Ask The Edd Attorney – Tax Professionals – Don’t Take The Bait – Be Prepared
By Robert S. Schriebman
2017
Introduction
On September 6, 2017 the IRS published its last and most informative press release counseling tax professionals on cybersecurity (IR-2017-144). The IRS currently is receiving reports from tax professionals of security breaches at the rate of almost 5 per week! Ten percent (10%) of cybersecurity depends upon technology but 90% depends on the tax professional community to teach their staff about breaches and to establish strong passwords and take other measures to secure client confidential information. If you handle taxpayer information, and we all do, we have obligations under federal and state law to protect that information from unauthorized disclosures and outright theft.
I found this press release particularly interesting because it informed me about social engineering. Social engineering is wicked stuff. It is an elaborate scheme to obtain both physical and electronic access to client information by manipulating people. A social engineer is educated and trained to research your business and to learn the names, job titles, responsibilities, and any personal information they can find. The social engineer usually calls or sends an email with a believable but phony story designed to convince you and your employees to give them valuable information.
In this article I will discuss the 8 categories of helpful information set forth in IRS Press Release IR-2017-144 (September 6, 2017).
Data security in our offices is only as strong as our least informed employee. Security precautions are not just for our offices. They must be extended into our homes. The IRS reports that many security breaches occur with laptops taken from the office and used at remote locations.
Protect Your Business and Your Clients by Following These Recommended Steps
The following recommendations and suggestions were offered by the IRS in conjunction with the FBI, as well as private sector experts. To paraphrase Harry Truman, “The buck stops with you.” You are the boss, and when security breaches occur, you are the one who will take the heat.
Be careful of email attachments and web links.
As we get older and more experienced we rely on our gut. If you are not expecting the email transmission, do not open it. However, if it looks genuine and appears important, pick up the phone, and call the sender to verify that the email is truly from them. Before you click on a link, hover over that link to see the actual web address it would take you to. If you have the slightest suspicion, go with your gut.
Use separate personal and business computers, mobile devices and accounts
Have separate devices and email accounts for personal and business use. This is especially important if children have access to your devices. On these dedicated devices avoid computer games, business banking, or other personal use. Do not send sensitive business information to personal email addresses.
Do not connect personal or untrusted storage devices or hardware into computers, mobile devices or networks
Do not share USB drives or external hard drives between personal and business computers or devices. Do not insert any unknown CD, DVD, or USB drive. Disable the “AutoRun” feature of the USB ports and optical drives on CD and DVD drives on business computers.
Be careful downloading software
If you do not know the source of the software or downloads, do not download them. This is especially true with freeware or shareware.
Watch out when providing personal or business information
Earlier in this article I discussed the danger of social engineering. There is not a day that goes by in my office that I do not receive an unsolicited phone call from someone or some company I do not recognize. Your employees should notify you whenever there is an unfamiliar request for client information or sensitive material.
Never give out usernames or passwords. Requesting this information is strictly taboo for legitimate companies. Employees should also be aware of callers asking about your operating systems, brands of firewalls, or what applications are installed. This information is a hackers’ delight.
Watch for harmful pop-ups
I usually avoid the motto, “Never say never.” But I apply this motto to pop-ups, and my pop-up blocker is always on.
Use strong passwords
Here is where the IRS gets specific. They advise you to use strong passwords that are case sensitive to upper and lower case. The NIST (Cybersecurity Framework) recommended passwords to be at least 12 characters long. If your system has sensitive and important information, consider using multiple forms of identification known as “multi-factor” or “dual-factor” authentication.
Passwords should be changed every three months.
Passwords dealing with business information should be reuse.
Consider using a password management application to store your passwords for you.
Default administration passwords should be changed immediately when installing equipment as these are easily known by hackers.
Conduct online business more securely
Your business and banking should be done using a secured browser connection. This will normally be indicated by a small lock visible in the lower left-hand corner of your browser window.
Erase the web browser cache, temporary internet files, cookies, and history regularly. This is especially true after any online commerce or banking session.
Conclusion
The IRS guidelines are excellent. And they are a product of many sources including the FBI, and major computer experts in the private sector. While this article has stressed computer and electronic security measures, I recommend you purchase and utilize high-end paper shredders. Every disposable item that is remotely connected to a client or a current matter you are working on should be shredded instead of thrown in the circular file. Today’s shredders do a much better job mulching paper than the old strip shredders. There is too much exposure today to security breaches. As I said earlier in this article, go with your gut. In a criminal jury trial, the jury is instructed on a standard of reasonable doubt, but when it comes to security safety, any doubt, even the slightest, should be enough to warn you, “Not to go there.”
***
Robert Schriebman has a successful practice in the Rolling Hills Estates area of Los Angeles County serving clients throughout California and the United States. He has successfully dedicated more than 40 years to helping individual taxpayers, business owners, CPAs, Enrolled Agents, and tax attorneys navigate the complicated tax systems of the federal and state governments.
Robert Schriebman has written the only 2 books ever published dealing with how California Employment Development Department (EDD) operates. See “California Tax Collection Practice and Procedures” and “California Taxation Practice and Procedure,” both published by Commerce Clearing House.
Robert Schriebman has written over 20 books including the major manual used nationally by practitioners and the IRS, “IRS Tax Collection Procedures – A Manual for Practitioners” published by Commerce Clearing House.
Robert Schriebman has written over 20 books including the major manual used nationally by practitioners and the IRS, “IRS Tax Collection Procedures – A Manual for Practitioners” published by Commerce Clearing House in addition to the only 2 books ever published dealing with how California Employment Development Department (EDD) operates. See “California Tax Collection Practice and Procedures” and “California Taxation Practice and Procedure,” both published by Commerce Clearing House.
Web Site Article 295