As tax season gets underway, building up to its usual flurry of mid-April activity, it’s worth talking about information security for CPAs and small businesses. At a time when more sensitive business information is shared than at any other time of year, both need to be aware of the increased risks they face.
Federal News Radio reports that IRS Commissioner John Koskinen said on a January 5th press call that the IRS was well prepared for its busy season, despite the increased risk of cyber attacks.
“We expect to see more than 153 million individual tax returns filed in 2017,” he said. “And more than 80 percent will be prepared electronically using tax return preparation software.”
Some measures to protect taxpayer information are already in place, and this year sees the launch of the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC), which will “serve as the early warning system for partners, collecting and analyzing tax-related identity theft schemes.”
Koskinen continued: “We have to be on our guard. […] If people can’t get into our systems, if they can’t get into the state systems, the next logical place they’re going and we’ve seen evidence of that, is into the preparers’ systems.”
All CPAs should be concerned about the security of the information they gather, process, and transmit, although an interesting – and alarming – blog post from the Office of Inadequate Security last September suggests that this isn’t the case. It concludes: “we, the public, continue to trust our personal information and financial information to businesses or entities that do not have adequate infosecurity, may not have adequate insurance to cover breach costs, and do not have a clue what to do when data breach disaster hits.” Hardly reassuring.
The best-practice approach to cybersecurity for CPAs
CPAs should turn to international best practice to improve their security. An ISMS (information security management system) that complies with the international standard ISO 27001 provides an enterprise-wide approach to managing information security risks, and covers people, processes, and technology. Certification to the standard is regarded worldwide as the hallmark of good information security, and should reassure your clients that you are keeping their critical information safe.
Clients should look to CPAs that can show they have implemented security best practices, and should give serious consideration to implementing an ISO-27001-certified ISMS themselves.