Cetrom Blog - Industry insight from leading cloud provider

How CPAs Can Mitigate Cybersecurity Risk During The Extended Tax Season

Written by Cetrom | April 20, 2021

Tax season is the busiest time of year for CPA firms. Unfortunately, it’s also a busy time for hackers looking to target CPAs during this frenzied season. In today’s world, cybersecurity isn’t just a good business practice; it’s part of the rules and guidelines laid out by the IRS for all tax professionals. CPA firms are increasingly becoming the target of cyberattacks due to the rich client financial data they hold, the increase in remote work without strong security, and their often lax protection of client data. Tax season, with its increased client communication, frequent data transfers, data storage on mobile and at-home devices, and fast-paced environment, is a prime time for a number of different types of cyberattacks. However, there are steps CPAs can take to protect themselves. CPA firms can reduce their risk and ensure they protect their clients’ data through several manageable actions.

Data breaches are expensive and embarrassing. What’s more, they raise the added stress of potential legal action. Simply put, a CPA firm’s primary cybersecurity responsibility should be to protect their clients’ data at all costs. The ways to do that during the important and hectic tax season include encrypting and safeguarding important data while minimizing the impact of any breach, ensuring employees use best practices for security, using strong cyber defense systems, and employing a competent and diligent cybersecurity team.

Protecting Client Data 

Hackers can use compromised data in a few ways. They can directly steal money if they know specific account details along with enough personal information and passwords. They can also sell the data to third parties, steal an identity to get credit cards or other types of accounts, or hold the data hostage in exchange for a ransom. As such, CPA firms can take several precautions to ensure that sensitive data isn’t compromised. 

  1. Encrypt important email and data files: using encryption adds an additional layer of security. Even in the event of a security breach, hackers then need to break the encryption to get to the valuable data files. It may also give your security team enough time to add additional protection after they detect a breach. Because it adds time to their work, employees may resist encrypting communication and data, but adding encryption expectations to a data-use policy and providing the rationale for encryption should improve uptake. Consider using a virtual private network or virtual desktop to offer additional protection. Work with your IT team to integrate encryption into workflows to make adoption easier.
  2. Limit data access to an as-needed basis only: one common cyberattack relies on social engineering through email phishing that targets specific employees. If all employees have access to all the data, then if any employee gets hacked, that hacker will have access to any data they want. To prevent this, make sure that data is accessed only by those who have a critical need to see it, and that client data is only available to their specific team. Also, be sure your clients limit the amount of data they provide you. Be specific about what you need, and don’t need. While you may need access to their bank statements, don’t have them provide you their passwords (for example) unless absolutely necessary. 
  3. Retain data only as long as required: update your data retention policies to only keep data for as long as required for auditing or other purposes. As you archive data, be sure to encrypt it and protect it. Even if they are no longer an active client you’re still responsible for data security. This same advice holds true for emails in employees’ inboxes. 
  4. Create a security plan: the IRS requires a written security plan for all tax professionals. But it’s not just useful for compliance: a written plan, combined with practice, ensures your team is ready to respond quickly in the event of a security problem. The plan can act as a defense strategy as well as a fast response outline. It should help to identify risks to client data, how you can mitigate those risks, specify different responsibilities, and create opportunities to test and revise the plan. 

Even if a data breach has nothing to do with tax filing, if your CPA firm’s cybersecurity is compromised during tax season it’s going to have a bigger than usual impact on business. Do whatever is needed to protect client data so that your tax season can boom regardless of hackers’ intent. 

Provide Employee Training on Tax Season Specific Attacks 

Cybersecurity training for employees may not be popular, but research shows the majority of cyberattacks that succeed are the result of human error. We’ve written before about ways to protect your firm and the most common threats to CPA firms. Ideally, employees would receive regular training on preventing cyberattacks. During tax season, employees will be targeted with threats that are believable and tailored to issues faced during filing season. 

  • Social engineering scams: these attacks appear to come from a trusted colleague or client. Sometimes they’ll have a nearly identical email address or even a legitimate, but hacked, email account. They may request financial information for a client or ask that an employee make a financial transaction. During tax season, the busyness of this time of year may be used as an excuse for an unconventional or time-bound request. Always confirm a request with the colleague or client through a second channel, such as a phone call or in-person check-in. Be especially wary if the email seems inconsistent with the person’s writing style or work habits (if it was sent at 3 a.m., for example).
  • Spear-phishing scams: these scams are sophisticated and intended to appear legitimate. During tax season hackers will use email communications that look like they come from the IRS requesting information. They may also seem to come from accounting organizations or even your firm’s CEO. As a rule, never click an email link or open an attachment until you double-check its legitimacy. Be wary of any email that appears to come from the IRS or any email that asks for sensitive data.
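As an added illustration (not code from Cetrom’s post), the following Python triage routine checks an inbound message for the warning signs just listed: a sender domain that nearly matches a trusted one, a familiar display name on an unfamiliar address, a 3 a.m. timestamp, a message claiming IRS origin from a non-irs.gov address, and an urgent request involving payment or sensitive data. The firm’s trusted domains, the named partner and both sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr, parsedate_to_datetime

TRUSTED_DOMAINS = ("examplecpa.com", "clientcorp.com")  # assumption: firm and client domains
TRUSTED_NAMES = {"Jane Partner": "jane@examplecpa.com"}  # assumption: known address per name
BUSINESS_HOURS = range(6, 21)  # 06:00-20:59 in the sender's own time zone

def lookalike(domain, trusted):
    # Return the trusted domain that `domain` closely imitates, else None
    for t in trusted:
        if domain != t and SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t
    return None

def review_message(headers, body):
    """Return the red flags found in one inbound message; an empty list is clean."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Nearly identical sender address imitating the firm or a client
    imitated = lookalike(domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"sender domain {domain!r} resembles trusted {imitated!r}")
    # Familiar display name on an address that is not the person's known one
    if name in TRUSTED_NAMES and TRUSTED_NAMES[name] != addr.lower():
        flags.append(f"display name {name!r} used from unknown address {addr!r}")
    # Sent at an unusual hour (the 3 a.m. message)
    if "Date" in headers:
        hour = parsedate_to_datetime(headers["Date"]).hour
        if hour not in BUSINESS_HOURS:
            flags.append(f"sent at {hour:02d}:00, outside normal working hours")
    # Claims to come from the IRS without an irs.gov sender address
    claims_irs = re.search(r"\birs\b", (headers.get("Subject", "") + " " + name).lower())
    if claims_irs and not domain.endswith("irs.gov"):
        flags.append("claims IRS origin but sender is not an irs.gov address")
    # Time-bound request involving payment or sensitive data
    text = body.lower()
    if any(w in text for w in ("urgent", "immediately", "today")) and \
            any(w in text for w in ("wire", "ssn", "password", "w-2")):
        flags.append("urgent request involving payment or sensitive data")
    return flags

# Constructed samples: a 3 a.m. "partner" request from a lookalike domain, and a normal one
SUSPICIOUS = ({"From": "Jane Partner <jane@exampIecpa.com>",
               "Date": "Wed, 14 Apr 2021 03:07:00 -0400", "Subject": "Urgent - client W-2 files"},
              "Need the Smith W-2 files today, please send immediately.")
LEGIT = ({"From": "Jane Partner <jane@examplecpa.com>",
          "Date": "Wed, 14 Apr 2021 10:15:00 -0400", "Subject": "Q1 review schedule"},
         "Can we move the review to Thursday?")
```

Each flag is a reason for the recipient to confirm the request through a second channel, which is the check the text above recommends; the heuristics do not replace that confirmation.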

Tax season is popular with hackers as well as CPAs. Train employees to be on the lookout for scams at this time of year and reassure them that protecting data and finances takes priority over unverified, time-sensitive requests.

Use Enterprise-Level Cybersecurity 

At Cetrom, there are some practices and technologies that we believe will offer CPA firms the most protection. Consider using multiple types of artificial intelligence technologies to detect different threats. Deploy anti-spam and anti-virus protection, use the best hardware and software you can afford, move your CPA firm to the cloud to increase protection for remote work, use intrusion detection and prevention systems, and be sure to replicate, encrypt, and back up all data. Additionally, use other safeguards like multi-factor authentication and strong passwords on networks and devices.

  • Consider cybersecurity insurance: even with trained employees, data protection, and a premier security team, breaches still happen. Get a cybersecurity insurance policy that can help cover expenses in a worst-case scenario situation. 

Lastly, ensure your security team understands the unique responsibilities of a CPA firm, including the increase in cyberattacks targeting firms during the tax filing season.

Be Sure Your Security Team is Up to the Task 

At Cetrom, our security experts and engineers are available to respond to any issues 24/7/365. It’s important that your security team is available as needed, because hackers don’t work during business hours. What’s more, a cybersecurity team that can also act as a trusted advisor offers more value because they can make recommendations that help you stay ahead of the curve. Choose a security team that you can trust during tax season.