Each year, tax and accounting firms of all sizes are targeted by hackers. Why? Because for cyber-thieves, these firms hold a treasure trove of information, and tax firm security is often lacking.
Whether it's tax returns or payroll data, your tax firm holds the key to addresses, employers, dependent names, ages, Social Security numbers, and more. With this information in hand, producing fake W-2s that look legitimate and filing a fraudulent tax return is a piece of cake.
Even though the IRS has worked to stop the spread of fraud and reduce the risk to tax preparers and taxpayers, it stresses that hackers continue to target professional tax preparers. While security breaches at major organizations often make the headlines, the truth is that 70-80% of cyberattacks occur at businesses with fewer than 100 employees, according to the Congressional Small Business Committee.
Without the proper security protocols in place, you’re putting not only your clients’ data, but your firm’s reputation at risk. A security breach can cause irreparable damage and cost you the business you’ve worked so hard to build.
So, now that you know why security deserves your attention, what actions should you take to secure your firm?
1. Train your employees to be safe.
Because your staff are the ones primarily interacting with clients, make sure they are aware of cybersecurity risks. Employees are your first line of defense and should be trained properly, especially if they access client information on multiple devices.
Consider outsourced training, or provide staff with guidance on user permissions, strong passwords, multi-factor authentication, and the telltale signs of scams such as phishing emails that impersonate clients, the IRS, or software vendors. Requiring employees to sign off on written security policies and procedures once a year is a good idea as well.
2. Educate your clients on security measures.
Security is a two-way street. Explain to your clients the security measures your firm has in place, and encourage them to make security a priority on their end as well.
IRS Publication 4524, Security Awareness for Taxpayers, includes a checklist that can be shared with clients. The IRS also has a series of identity theft videos with valuable information for taxpayers.
3. Create an incident response plan.
In the event that your systems are compromised, your firm should have a detailed incident response plan to follow. If you don't have one, work with your legal counsel and other specialists to develop one immediately. According to the FTC, the GLBA Safeguards Rule requires organizations to maintain a written information security plan that describes how they protect client information; your incident response plan belongs within that broader plan. The plan must be appropriate to the firm's size and complexity, the nature and scope of its activities, and the sensitivity of the client information it handles.
The main areas of focus for this plan should include isolating affected systems (without wiping them, so evidence is preserved), bringing in forensic experts to assess the damage, contacting your attorney, managing any notification process and its timing, and building your internal and external communication plans. Read Your firm's been hacked for more information on building your incident response plan.
4. Keep your software and infrastructure updated.
Do you have someone responsible for reviewing your infrastructure and software to ensure that operating systems, tax software, and network devices are patched and up to date? If not, consider hiring someone (in-house or externally) to ensure you're doing everything you can to stay secure.
5. Review your tax workflow.
Review your tax workflow and the tools in your software: are there points where you could add more secure processes or security checks? With how fast technology is changing, it's always a good idea to take another look at your tax preparation software and ensure it's providing all of the security features your practice and clients need.
Remember: While focusing on security measures may seem time-consuming, you don't want to be caught off guard should your firm experience a breach. Take the time now to protect the business and reputation you've worked so hard to build; it's certainly worth the time and investment. Consult your legal and technology security advisors regularly for guidance on data security practices and the legal standards applicable to your practice.