On top of that, you’d be on the financial hook for breaches resulting from improperly secured client data. At an average of $148 per record, that’s quite a bit of cash.

Myth 2. Encrypted email is a safe way to send information to clients.

There’s a reason the IRS doesn’t send transcripts via email.

Your firm can have the very latest cybersecurity software and still spring a leak through email. To get from your computer to your client’s, a message is handed from server to server, and each hop is only as secure as the servers and connections involved. A message that isn’t encrypted end to end can be read or copied at any of them, and the headers a message collects along the way are the only record of which hops protected it in transit.

Even if your firm uses certificates (S/MIME) or other message encryption, that encryption only works when the recipient uses it too, and most clients won’t go to such lengths to protect their email. And an encrypted message still ends up in a mailbox you don’t control, protected by whatever password and device security the client happens to have. Consider using client portals — secure online storage centers — to transmit all sensitive information to clients.
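As an added illustration, not part of the original post, here is a short Python script that reads the Received: headers a message accumulates on its way to a client’s mailbox and reports which hops accepted it over a TLS-protected connection and which accepted it in the clear. The message, host names and addresses are constructed for the example and are not a real capture.

```python
import email
import re

# Constructed sample message (not a real capture). It has passed through three
# relays: the firm's filtering vendor, the firm's own mail server, and the
# client's provider. Host names and addresses are made up for the example.
SAMPLE_MESSAGE = """\
Received: from mx.example-cpa.com (mx.example-cpa.com [203.0.113.10])
\tby mail.client-isp.example (Postfix) with ESMTPS id 4Qx1
\tfor <client@client-isp.example>; Mon, 1 Oct 2018 09:12:45 -0400
Received: from relay.filter-vendor.example (relay.filter-vendor.example [198.51.100.7])
\tby mx.example-cpa.com (Postfix) with ESMTP id 8Ab2;
\tMon, 1 Oct 2018 09:12:40 -0400
Received: from workstation.example-cpa.internal (unknown [10.0.0.25])
\tby relay.filter-vendor.example with ESMTPSA id 1Cd3;
\tMon, 1 Oct 2018 09:12:38 -0400
From: Jane Preparer <jane@example-cpa.com>
To: client@client-isp.example
Subject: Your 2017 return
Content-Type: text/plain

Attached is a copy of your return.
"""


def received_hops(raw_message):
    """Return the relay hops in the order the message actually travelled.

    Each relay prepends its own Received: header, so the header nearest the
    top is the last hop; reversing the list restores chronological order.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold the header onto one line
        sender = re.search(r"\bfrom\s+(\S+)", text)
        receiver = re.search(r"\bby\s+(\S+)", text)
        protocol = re.search(r"\bwith\s+(\S+)", text)
        proto = protocol.group(1).upper() if protocol else "UNKNOWN"
        hops.append({
            "from": sender.group(1) if sender else "unknown",
            "by": receiver.group(1) if receiver else "unknown",
            "with": proto,
            # ESMTPS/ESMTPSA mean the receiving server took the message over
            # TLS; plain ESMTP/SMTP means it crossed that link unencrypted.
            "tls": proto.startswith(("ESMTPS", "SMTPS")) or "TLS" in text,
        })
    return hops


def unencrypted_hops(raw_message):
    """Hops where the message crossed the network without transport encryption."""
    return [hop for hop in received_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["tls"] else "PLAINTEXT"
        print(f"{hop['from']} -> {hop['by']} ({hop['with']}): {status}")
```

Run against the sample, the middle hop (the filtering vendor handing the message to the firm’s own server) shows up as plaintext. Two caveats a practitioner should keep in mind: Received: headers are written by each relay, so anything upstream of the last server you trust can forge them, and a message that was protected on every hop is still sitting unencrypted in the client’s mailbox at the end, which is the reason the text recommends a portal instead.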

Myth 3. Third-party service providers have protocols in place that protect client data.

In May 2017, Target Corporation was ordered to pay $18.5 million to 47 states and the District of Columbia after a 2013 security breach compromised customer data. Because of the breach, cyberthieves stole the debit and credit card information of more than 40 million customers.

How did hackers gain access to Target’s sensitive customer data? By compromising a third-party vendor and using that vendor’s access to work their way into the company’s network. It’s the same way hackers can reach your firm’s client data if you don’t fully vet your vendors. Here’s how:

  • Look into the security practices of all vendors who handle any sensitive client data or who access or may access servers where client data could be held.
  • Review your vendors’ security policies and require copies for your records.
  • Be sure they perform internal security audits and ask to see their SOC 2 report.
  • Vet their background and references and find out if there’s a history of data breaches.

You should avoid any third-party vendor that can’t document how it protects your clients’ sensitive information.

Myth 4. The changes to tax transcripts will keep tax data safe.

Recently, the IRS announced it would change the format of individual transcripts in an effort to protect taxpayer data. As of September 23, 2018, personally identifiable information such as birth dates and full Social Security numbers is redacted or masked on Form 1040 series transcripts. Should an identity thief gain access to an individual’s transcript, they’ll be unable to lift the key personal details that would let them file a fraudulent return.

While eliminating sensitive information creates a stumbling block for identity thieves, it won’t stop all tax-related identity theft. Hackers can adapt, and transcripts aren’t the only place they can get this information. They can get this and more by going to just one place: your firm.

If cyberthieves target your practice and breach your cybersecurity, they’ll gain access to a treasure trove of private information including passwords, maiden names, birth dates and credit card information. If you aren’t the first line of defense against hackers, no changes to tax transcripts will keep your clients’ data secure.

Bonus myth: The latest technologies will protect client data.

Your firm is doing everything right. You’ve installed and activated software and hardware firewalls. You’ve secured your wireless networks and set up web and email filters. Your clients are routinely using portals. You’ve vetted all vendors, and your passwords are indecipherable. In short, your defenses are impregnable.

Not even close. Because there’s one variable you haven’t considered: your employees.

It’s possible that your employees are the biggest threat to client data. Focusing on network security while ignoring employee training can lead to a disaster. According to a report by IBM Security, most data breaches can be attributed to human error.

Proper training and limiting each employee’s access to the data their role actually needs are key to reducing these errors. Training includes helping employees recognize suspicious emails and phishing attempts — lookalike sender domains, reply addresses that don’t match the sender, urgent demands to "verify" something, and links that lead off your firm’s sites — that create gateways for hackers to enter your servers. And if disaster strikes, have a plan ready so you can respond to security incidents quickly.
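As an added example, not part of the original post, the Python script below checks an incoming message for the same red flags staff are trained to spot: a sender domain that is a near-match of the firm’s, a Reply-To that points somewhere else, urgency language in the subject, and links to hosts outside the firm. The firm domain, the messages and every address and host name in them are constructed for the example.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

FIRM_DOMAIN = "example-cpa.com"  # assumption: the firm's real mail domain
URGENCY_WORDS = ("urgent", "immediately", "verify", "suspended", "wire")

# Constructed sample messages (not real captures).
SUSPICIOUS_MESSAGE = """\
From: Jane Preparer <jane@examp1e-cpa.com>
Reply-To: accounts@mail-verify.example
To: staff@example-cpa.com
Subject: URGENT: verify the attached PTIN list today
Content-Type: text/plain

Please confirm every PTIN at http://login.mail-verify.example/ptin before noon.
"""

CLEAN_MESSAGE = """\
From: Jane Preparer <jane@example-cpa.com>
To: staff@example-cpa.com
Subject: Staff meeting Tuesday
Content-Type: text/plain

The agenda is on the portal at https://portal.example-cpa.com/agenda.
"""


def _edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message, firm_domain=FIRM_DOMAIN):
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    # Lookalike domain: a few characters off, or same name under another TLD.
    if from_domain and from_domain != firm_domain:
        same_label = from_domain.split(".")[0] == firm_domain.split(".")[0]
        if same_label or _edit_distance(from_domain, firm_domain) <= 2:
            findings.append("lookalike sender domain: " + from_domain)

    # Reply-To that sends the reply somewhere other than the apparent sender.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if _domain(reply_addr) != from_domain:
            findings.append("Reply-To domain differs from From: " + _domain(reply_addr))

    # Pressure to act now is the classic social-engineering lever.
    subject = (msg.get("Subject") or "").lower()
    hits = [word for word in URGENCY_WORDS if word in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))

    # Links whose host is not the firm's own domain or a subdomain of it.
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if host != firm_domain and not host.endswith("." + firm_domain):
            findings.append("link to external host: " + host)

    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks is proof on its own; a legitimate vendor may well use a different Reply-To, and a real deadline may well say "today". The value is in getting staff (and a mail filter) to pause on the combination, which is exactly what the training described above is meant to achieve.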

Cyberattacks are a reality of doing business in the modern world. But they don’t have to derail your firm. Take charge of your firm’s security. Review the resources available in the AICPA Cybersecurity Resource Center and use the downtime before busy season to get up to speed on how you can best protect client and customer data. For a deeper dive into tax identity theft, visit the Tax Identity Theft Information & Tools Resource Center made available by the AICPA Tax Section.

Cyberthieves aren’t going to wait. Why would you?

Originally posted by Allison Carter for the Association of International Certified Professional Accountants.