The Tax Preparer's Ultimate Guide to Data Security
In 2021, cybercrime cost U.S. businesses nearly $7 billion, yet 29% of CEOs and 40% of chief security officers admitted that their organizations remain unprepared for a large-scale cyberattack.
It isn't just corporate giants at risk. According to the IRS, data theft at tax professionals’ offices has continued to rise, with 2022 reflecting the highest incidence rate ever. As cybercriminals become more adept at accessing confidential data from unprepared tax preparation offices, data security is a necessity and, in many instances, a legal requirement. Whether you run a large tax preparation business that employs thousands or work as a sole proprietor, if you have access to a taxpayer’s personal information, it's your job to keep it safe.
There are many steps you can take immediately to help keep data secure, starting with getting up to speed on the most prevalent threats. Criminals continue to change their methods of operation, and if you don't stay up to date on the latest threats, you won't be able to implement the appropriate measures to stop them.
A man-in-the-middle (MITM) attack occurs when a breach in security allows a cybercriminal to eavesdrop on a transaction between two parties, positioning themselves between them to intercept or change a message. Without a secure network for communicating with your clients, you’re vulnerable to MITM attacks.
This can come from within the organization itself, or from the outside, with hackers having sophisticated tools at their disposal to help guess your password. They can also access personal data about an individual and use that information to guess a password, which is why having a complicated password works best.
DoS attacks are used to overwhelm a system, making it easy for hackers and cybercriminals to access the system. If successful, the DoS attack often requires a system to go offline, making it particularly vulnerable to cyber-attacks.
A URL interpretation attack can be particularly damaging to a tax preparation business. A cybercriminal can redirect the URL to gain access to administrator privileges, where they can manipulate or steal data.
Not all cybercrime is committed by unknown assailants. You can also leave yourself vulnerable to in-house attacks simply because of your employees' proximity to information such as passwords and client files. The best way to protect against in-house attacks is to limit employee access to specific data.
Ransomware attacks increased by 42% in the first half of 2022. Attackers use ransomware to encrypt your files, preventing you from accessing them. Once you’re locked out, the attackers demand money or "ransom" to restore access to your data. As ransomware attacks have increased, attackers have resorted to threats such as releasing data to the public to convince reluctant companies to pay up. A ransomware attack during the tax preparation season can severely disable or even destroy a tax preparation business.
Phishing involves criminals sending email or text messages with a link or attachment in an attempt to steal passwords, gain access to personal or confidential data, or gain access to your bank account. Phishing is also used to download malware onto your computer.
Early on, it was easy to recognize a phishing attempt, but with cybercriminals using more sophisticated tools, emails and texts often look credible. Many phishing attempts are designed to look like they're coming from your bank, a utility company, or a popular online shopping site. They draw you in with claims of problems with your account, or that suspicious activity has been noted. All you have to do to fix the problem is to click on the link or download the attachment. If you click on the link, the scammers immediately gain access to your data.
To protect your company against phishing, all employees should be trained in how to recognize phishing attempts before responding to an email or text.
Malware and Viruses
The terms malware and viruses are often used interchangeably, but the two differ. While a virus is a form of malware, you should be aware of other types of malware. Today, more than a quarter of all data breaches involve malware, which is used to steal or manipulate data. Malware can take many forms, including spyware, viruses, trojan horses, and worms, and is usually distributed via an email attachment. However, pop-ups can also contain a virus.