Tax & Accounting Blog

Cybersecurity in the New World

Accounting Firms, Blog, CS Professional Suite, Technology October 6, 2017

Cybersecurity incidents are happening at an alarming rate. We can take action to initiate strategic changes and protect ourselves and our clients, or we can ignore the statistics, continue as usual and see what happens.

Are you willing to take that risk? I’m not.

I spoke about major trends that will impact the profession over the next decade during my 2017 California Accounting & Business Show & Conference keynote address, and I’d like to share statistics from the security portion of the presentation with you.

  • In 2016, companies and individuals were hit with over 90 million attacks. Nearly 70 percent of these attacks went unnoticed.1
  • 72 percent of firms responding to the latest UltraTax CS survey had clients affected by ID theft or tax refund fraud in the past year.
  • Weak passwords account for more than 60 percent of data breaches.2

Hacks of the past generally targeted victims for tax refund ID theft involving Social Security numbers, names and addresses. Hackers were mostly based in the U.S., tended to work alone or in small groups and — though they may have been successful in defrauding American taxpayers — were relatively unsophisticated.

Today’s tax fraud hacks use more sophisticated techniques: social engineering, IP masking, phishing and spear-phishing. Ransomware — malicious software used to threaten publishing or blocking access to the victim’s data unless a ransom is paid — is also expanding dramatically. Many of today’s hackers operate offshore, and they’ve expanded their use of the dark web beyond tax refund ID theft.

These hackers are increasingly focused on professional tax and accounting firms — large and small. They view firms as easy targets, where a large amount of real data can be gathered from a single breach.

The IRS repeatedly warns tax professionals that hackers are trying to remotely take control of computers to file fraudulent tax returns, using names and IDs of firm clients. They do this by acquiring legitimate accounting firm credentials through methods like malware that installs key loggers.

Since tax and accounting firms are responsible for valuable data — employer IDs, Social Security and financial account numbers, W-2 information — these attacks threaten the identity and financial security of firms, staff, clients and third parties. The stakes are higher than ever, and our clients trust us to do everything in our power to protect their personal information and reduce the risk of a breach.

First: Work closely with your IT security teams to plan and implement safeguards for your data and technology — automatically blocking certain emails, proactively managing desktop and network updates, having effective firewall and anti-virus software, implementing block-level encryption on laptops and maintaining up-to-date operating systems.

One of the most effective things you can do now is activate multi-factor authentication (MFA) as an extra security step on your Thomson Reuters software with our Thomson Reuters Authenticator™ app. Don’t wait until after a breach; it will be too late.

Everyone in your firm is responsible for data security. Never click links or open attachments without being absolutely sure of the sender’s identity. It’s essential to have strong, private, unique passwords on all logins — 71 percent of online accounts are guarded by duplicate passwords, which is a big liability.

Maybe you’re tired of hearing about security threats. That’s understandable. But we must be realistic and prepare ourselves. The silver lining? We’re getting stronger and smarter.

To learn more about vital security issues, visit our security page. I’ll also continue to update my blog with thoughts on the latest developments in the profession at tax.tr.com/author/jonbaron.

1 Source: “2017 cybercrime trends: Expect a fresh wave of ransomware and IoT hacks,” TechRepublic, October 2016
2 Source: Verizon 2016 Data Breach Investigations Report
3 Source: TeleSign Consumer Account Security Report 2016