Cybersecurity- what do you do?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Cybersecurity- what do you do?

    So I've been thinking lately, with all of the security issues, what should we as preparers do to protect client data?
    Do any of you use bitlocker or any kind of encryption software to protect sensitive data?
    I may have as many as 10 years worth of returns on my server, totaling thousands of names, SS#'s, DOB's and addresses.

    Of course I use antivirus and have a hardware firewall but what if any other steps should we be taking?

    thanks

    #2
    Seminar

    Originally posted by GradyFinance:
    So I've been thinking lately, with all of the security issues, what should we as preparers do to protect client data?
    Do any of you use bitlocker or any kind of encryption software to protect sensitive data?
    I may have as many as 10 years worth of returns on my server, totaling thousands of names, SS#'s, DOB's and addresses.

    Of course I use antivirus and have a hardware firewall but what if any other steps should we be taking?

    thanks
    Just attended an IRS seminar (Data Thefts and Protecting Client Tax Information) that went over the steps to do for what you are discussing. They had a CPA whose firm was "hacked" and the tremendous effects on his practice. One of the many safeguards is to make sure your insurance includes ID theft.

    You may want to check the IRS website or ask any accounting/tax association you belong to.
    Always cite your source for support to defend your opinion



      #3
      I do use bitlocker. I also have bitlocker set up to require a PIN on boot. Of course an antivirus and no personal use on the work computers. You do need to think about more than just the computer security though. For example if John Doe calls your office and says he needs his tax return information for FAFSA or something, would you or your employees provide it? Is there something in place to ensure John Doe is in fact John Doe? Not to mention taxpayer folders stored at employee desks, unencrypted backups on USB or external hard drives, or even something like the cache on your printer / scanner / fax machine.

      I meant to watch the IRS webinar but missed it, I'll have to find the archived version and see what they suggest.



        #4
        Yes

        Originally posted by David1980:
        I do use bitlocker. I also have bitlocker set up to require a PIN on boot. Of course an antivirus and no personal use on the work computers. You do need to think about more than just the computer security though. For example if John Doe calls your office and says he needs his tax return information for FAFSA or something, would you or your employees provide it? Is there something in place to ensure John Doe is in fact John Doe? Not to mention taxpayer folders stored at employee desks, unencrypted backups on USB or external hard drives, or even something like the cache on your printer / scanner / fax machine.

        I meant to watch the IRS webinar but missed it, I'll have to find the archived version and see what they suggest.
        You bring out some good points. Yes, see if you can find the webinar because the CPA thought he had everything covered like you state. Unfortunately more steps need to be taken as brought out by IRS, Homeland Security reps. and the CPA in the seminar that will surprise you.

        Not to be taken lightly because the scammers and hackers are always a step above.
        Last edited by TAXNJ; 11-05-2015, 06:10 PM.
        Always cite your source for support to defend your opinion



          #5
          It's not on the IRS archived webinars yet.

          I was able to register and am viewing now though, despite it being from 10/20. There's even a transcript in the webinar materials.

          As far as the CPA, "We spent a weekend looking through the tax program and noticed all clients in the 2011 tax program had been backed up to an unknown source in the early hours of a morning in October of 2012" and "Homeland Security imaged all of our computers to try to find out how the hackers got in. It was at this time that the Homeland Security advised us that they knew who was responsible and that they had used a remote access program to gain access to our server. They then used a program known as Brute Force to crack the password protection."

          Probably not a program named "Brute Force" but more likely the method of attack. There don't seem to be specific details (I suppose they wouldn't want to teach people how to hack into a computer), but the likely scenario to me seems to be a remote access program intentionally installed for the CPA's use to do work remotely (something like "logmein") and then a brute force attack to get the password (basically you try a lot of combinations of words/numbers/etc. until you get the password right - of course automated by software).

          I would guess it's a targeted attack rather than random luck. The hacker would probably know they were attacking a tax office and how/where to get the tax data from that office. A random attack seems less likely, but I don't see it mentioned in the transcript.

          "What steps have we taken? Computer passwords were increased to at least 12 alphanumeric symbol
          characters. If a password is typed in incorrectly more than three times, our computers shut down. All
          taxpayers have individual passwords in the tax program. Our computer passwords are changed every
          three months. Firewall, antivirus, malware programs are updated by our IT firm regularly. We even
          installed motion detectors in our offices, and new locks at our office. All information sent to clients over
          the Internet that contains any type of personal information is encrypted. Our office computers completely
          shut down with no access available during certain hours of the day. In our particular case the systems are
          shut down between 11:30 PM and 5:30 AM. We do not have Wi-Fi in our office."

          The more complex passwords and especially the 3 attempt lockout would have saved the day on that one. But of course that's just one method a hacker could use.

          I think the majority of tax offices would be susceptible to the "smash and grab". Easy to target tax offices (they're in the yellow pages!), you just smash a window and take the computers. Then at your leisure extract the data. Firewalls and antivirus completely pointless because it's a physical method. Bitlocker would be one defense on that method, but again that's just one method a hacker could use.
          Last edited by David1980; 11-05-2015, 07:50 PM.

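The two controls quoted above (12+ character passwords and a lockout after three bad attempts) plus the "a lot of combinations ... automated by software" pattern can be modelled in a few lines. The following is an added example written for this thread, not code from the forum, the CPA or the IRS webinar; the password policy check, the lockout counter and the detection of repeated failed logins from one source are each written out, and the log line format, the addresses, the five-minute detection window and the ten-failure threshold are all constructed assumptions.

```python
"""Account lockout and failed-login burst detection, modelled on the controls
quoted in the thread. Added example; thresholds and log format are assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 3                            # "3 attempt lockout"
MIN_PASSWORD_LENGTH = 12                    # "at least 12 alphanumeric symbol characters"
BRUTE_FORCE_THRESHOLD = 10                  # assumed: failures from one source inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=5)   # assumed detection window


def password_meets_policy(password: str) -> bool:
    """12+ characters mixing letters, digits and at least one symbol."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


class LoginGate:
    """Counts consecutive failures per user and locks the account at MAX_FAILURES."""

    def __init__(self, credentials: dict):
        self._credentials = credentials     # demo only: a real system stores salted hashes
        self._failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user: str, password: str) -> str:
        if user in self.locked:
            return "locked"                 # further guesses are not even compared
        if self._credentials.get(user) == password:
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self.locked.add(user)
            return "locked"
        return "fail"


# Assumed log format for the remote-access service: "<date> <time> LOGIN OK|FAIL user=<u> src=<ip>"
LOG_RE = re.compile(r"^(\S+ \S+) LOGIN (OK|FAIL) user=(\S+) src=(\S+)$")


def detect_brute_force(log_lines):
    """Return ({src: failure count} for sources that hit the threshold inside the window,
    {(src, user)} pairs where a success followed such a burst from the same source)."""
    recent = defaultdict(deque)             # src -> timestamps of failures still in the window
    flagged = {}
    compromised = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                        # unrelated or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        outcome, user, src = m.group(2), m.group(3), m.group(4)
        q = recent[src]
        while q and ts - q[0] > BRUTE_FORCE_WINDOW:
            q.popleft()                     # drop failures older than the window
        if outcome == "FAIL":
            q.append(ts)
            if len(q) >= BRUTE_FORCE_THRESHOLD:
                flagged[src] = len(q)
        elif src in flagged:
            compromised.add((src, user))    # guessing burst ended in a successful login
    return flagged, compromised


# Constructed sample log: twelve failures five seconds apart from one address, then a
# success from the same address, and one honest typo from a different address.
_base = datetime(2015, 10, 20, 2, 13, 0)
SAMPLE_LOG = [
    f"{_base + timedelta(seconds=5 * i):%Y-%m-%d %H:%M:%S} LOGIN FAIL user=admin src=203.0.113.7"
    for i in range(12)
] + [
    "2015-10-20 02:14:05 LOGIN OK user=admin src=203.0.113.7",
    "2015-10-20 09:01:10 LOGIN FAIL user=jane src=198.51.100.4",
    "2015-10-20 09:01:30 LOGIN OK user=jane src=198.51.100.4",
]


if __name__ == "__main__":
    gate = LoginGate({"admin": "Tax0ffice!Spring2015"})
    for guess in ("password", "admin123", "letmein", "Tax0ffice!Spring2015"):
        print(guess, "->", gate.attempt("admin", guess))   # fail, fail, locked, locked
    flagged, compromised = detect_brute_force(SAMPLE_LOG)
    print("flagged sources:", flagged)
    print("success after burst:", compromised)
```

With the lockout in place the fourth line of the demo shows the right password being refused too: once the counter trips, nothing is compared until an administrator unlocks the account, which is the property that makes automated guessing stop paying off. The log scan is the detection side of the same control; a source that racks up ten failures and then logs in is the record you would want an alert on, whether or not a lockout fired.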


            #6
            I have a firewall and anti-virus program. My business is all word of mouth. Not listed in phone book and I don't have a website. I figure my business is too small to get hacked.
            Believe nothing you have not personally researched and verified.



              #7
              We store everything offsite

              Originally posted by GradyFinance:
              So I've been thinking lately, with all of the security issues, what should we as preparers do to protect client data?
              Do any of you use bitlocker or any kind of encryption software to protect sensitive data?
              I may have as many as 10 years worth of returns on my server, totaling thousands of names, SS#'s, DOB's and addresses.

              Of course I use antivirus and have a hardware firewall but what if any other steps should we be taking?

              thanks
              All of our programs and data are on a cloud virtual server - an IBM facility in Dallas/Seattle. Client docs that might be left in the office while we process a return are in a safe overnight. There is nothing on the office computers - a smash and grab taking all computers should not yield any information. I will not even hint at the methods protecting access to the remote server.

              Christopher Mewhort, EA
              mewhorttax.com



                #8
                They mention Publication 4557 in the webinar, I think I was aware of it but never really looked at it much. There's some excellent checklists in it. For example Checklist 5 is "Computer Systems Security". There are 7 checklists.



                  #9
                  On the right track

                  Originally posted by David1980:
                  They mention Publication 4557 in the webinar, I think I was aware of it but never really looked at it much. There's some excellent checklists in it. For example Checklist 5 is "Computer Systems Security". There are 7 checklists.
                  Everyone's reply posts mention very good safeguards, but keep your interest in that webinar to see the additional info that the CPA thought his safeguards were the best. These scammers and hackers are the worst.
                  Last edited by TAXNJ; 11-05-2015, 09:15 PM.
                  Always cite your source for support to defend your opinion



                    #10
                    While I am interested in the Cyber Security, I have another question

                    What is everyone using for the Antivirus and Firewalls to protect us from the so called Ransom viruses - Crypto various versions - I understand Microsoft Security Essentials and Defender can not block it.

                    Has anyone found a good "block" for this either from Emails or Internet

                    Sandy



                      #11
                      Originally posted by S T:
                      While I am interested in the Cyber Security, I have another question

                      What is everyone using for the Antivirus and Firewalls to protect us from the so called Ransom viruses - Crypto various versions - I understand Microsoft Security Essentials and Defender can not block it.

                      Has anyone found a good "block" for this either from Emails or Internet

                      Sandy
                      MSE can block ransomware. I think it's important to realize that no antivirus is 100%. As new malware is created there's always going to be some stuff that can get around the antivirus before an update is created for that antivirus or the user updates the antivirus program. More important than which antivirus program is ensuring that it's frequently updated. Certainly some antivirus have better detection rates on the new stuff and can get updates out faster than others.

                      Having an antivirus installed I think lets people get a little careless if they put too much trust in it. Definitely absolutely there should be an antivirus installed but it should be combined with caution as far as where one goes on the internet or what files they open, because nothing will be 100%.

                      That's actually the reason I have a no personal use policy on any computer with tax data. Most viruses you could avoid just by being cautious with emails/internet/installing software. But throw into the mix some employees that will click every link in email or worse open the file attachments and browse a lot of random websites and the risk just goes way up. Restricting personal use eliminates a lot of that.

                      In the IRS Webinar on protecting taxpayer data the guest CPA was talking about going one step further and not even using the computers with access to tax data for work related web use. Instead they would set up a search station where they could do tax research online that had no access to the tax data, so that if they did end up getting a virus or what not it would only affect that search computer and not cause a data breach of the taxpayers' information.

                      I do think ransomware is probably one of the lesser things to worry about. If my files get encrypted it's certainly an inconvenience for me - having to restore everything from backup. However it's much better than having someone take the taxpayer data for identity theft purposes which would be an absolute nightmare. Of course the defense for both would be the same as far as antivirus and computer use policies.
                      Last edited by David1980; 11-06-2015, 12:22 PM.
