IRS Urges Tax Pros to Take Cyber Seriously


The agency released a list of basic cybersecurity procedures the entire tax industry should use to stop digital identity theft.

The IRS is urging the tax industry to follow a series of basic cybersecurity procedures to ensure they’re keeping Americans’ data safe.

The Tax Security 2.0 checklist is meant to give tax professionals a blueprint for locking down their IT systems, which are ripe targets for digital identity thieves. The list offers a combination of technical safeguards and organizational practices that could help keep tax databases secure.

“The IRS, the states and the private-sector tax industry have taken major steps to protect taxpayers and their data,” IRS Commissioner Chuck Rettig said in a statement. “But a major risk remains. We hope tax professionals will use our checklist as a starting point to do everything necessary to protect their client’s data.”

In 2018, the IRS halted some 649,000 tax returns due to identity theft. While that figure is down nearly 54 percent from 2015, officials warn that cybercriminals are always changing their tactics, so the tax industry must remain vigilant.

The checklist outlines six basic technical solutions all tax organizations should use to better protect their data: anti-virus software, firewalls, two-factor authentication, backup software, full-disk encryption and virtual private networks. These may seem like no-brainers, but cyber experts often say following basic procedures can fend off the vast majority of attacks.

“These six steps are simple actions that anyone can take,” Rettig said. “No tax business should assume they are too small or too smart to avoid identity thieves.”

Beyond implementing the “security six,” tax professionals should also create a flexible information security plan that addresses issues like employee training, intrusion detection and cyber resiliency.

Officials also recommended companies keep an eye out for signs of identity theft, create a data theft recovery plan and educate employees on common cyberattack tactics, like phishing and ransomware. In the coming weeks, the agency plans to release more detailed breakdowns of these measures.