5 Best Practices in Tax Firm Security

Practice Management Security for tax professionals

As data breaches become more common, 81 percent of consumers are changing their behavior to protect their most sensitive data. Although the IRS recently announced changes to individual tax transcripts for the sake of security, tax firms remain a gold mine of data for ambitious criminals. As we continue to use technology to drive value and profitability, consider following these five best practices to help protect your firm’s and clients’ data.

#1: Have “The Talk” With Your Staff

Whether it’s leaving passwords on sticky notes or clicking on a phishing link in an email (see #5 below), your staff are often the weakest link in your firm’s security. As we improve security, we must provide guidance, not just technology, to our staff. As you educate your staff about the necessity and benefits of data security, it’s essential to get their buy-in.

In my firm, I’ve had this discussion with my team and found that each person had their reasons for embracing our firm’s improved security education. Positioning security threats as directly impacting our firm’s profitability helped these individuals realize just how real the consequences of a breach can be.

#2: Secure Your Login Credentials

Your next step should be to protect your logins. Strong passwords should be:

  • At least eight characters long; longer is better, and a random passphrase of 14 or more characters resists offline guessing far better than a short, complex one.
  • A combination of letters, symbols and numbers.
  • Unique to each account, never reused across sites or systems.
  • A random passphrase or an acronym only you would know, never your birthday, a pet’s name or other personal data an attacker could look up.

Rather than trying to remember dozens or hundreds of passwords, we’ve found it’s best to use a password manager such as LastPass to generate and store passwords that are both strong and unique. Bottom line: We’ve made password security a priority because we see it as one way to earn and keep our clients’ trust.
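To make the rules above concrete, here is a small Python example (added for this article, not the author’s or any password manager’s code) that generates a random passphrase with the operating system’s CSPRNG, estimates its entropy, and checks a candidate password against the four rules listed. The word list, the “personal data” tokens and the test passwords are constructed for the demo; a real generator would load a large list such as the EFF diceware list, which is assumed, not bundled.

```python
import math
import secrets
import string

# Constructed word list for the demo. A real generator would load a large
# list such as the 7,776-word EFF diceware list (assumption: not bundled here).
WORDS = ["ledger", "maple", "quartz", "harbor", "violet", "anchor",
         "cedar", "falcon", "meadow", "copper", "summit", "willow"]

# Constructed examples of personal data staff must keep out of passwords
# (a birth year, a pet's name, a surname).
PERSONAL_TOKENS = ("1985", "fluffy", "smith")


def generate_passphrase(n_words=4, wordlist=WORDS, separator="-"):
    """Random words joined by a separator plus a two-digit suffix, all drawn
    from the OS CSPRNG (secrets). The suffix exists only to satisfy the
    'letters, symbols and numbers' rule; the words carry almost all the entropy."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return separator.join(words) + separator + f"{secrets.randbelow(100):02d}"


def passphrase_entropy_bits(n_words, wordlist_size, suffix_choices=100):
    """Entropy of generate_passphrase output: each word contributes
    log2(wordlist_size) bits and the numeric suffix log2(suffix_choices) bits.
    With the 12-word demo list that is only about 21 bits; with a 7,776-word
    list and four words it is about 58 bits."""
    return n_words * math.log2(wordlist_size) + math.log2(suffix_choices)


def check_password(password, existing_passwords=(), personal_tokens=PERSONAL_TOKENS,
                   min_length=8):
    """Return the list of rules the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must mix letters, numbers and symbols")
    lowered = password.lower()
    # 'Unique from all other passwords': compare against the user's other
    # passwords (what a password manager does for you), case-insensitively.
    if lowered in {p.lower() for p in existing_passwords}:
        problems.append("reused: already in use for another account")
    # Reject anything built from personal data the attacker could look up.
    for token in personal_tokens:
        if token.lower() in lowered:
            problems.append(f"contains personal data: {token}")
    return problems


if __name__ == "__main__":
    pw = generate_passphrase()
    print(pw, "->", check_password(pw) or "passes all rules")
    print("Fluffy1985 ->", check_password("Fluffy1985"))
```

Run it and the generated passphrase passes every rule, while a password such as “Fluffy1985” is rejected for missing a symbol and for containing the pet’s name and the birth year. Note that the checker only catches personal data it has been told about; the generator, not the checker, is what actually produces strong passwords.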

#3: Double-Check Your BYOD Policy

It’s increasingly common for firms to allow employees to use their devices to access company data and conduct business activities, commonly known as Bring Your Own Device (BYOD). While outsourcing and remote work are great ways to improve efficiency, the use of personal devices for company activities means a broader attack surface for your firm.

Here are four precautions to take so your staff can work productively and more securely:

  1. Keep every device that touches firm data current with operating system and application updates.
  2. Require two-factor authentication on logins to firm systems, so a stolen password alone is not enough.
  3. Develop written policies covering the use of personal devices and company equipment and systems.
  4. Avoid sharing sensitive data about personal or corporate matters on social media, where it feeds password guessing and phishing pretexts.

#4: Create a Data Security Plan

In 2019, the IRS urged all tax professionals to take steps to better protect client data, including developing a data protection plan. As part of its checklist, the IRS noted that the FTC’s Safeguards Rule requires that firms:

  • Designate at least one employee to manage its information security program.
  • Evaluate threats to customer data and assess the effectiveness of current security.
  • Develop safeguards and partner with qualified service providers to implement them.
  • Adjust these safeguards as business operations or security monitoring necessitate.

There are four specific steps the IRS recommends:

  1. Install and use anti-virus software, and keep it updated.
  2. Set up a software or hardware-based firewall.
  3. Encrypt local storage drives (full-disk encryption), so a lost or stolen laptop does not expose client files.
  4. Use a virtual private network to secure connections on home, public or otherwise unfamiliar networks.

You can find more information in the security guide provided by the National Institute of Standards and Technology.

#5: Be Vigilant Against Phishing and Malicious Emails

Though it can seem like old news, phishing remains especially relevant. Wombat Security’s 2018 State of the Phish report found that approximately three-quarters of the companies surveyed had been targeted by phishing attacks.

I recently wrote a short piece on Quora about getting more employee engagement in monitoring security. Companies have begun to perform phishing simulations with the help of resources such as Infosec’s WORKed video series. Resources like this are useful because they are often more engaging and interactive than a PowerPoint full of statistics and graphics.
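Training teaches staff what to look for; the same indicators can also be checked automatically. The Python example below is added for this article (it is not the author’s code or any vendor’s product) and scores a raw email for four common phishing tells: a display name that borrows a trusted brand while the address comes from another domain, a Reply-To that diverts replies elsewhere, urgency language, and links whose visible text names one site while the href goes to another or to a bare IP address. Both sample messages, the list of trusted domains and the urgency cues are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for this example; neither is a real email.
PHISH = """\
From: "IRS e-Services" <notices@irs-efile-support.com>
Reply-To: collect@mail-relay.example.net
Subject: URGENT: your EFIN will be suspended in 24 hours
Content-Type: text/html

<p>Verify your account immediately:
<a href="http://198.51.100.23/efin/login">https://la.www4.irs.gov/eservices</a></p>
"""

BENIGN = """\
From: "Jane Doe" <jane@client.example.com>
Subject: Q3 receipts
Content-Type: text/plain

Hi, the receipts for Q3 are attached. Thanks!
"""

# Assumption: organisations the firm actually corresponds with. The first
# label ("irs") is the brand word a spoofed display name would mimic.
TRUSTED_DOMAINS = {"irs.gov"}
URGENCY_CUES = ("urgent", "immediately", "suspended", "24 hours", "verify your account")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Good enough for .com/.gov demos;
    a real tool would use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def _addr_domain(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the decoded text parts (handles single-part and multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw):
    """Return human-readable indicators found in the raw message; [] means none fired."""
    msg = message_from_string(raw)
    found = []
    display, _ = parseaddr(msg.get("From", ""))
    from_domain = _addr_domain(msg.get("From"))

    # 1. Display name borrows a trusted brand but the address is not that org's domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if re.search(rf"\b{re.escape(brand)}\b", display.lower()) and registered_domain(from_domain) != trusted:
            found.append(f"display name {display!r} but sender domain is {from_domain}")

    # 2. Reply-To routes replies to a different domain than the visible sender.
    reply_domain = _addr_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Pressure language in the subject or body.
    body = _body_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    cues = [c for c in URGENCY_CUES if c in text]
    if cues:
        found.append("urgency cues: " + ", ".join(cues))

    # 4. Link text that names one site while the href goes elsewhere, or to a bare IP.
    for href, label in ANCHOR.findall(body):
        href_host = urlparse(href).hostname or ""
        label = re.sub(r"<[^>]+>", "", label).strip()
        label_host = urlparse(label).hostname if label.lower().startswith("http") else None
        if label_host and registered_domain(label_host) != registered_domain(href_host):
            found.append(f"link text shows {label_host} but href points to {href_host}")
        if IPV4.fullmatch(href_host):
            found.append(f"link target is a bare IP address: {href_host}")
    return found


if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, "->", phishing_indicators(sample) or "no indicators")
```

The constructed phishing message trips all four checks (five indicators in total, since the link is both mismatched and a bare IP), while the benign client email produces none. Heuristics like these are a supplement to, not a replacement for, a mail gateway that evaluates SPF, DKIM and DMARC; the point for staff training is that each indicator is something a person can also see by hovering over a link or reading the real address behind a display name.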

Security Should be a Priority

Staying vigilant and continually learning about the latest security threats to your firm will help you better protect your practice and your clients in an evolving threat landscape. As clients become more concerned about how their data is managed and handled, prioritizing security as a firm will help you stand out as a clear choice and trusted advisor.