IRS Taking Steps to Boost Security to Avoid Cyberattacks

With the move to remote work, the Internal Revenue Service (IRS) continues to work to deter and prevent cyberattacks on confidential taxpayer information.

Personal information is valuable to digital bad actors. The IRS is a sweet resource for fraudsters looking for a goldmine of information on a large number of consumers. Income, refunds, addresses, bank accounts, and more reside in the domain of the aging computer infrastructure of the IRS.

In 2015, hackers accessed the personal information of 104,000 taxpayers through the IRS, including social security numbers. By accessing the “Get Transcript” function on the site, hackers were able to exfiltrate returns and other tax information. And let’s not forget, a social security number is forever. Attempted hacks on the U.S. Treasury and Commerce departments, as well as other agencies, are common and efforts in that regard are not likely to subside anytime soon.

As the pandemic put pressure on the global workforce, working remotely reduced exposure to the virus and kept the lights on in businesses emptied of onsite workers. The IRS was no different. According to a report from the U.S. Treasury Inspector General for Tax Administration (TIGTA), 20,000 IRS employees were working remotely as of March 2020. By September of the same year, 60,700 workers were offsite.

Because of the increased risk of a data breach with remote workers, TIGTA looked at how the IRS handled the leap to remote work during the pandemic. Overall, no recommendations were made in the report, which outlined the standards put in place by the IRS for its employees. Some of those standards include:

• Participants in Zoom and Cisco WebEx meetings can attend only via invitation from an IRS host. File sharing was disabled on both platforms.
• Remote work and access are conducted via a virtual private network (VPN) with two-factor authentication.
• Though not described, TIGTA notes the IRS has guidance in place to “prevent the unauthorized dissemination of Controlled Unclassified Information, Personally Identifiable Information, and Sensitive But Unclassified information.”
• In September 2020, the IRS initiated an asset management program that improved oversight and compliance of laptops, virtual workstations, and Personal Digital Assistants.
• Overall, the IRS performs vulnerability scanning six days a week. Results are analyzed and disseminated for process improvement.

In addition to the IRS, tax professionals, such as accountants and tax preparers, are prime targets for cyber mayhem. Ensure that your corporate accounting firm or accountant is cyber-strong. If you use a tax preparer, ask about the steps they take to prevent tax fraud and theft of personal information. Make smart choices about sharing confidential information and use best practices in storing and securing your own financial information. The digital world is great, until it isn’t.