The Tax Information You Store – Is at Risk! You Don’t Have To Be an Easy Target for Hackers.

As a modern tax professional, you know highly sophisticated cyber attacks makes your business a potential target. With more of your business information being digitized, cybersecurity becomes a key component of your overall security. It’s the best way to guarantee your data is secure, and why you protect yourself and your clients’ information from unauthorized access.

But here’s 2 pieces of information you may not know:

Information Security vs. Cybersecurity

Information Security is formally defined as The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability.

Cybersecurity is a key component of Information Security. It involves the protection of electronic devices and electronically stored information, with the similar goal of ensuring its availability, integrity, authentication, confidentiality, and non-repudiation.

More information like this can also be found in the U.S. Federal Government’s National Institute of Standards and Technology (NIST) published guidelines entitled: “Small Business Information Security: The Fundamentals” It’s worth reading.

“Verizon’s 2016 Data Breach Investigations Report found a shocking 30% of recipients open phishing messages and 12% click on attachments.”

What’s a Cybercriminal’s Best Weapon? Ignorance!

“Small and medium-sized businesses (SMBs) are a prime target for hackers today”, says Jim Krantz of Krantz Secure Technologies. “They are easier prey than larger enterprises because most don’t have data security policies in place. Not to mention, they don’t believe they will ever be attacked, so they won’t take the time or invest the money to protect their business. For those reasons, the Dark Web makes it easier and cheaper for anyone to use ransomware solutions, like Petya and WannaCry, to place a “bull’s eye” on your business.”

Don’t be fooled – Your Files Have “Theft Value”.

Cybercriminals want your data – your client’s data – and your money, and will not stop until they get what they want. But how?

Attack Vectors – Below is a diagram which shows the most common “attack vectors” being used, that hackers don’t want you to know about.

But what are Attack Vectors? They are the steps, codes, keystrokes and software a hacker uses to gain access to your computer or network to deliver malware that can result in:

• Damage to your information or systems
• Regulatory fines, penalties and legal fees
• Decreased productivity
• Loss of critical business information
• Loss of trust from your clients
• Damage to your reputation
• Damage to your credit so you can’t get loans
• Loss of business income
• Financial loss due to ransomware or wire transfer exploits

The purpose for the theft? Hackers steal your clients’ data, so they can:

• Sell it on the Dark Web
• Access financial accounts for withdrawals
• Set up credit card accounts
• File fraudulent tax returns in victims’ names to collect refunds

As you can see, taxpayer information you store is at great risk. That information, left unprotected, is a target for data theft.

Hacking is a crime. It remains a top priority for the IRS to end this criminal activity. To help keep you informed and up-to-date, back in 2015, the IRS implemented National Tax Security Awareness Week for:

• Tax return preparers
• Software providers
• State tax agencies
• Payroll providers
• Financial Institutions

The IRS urges you to take the time between tax seasons to contemplate your cybersecurity measures.

Visit their Protect Your Clients, Protect Yourself Campaign.

And yes, it is your legal obligation to protect taxpayer’s personal information. The good news is, there are easy steps you can take and is affordable to protect your organization. Once in place, your program balances security with the needs and capabilities of your business. When viewed as part of your business strategy and regular processes, information security makes sense.

Follow These Best Practices.

Protect Your Credit.

• Set up Fraud Alerts with your banks, credit companies, and credit cards.
• Regularly check your credit report from each of the 3 bureaus.
• Monitor all accounts closely, even small transactions.
• Freeze your credit report with all 3 services.

Your FICO Score is used in over 90% of U.S. lending decisions. Taking these steps won’t impact your credit or ability to use existing credit cards. However, if you’re applying for a loan, you’ll need to “thaw” your account. Allow 3 days for the reports to become available.

Classify Your Data.

• Identify what information your business stores and uses.
• Determine the value of your information. If you can’t estimate it in dollar amounts, then classify it as low, medium or high.
• Ask yourself–What would happen to my business if:
  • Was this information made public?
  • Was this information incorrect?
  • I or my clients couldn’t access this information?
• Do I even need this data? Don’t collect personal information you don’t need. If you require it for only a short period of time, make sure you have a process to promptly and properly discard it.

Security Awareness Training for Your Employees

Remember, hackers will try to gain access to your network any way they can. It’s a lot easier for the bad actors to attack using your employees, than a well-maintained infrastructure.

Let’s look at how employees may be your biggest vulnerability:

• Employees share their passwords with other employees.
• Using simple passwords easily cracked and stolen by brute-force hacking tools.
• They get tricked by phishing attempts and CEO fraud.
• Unknowingly divulge confidential information or provide access to funds.

For this reason, it’s recommended that you have a professional conduct Security Awareness Training on a regular basis.

Secure Your IT Infrastructure.

1. Your network must be well managed with patching, virus protection backup solutions and firewalls that are diligently kept up to date.
2. Use GEO IP Filtering on your Firewall whenever possible. This feature allows you to block connections to or from a geographic location. It should be a next-generation firewall with perimeter malware protection.
3. Be sure you have reliable backups, both onsite and offsite.
4. Use next-generation endpoint protection, which also includes any printers and copiers that are connected to your network.
5. Use strong up-to-date spam and content filtering.
6. When using remote access 2 Factor Authentication is essential.
7. Undergo an annual cybersecurity assessment.
8. Deploy a proactive effort with incremental layers of security to meet today’s new security challenges.
9. Conduct ongoing Internal Vulnerability Assessments and Remediation.
10. Provide Cybersecurity End User Training.
11. Get Cybersecurity Insurance. (Your provider should be part of your Incident-Response Team.)
12. Develop a Cybersecurity Policies and Procedures Manual.
13. Make sure you have a written (and tested) Business Continuity Plan.

Let’s Not Forget to Use the SANS 20 Critical Security Controls

The SANS 20 Critical Security Controls were adopted by regulatory and government agencies as the foundation for security strategies. By implementing these controls you can reduce the potential impact of cyber attacks. They may seem daunting, but the experts at Krantz Secure Technologies can help you streamline the process and ensure your firm is following the best practices for information security.

Ensure Your Mobile Devices Are Secure as Well.

With the proliferation of mobile device use and BYOD (bring your own device) to work, your business needs secure mobile device solutions. Mobile Device Security ensures your work force uses their devices in a secure and controlled manner. It protects your data, whether it’s deployed across multiple mobile service providers or on a variety of mobile operating systems.

Your Mobile Device Security solutions should allow:

• Access to remotely locate, wipe or lock a stolen device.
• Permission to wipe only business data from a personal device.
• Dynamic security features that continuously monitor and manage devices.
• Implementation of secure passcode policies.
• Enforced encryption policies.

Your Mobile Device Security should include your employees’ smartphones. They may contain valuable contact information and emails that cybercriminals want. Even text messages can be spoofed.

Bluetooth is convenient but not secure. Viruses can be spread via Bluetooth and hackers can use it to connect and compromise your phones. Always turn off Bluetooth when it’s not needed, and disable automatic pairing. Also, set your devices to “Non-discoverable.”

WiFi Hotspots can put your business information at risk. Anything that you send over an unsecured Wifi can be intercepted. Always turn off WiFi when you’re not using it. Don’t allow your device to auto-join unfamiliar networks. And don’t send sensitive information over WiFi unless you know it’s secure.

Keep an Internet Security Mindset.

Simply visiting an unsecured site without clicking any links can compromise your cybersecurity. When browsing online be sure to check the website’s security status. Make sure it begins with HTTPS before you enter any personal or financial information. You want to see a closed padlock symbol next to the URL (shown below). This means that GeoTrust has confirmed the site’s security is up to date.

Be Careful with The Internet of Things (IoT).

The IoT refers to the connection of devices to the Internet. Cars, appliances, medical and manufacturing devices are all being connected through the IoT— With the rapid development of the IoT, and the fact that more small devices are connected into the Internet, security is an increasing concern.

Many IoT devices have weak or no security. There are known vulnerabilities that can’t be patched or upgraded. If you use them in your business, they should be isolated to their own network.

Take the Time to Protect Your Business

Before It’s Too Late.

As you have learned, there is much to be considered, when it comes to protecting your business from today’s hackers. Off-the-shelf software is no longer the answer. The good news is Krantz Secure Technologies can address potential cybersecurity threats. We’ll train your staff to recognize and defend against them. Security Awareness Training, coupled with our Cybersecurity Solutions, will protect your business against today’s ever-growing forms of cybercrime.

For assistance, contact us at (202) 286-0325 or via the contact form on our website.