Preparers are a special target for cybercriminals, a security expert told tax professionals during a recent webinar on cyber-security.
“You have to do what you have to do to protect your business,” host Jake Solis, co-CEO of the IT consultancy 1+1 Technology, said during the webinar, “Cyber Security Breach Prevention and Response,” which was presented by the Latino Tax Professionals Association.
Tax preparers make juicy targets because their hard drives hum with “personal identifiable information” – the scans of clients’ driver’s licenses, W-2s and previous years’ returns, for instance – that cybercriminals want.
Preparers are obligated to protect access to this information and to ensure that the data isn’t modified or damaged, especially in this age of FACTA and HIPAA – but that can be difficult, particularly for smaller practices.
“The small guys don’t have the security,” Solis explained.
No target too small
Cybercrime’s global economic impact has reached $1 trillion and spawned a sophisticated industry that is learning to steal more effectively from corporations and Main Street alike.
Globally, cybercrime now incorporates training, start-up kits and percentage programs for various levels of thieves (a.k.a. Cybercrime-as-a-Service, or CaaS). Cybercrooks – particularly those infecting victims’ computers with ransomware and demanding Bitcoin payment to release a victim company’s own information – can operate far below the level of headline breaches like those at Yahoo or Scottrade. They can demand just a few thousand dollars, which many small businesses pay simply to get back in operation, Solis said.
“Are we freaked out yet?” Solis asked the audience.
Protect yourself
Aside from up-to-date anti-virus software, attention to security updates and patches, and strong passwords, tax prep firms should prepare for data breaches with a security incident response plan – one that is revisited as frequently as the company’s general business plan, Solis said.
A firm’s response plan should cover who has access to its information; event monitoring to pinpoint security incidents; a backup plan beyond just external hard drives; encryption protection; and what identity information is at risk if a business loses a cell phone, laptop or other device. After a breach, firms should isolate the devices affected, gather computer activity logs, notify key personnel (including lawyers) and document the breach as much as possible, among other steps.
There are a few key questions firms should consider in the wake of a breach, Solis said: What were the source and capabilities of the attacker or malicious application? What did the attacker hope to achieve? And how can the firm prevent it from happening again?
In the end, Solis urged attendees to consider the ramifications of a breach in an industry built on trust. “Do you think clients will do taxes with you again” after an undefended breach? he asked. “Do you think word won’t spread about what happened to your business?”