IRS offers tips for tax pros working at home

With cyberthieves active during COVID-19, the Internal Revenue Service and the Security Summit partners on Tuesday urged tax professionals to review critical security steps to ensure they are fully protecting client data whether working in the office or a remote location.

Many tax professionals have expanded telework options this year as firms, like other businesses, work to keep personnel safe, practice recommended safety guidelines and use technology to virtually serve their clients.

During this period, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have urged organizations to maintain a heightened state of alert as cybercriminals seek to exploit Covid-19 concerns.

To assist tax professionals with the security basics, the IRS, state tax agencies and the nation’s tax industry are launching a five-part series called “Working Virtually: Protecting Tax Data at Home and at Work.” The special series is designed to help practitioners assess their home and office data security – basic steps that should be taken for every work location. The series will continue each Tuesday through Aug. 18.

“The Security Summit partners urge tax professionals to take time this summer to give their data safeguards a thorough review and ensure that these protections are in place whether they work from home or the office,” IRS Commissioner Chuck Rettig said.

Although the Security Summit – a partnership between the IRS, states and the private-sector tax community – is making major progress against tax-related identity theft, cybercriminals continue to evolve. They are aware that tax practitioners and their systems might be more vulnerable this year during COVID-19, especially if they are working remotely.

The IRS recommends that everyone, but especially tax professionals handling sensitive data, should use anti-virus software, firewalls, two-factor authorization, backup software, drive encryption and a virtual private network.

Anti-virus software scans computer files or memory for patterns that might indicate the presence of malicious software.

Most anti-virus software can be configured to automatically scan specific files or directories in real time, although there is a manual scanning process as well. It is important to keep security software set to automatically receive the latest updates so that it is always current.

Firewalls provide protection against outside attackers by shielding a computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing systems. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data to pass through, according to CISA.

Tax software providers, email providers and others that require online accounts now offer customers two-factor authentication protections to access email accounts. Tax professionals always should use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk.

Two-factor authentication adds an extra layer of protection beyond a password. Often two-factor authentication means the returning user must enter a username and password plus another step, such as entering a security code sent via text to a mobile phone.

Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or similar product. Or, a copy of the file is made to an external disk, such as an external hard drive with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted – for the safety of the taxpayer and the tax pro.

Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into unreadable files for an unauthorized person accessing the computer to obtain data. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.

A virtual private network is critical for practitioners who work remotely. If a tax firm’s employees must occasionally connect to unknown networks or work from home, establish an encrypted VPN to allow for a more secure connection. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network.