Third-party IT vendor

IT Tips for Today’s Tax Professionals

April 2, 2019 by securewebsite

With tax day just two weeks away, many people may have their minds set on getting their taxes filed fast if they haven’t done so already. Tax professionals always find themselves swamped from February to May with businesses and individuals alike trying to finish up their taxes for the previous year. As a result, information technology (IT) may not be on the top of your mind as a tax professional but it should be.

With all of the personally identifiable information (PII) tax professionals work with on a daily basis from birthdates to social security numbers, IT security is a must to prevent breaches and data loss. Here are some top tips to keep your tax business and your clients safe.

Don’t Get Phished

Phishing emails are one of the most common ways hackers target businesses through email according to the Internet Security Threat Report Volume 24 by Symantec. “Employees of smaller organizations were more likely to be hit by email threats- including spam, phishing, and email malware- than those in large organizations,” according to the report.

Learn how to recognize phishing emails and train your employees to do so as well. Emails from unknown sources, especially those coming from someone pretending to be the Internal Revenue Service (IRS), e-Services, a tax software provider, or cloud storage provider should be deleted. Be sure to never open any link or attachments in suspicious emails as this is how the bad guys access your email and network. Note that the IRS never initiates initial contact through email with tax professionals regarding returns, refunds, requests for PII or other sensitive data.

The Symantec report does offer some good news in that “Phishing levels declined, dropping from 1 in 2,995 emails in 2017, to 1 in 3,207 emails in 2018.” This may be the result of better training and anti-phishing software. Be sure to keep your employees trained so your business isn’t phished.

Draft Your Data Plan

Every business, especially those in industries that are highly regulated or those that are often targeted due to the sensitive information they handle, should create a data security plan. When it comes to tax professionals, your security plan should use IRS Publication 4557, which addresses the proper safeguarding of taxpayer data. You will also want to look at Small Business Information Security- The Fundamentals developed by the National Institute of Standards and Technology, a non-regulatory federal agency charged with promoting U.S. innovation and industrial competitiveness.

These standards outlined in these publications will help you develop a data security plan that meets rigorous standards and the individual needs of your tax business. If you need assistance developing a data security plan, third-party vendors such as ORAM Corporate Advisors can handle this for you through an IT assessment.

Security Software

You’ll need to review the internal controls your business has in place to protect its data. Start with installing anti-malware and anti-virus software if you haven’t already done so, or if you have, you may want to update the software you have in place. This will need to be done on all of the devices used for business from laptops and desktops to routers and tablets. Don’t forget about your phones as well. Be sure to keep your security software set to automatically update as software companies push out updates and patches regularly.

Powerhouse Passwords

Be sure to use passwords that are powerful. Use a mix of at least 8 or more upper and lowercase characters, numerals, and signs in your passwords. Ensure your passwords are strong and unique for each different login you have. While this might seem overwhelming, there are a number of password managers available that can help you keep them all straight.

You will also want to password protect every wireless device in case of loss or theft. Use a phrase or words that are easily remembered and periodically change your passwords. Finally, never use old passwords and use multi-factor authentication wherever possible. Be sure to train your employees on these password best practices as well.

A Prescription for Encryption

In addition to strong password protections, one of the best ways to secure data in your tax business is to encrypt sensitive files and/or emails. In a worldwide survey of businesses by Statista, encryption was “employed extensively” by 63 percent of enterprises in 2018. Another 24 percent of businesses survey by Statista said encryption was partially deployed in their company databases. There are many types of encryption software to choose from. At ORAM, we recommend Mimecast for email encryption. For full-drive encryption, ORAM recommends eSet Endpoint Encryption so you can encrypt your sensitive files when they are in storage.

Back It Up

Be sure to back up all of your sensitive data to protect your business in the event of a disaster scenario. Ransomware is rampant, viruses can infect your network, and natural disasters such as fires and hurricanes can wipe out your data. To ensure that you always have access, have a backup plan in place and know exactly what you are backing up and to where. See ORAM’s blog on “The Biggest Backup Mistakes Businesses Make” to learn what to avoid.

Proper Disposal

Make sure that when you dispose of data, it’s being done so properly. Whether you are super shredding hard copies of data or replacing old computers, be cognizant of how you do it. All of your old computer hard drives should be wiped clean or destroyed before you dispose of them. This is also true of printers which can also store sensitive data.

Limit Access

Limit access to taxpayer data to only those employees who require it to fulfill their job duties. This is meant to protect both your client data as well as your own business. While many breaches happen due to outside sources, internal threats are still an issue in organizations around the world.

As a matter of fact, an online article from Security Intelligence reported that insider threats account for nearly 75 percent of security breaches. Disgruntled employees, those recently let go, and others may be ready to turn on your business to make a buck or out of spite. In the IT world, this limited access is known as the practice of least privilege. Be sure to employ it to protect your business from insider threats.

Check Your IRS e-Service Account

Be sure to check in on your businesses IRS e-Service account on a weekly basis. This allows you to ensure that the number of returns your business has filed with its EFIN is correct. If there are any discrepancies with the number of returns filed, contact the IRS immediately. Additionally, you will want to report any data theft or loss immediately. You will need to determine the appropriate IRS Stakeholder Liaison with whom to report the loss.

Keep In Contact

Stay in contact with the IRS and keep abreast of new developments though a subscription to the e-News for Tax Professionals, the latest national and local IRS news. QuickAlerts sends important messages, within seconds, to keep you up to date on the events that affect authorized IRS e-file providers like you. You can also keep in contact with the IRS through various social media as an authorized IRS e-file provider.

The IRS also has a Data Security Resource Guide for Tax Professionals that details the signs of data theft, teaches you how to report data theft to the IRS, and provides a number of data theft links. We recommend all tax professionals download the guide and read through it so you are prepared for a worst case scenario. This way you won’t be struggling for resources when you’re already under stress.

If you need more assistance securing the data of your tax business, please contact ORAM today at (617) 933-5060 or visit us online. We are happy to schedule a free initial consultation to get your tax business on the road to better security fast.

The Modern Office and Business Continuity

March 7, 2019 by securewebsite

What you need to know to protect your company

The modern office requires that all components of your business environment work together harmoniously to ensure the best use of your IT infrastructure and seamless scalability as your business grows. One of the major components of the modern office is business continuity. This is an imperative piece of a solid IT plan for every company regardless of size or industry.

Business Continuity

When IT professionals discuss business continuity, they are generally referring to a proactive approach of having the right processes and procedures in place to ensure mission-critical functions continue to work properly in the face of a disaster or while a business is recovering from one. When it comes to business, there are many moving parts that still need to continue operating smoothly whether your company experiences a devastating fire or a nasty data breach.

The IT and business statistics are shocking. In the last five years, one in three organizations were hit by a virus or malware attack, according to DataCore, and more than half of companies (54%) experienced downtime that lasted more than eight hours. That’s a full day of work lost! While DataCore shows only 35 percent of outages are caused by natural disasters, 45 percent of outages are operational and another 19 percent are due to human error. These site outages can cost businesses thousands of dollars in lost revenue and restoration costs for every incident. Gartner, Inc., a global research and advisory firm, estimates that only 35 percent of small and medium businesses (SMBs) have a comprehensive business continuity plan and the financial loss for every hour of downtime can reach into the thousands even for SMBs.

Business continuity requires comprehensive planning before tragedy strikes an organization to allow them to overcome long-term challenges that would otherwise stop them in their tracks. With prior planning, business continuity ensures your entire business returns to full functionality as fast as possible following a crisis. That means everything from vital employee records and payroll to stored data access and email.

Think Cybersecurity

One of the first steps in a complete cybersecurity plan is business continuity. To start, you’ll want to ensure your business employs the best technology to combat the latest threats from ransomware and malware to other types of breaches. This means updating protections such as antivirus and firewalls, using multifactor authentication, and engaging your employees in ongoing, meaningful cybersecurity training.

Cybersecurity plans, which are typically handled internally by the chief information security officer (CISO) in larger businesses, should be designed as a living document that can expand and adjust when necessary to meet the changing needs of your business. Small to medium enterprises often don’t have a dedicated CISO so they can outsource this responsibility to organizations like ORAM Corporate Advisors.

Written Information Security Plan

As part of your business continuity plan, you’ll need a written information security plan (WISP), which also happens to be a requirement of many regulatory bodies, especially for businesses who contract or subcontract with the government and financial institutions. While government regulations vary from state to state and with the federal government, in Massachusetts this written document should contain, “certain minimum administrative, technical, and physical safeguards to protect” personal information such as names, driver’s license numbers, social security numbers, and financial account numbers. You’ll need to check with both your state and federal government to determine which regulations impact you as well as any industry-specific regulations. This is another place a CISO or third-party IT vendor can help.

Your WISP should designate an individual responsible for maintaining your IT program. This may be a business owner, CISO, or even a trusted advisor such as ORAM. It will also need to identify any reasonably foreseeable data security risks as well as protect and restrict access to electronic data that may include personal information for your employees and/or clients. This plan should also outline the oversight of third-party service providers and ensure those providers comply with local, state, federal, and industry regulations as well.

Because your business and its processes, risks, and procedures are unique, your WISP will be very specific to your organization. It cannot effectively protect you from culpability in the event of a breach or loss if it doesn’t address the particular risks of your company or if it includes practices that have not been put into practice in your business. Through coordination with your IT team and/or third-party IT vendor, you will need to identify “reasonably foreseeable risks” to ensure your WISP includes the practices your business adheres to.

In addition to IT functionality, your WISP will also address the non-technical operations that will still need to work in a disaster situation to keep your business moving forward. For example, it might address the accounting measures you have in place to keep employees and bills paid and clients invoiced if the worse should happen.

What Crisis Looks Like

Stolen laptops, lost cell phones, and an employee clicking on a phishing email that infects your entire network. These are all crisis that can and often do occur in the business world. Think of all the critical information that can be lost, stolen, or even held ransom. What do you do and who do you talk to? This is where planning ahead and having a WISP helps. It will outline how to respond to a variety of incidents.

Lost your company cell? Your WISP will inform you of who to call to wipe the lost phone and deactivate it before serious damage can be done. Did your organization experience a data breach? Your WISP will have identified a data backup plan so that nothing is completely lost. Has a virus made accessing email impossible? Your WISP will have determined if your email is stored locally, in the cloud, or both to decide how to get it up and running again fast. This thinking ahead with recommendations by your IT team or third-party vendor will help ensure you have continued access to business email which is the lifeblood of most commerce today.

Recovering from Incidents

One of the best things your WISP will do is outline policies and procedures for how to react and recover in a crisis situations. Regardless of the disaster that strikes, your WISP will point you to who to contact and how to react. Part of your WISP will address incident response and crisis management to minimize the impact when things do go awry, as they inevitably do.

Incident response and crisis management involves having the ability to maintain critical business functions during a disaster scenario. It also encompasses having plans in place for a rapid recovery from catastrophic incidents. If your business were to experience a flood, fire, or data breach today, would it be able to recover quickly and efficiently? Business continuity is all about having a plan in place that expects the unexpected and is prepared to handle it.

When it comes to IT and business continuity, the big question is, “How do you operate tomorrow?” If you don’t know the answer, it’s time to get a plan in place starting with an evaluation of the foreseeable risks your organization may face and a WISP to address them. Think of it as an insurance plan that also helps your business with regulatory compliance. When disaster strikes, your business’s IT team, CISO, or third-party IT vendor should have already given you advice. Hopefully, you have followed it. Then you know who you can call when things go wrong so they can tell you how to react to keep your business moving full-steam ahead.

If your company or organization needs assistance with risk assessment, developing a WISP, and planning for business continuity, call the trusted advisors at ORAM today at (617) 933-5060 or visit us online. Our experienced professionals are here to help and we are dedicated to partnering with small businesses to assist them in achieving success.