IRS provides new data security checklist amid growing risk


You know all too well how poor tech security can lead to big financial loss. Whether you lead a department of five at a small biz or manage a team of fifty at a large corporation, security risks remain high, IRS warns.

That’s why the Service’s urging you to review your own security practices this summer – and providing a thorough checklist to do so. Here’s a look at the new “Taxes. Security. Together” Checklist, plus some additional insight straight from IRS, so you can keep your secure data safe and sound:

1. Implement the Service’s “Security Six” measures

First and foremost, you’ll want to go over your company’s controls for:

  • Anti-virus software. Computers should be regularly scanned for signs of malicious software. Since new threats pop up daily, it’s key to install the latest software updates.
  • Firewalls. These protect more against malicious traffic, not programs, IRS notes. But used with software and other safety measures, they create another important layer of protection.
  • Two-factor authentication. This usually involves a username/password and another step, like a security code. The thought behind it: Someone may know your credentials, but not the security code, so your data remains safe.
  • Backup services. In case of data loss, backups (stored online or on a hard drive) can be a lifesaver.
  • Drive encryption. This technology turns data into unreadable files for unauthorized people. It can come as a stand-alone product and IRS advises companies to look into adding it.
  • Virtual Private Networks. By creating and securing these networks, IT can ensure that only those who should access your networks can.

2. Create a data security plan

Your company likely has a data security plan, but when was the last time it was reviewed? With the emergence of new technology and new scams, it’s smart to take a second look now. Verify that it addresses IRS’s key risk areas:

  • Employee management. This should include how often employees are trained and what’s covered. Of course, that should change over time as your company systems and the cybersecurity landscape change.
  • Information systems. Regular communication and strong collaboration with IT can help ensure your department always gets the latest updates, backup services and security awareness.
  • System failures. What happens when things go wrong? Your plan should address how to detect and manage system failures, no matter what type of disruption causes them.

3. Be alert to current and evolving scams

Proper fraud prevention includes educating yourself and others on a regular basis. There are two big scams that IRS spotlights as focal points for your company:

  • Phishing emails. You know that business email compromise (BEC) scams, where an impersonator makes a request for secure data or money, are growing more and more prevalent. In fact, 80% of companies were hit, and 54% of those incurred financial loss in 2018.
  • Ransomware. With just one click on a malicious link, either online or in an email, ransomware can be downloaded onto computers.

4. Recognize the signs of data theft

When your department is up to date on data security, it can effectively put that knowledge into practice. After all, spotting suspicious data threats is the first step to beating them. Along with the advice listed above, IRS also recommends you focus on:

  • Strong passwords. Avoid common keywords (12345, password, qwerty, etc.) and avoid using the same password for all accounts and systems. A passphrase may be a good alternative. The harder your credentials are to guess, the more secure your data is, too.
  • Source legitimacy. Your staffers should especially be on guard for emails and calls that come from fraudsters posing as legitimate organizations you trust (like your bank, your credit card company or even IRS).
  • Caution. Of course, it’s always good to pause before you act. Remind staffers to be hesitant. Don’t instinctively click on links or download attachments from unknown sources.

5. Create a data theft recovery plan

Last but not least, your company should have a written plan of security measures and policies to show that you’re prepared. Here are some factors you’ll want to consider:

  • Initial steps. When panic ensues, staffers may freeze up. Outlining clear first steps will ensure your department’s able to spring into action without missing a beat.
  • Contacting officials. In the event of data theft, do you know who your local IRS Stakeholder Liaison is? How about your local law enforcement office? That information should be listed, so you can alert them immediately.
  • Third-party help. Ultimately, it may be beneficial to contract with a cybersecurity expert that could help your company prevent and stop thefts, IRS advises.