The IRS has recently put out the ‘Security Six’, with a recommendation of the top 6 security items financial firms (specifically anyone dealing with taxes) should do.  We have taken this a step further.  In this document, we will cover the ‘Security Six’ as well as a few more items that we recommend all companies/departments dealing with financial info should implement.

Anti-virus software

Although details may vary between commercial products, anti-virus software scans computer files or memory for certain patterns that may indicate the presence of malicious software (also called malware). There are currently 2 categories of Anti-Virus software:

• Traditional Anti-virus software looks for patterns based on the signatures or definitions of known malware from cybercriminals.
• Next-Gen Anti-Virus software uses machine learning and/or artificial intelligence to look for malicious behaviors. It doesn’t rely on definitions to find malware.  This type of Anti-Virus is more effective for modern-day threats.

Our Recommendations:

• Next-Gen Anti-Virus software should be used is budgets permit. Security is about layers of security, so if budgets are tight, it’s better to have traditional Anti-Virus and another of the following layers of security.  There is a tradeoff anytime you use a less complex product.  The best strategy is the deploy as many layers of security, with the most advanced technology.
• Make sure that your Anti-Virus software does automatic scans and/or real-time scanning. Real-time scanning looks at files as they are accessed to make sure they are safe to open
• Make sure your Anti-Virus software auto-updates

A reminder about spyware, a category of malware intended to steal sensitive data and passwords without the user’s knowledge: Strong security software should protect against spyware. But remember, never click links within pop-up windows, never download “free” software from a pop-up, never follow email links that offer anti-spyware software. The links and pop-ups may be installing the spyware they claim to be eliminating.

Firewalls

Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing your systems. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data.

Firewalls may be broadly categorized as hardware or software and ideally, you should have both deployed.

• Hardware – Typically called network firewalls or Unified Threat Management Appliance (UTM), these external devices are positioned between a computer and the internet (or another network connection). Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them.
• Software – Most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall.

While properly configured firewalls may be effective at blocking some cyber-attacks, don’t be lulled into a false sense of security. Firewalls do not guarantee that a computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (malware), and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures (such as anti-virus software and safe computing practices) will increase your security posture.

Our Recommendations:

• Companies should have a Next-Gen Firewall / UTM appliance installed at the connection to the internet to protect company data. There are multiple products out there, but make sure they have built-in Malware Scanning, Content Filtering, and Intrusion Prevention.  These services, in combination, make it harder for a hacker to access your network.
• Keep in mind, users clicking on malicious links or installing malicious software is almost the same as ‘inviting’ the bad guys in. The firewalls typically will trust your ‘requests’ to install that software, which is where the other layers of security come into play.
• Windows and Mac computers have built-in firewalls, these should be turned on (unless you have a paid-for software firewall) and set to the appropriate levels for security. e. in Windows, you can set a network as private, public, or corporate.  The firewall changes its settings based on the network you are on, so make sure in public places you have your network defined as public.
• There are some really new neat services that we also recommend integrating with your hardware firewall. These services look at all the traffic coming and going, then help to rank the traffic and the threat.  We use a company that even has auto-blocking, meaning if it deems the threat to be above a certain threshold, it will automatically make rules in the firewall to block that traffic.

Two-factor authentication

Two-factor authentication (2FA) helps by adding an extra layer of protection beyond a password. Often two-factor authentication means a user must enter credentials (username and password) plus another step, such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal the username and password but it’s highly unlikely they also would have a user’s mobile phone to receive a security code and complete the process.

The use of two-factor authentication and even three-factor authentication is on the rise, and users should always opt for multi-factor authentication protection when it is offered, whether on an email account or tax software account or any password-protected product.

IRS Secure Access, which protects IRS.gov tools including e-Services, is an example of two-factor authentication.

Our Recommendations:

• Turn on 2FA anywhere you can, it makes hacking your accounts significantly harder (but not impossible)
• It should be company policy to have 2FA on all email accounts as well as any financial accounts (online banking, etc)
• You should have 2FA on any account that stores credit card info, if the site doesn’t support 2FA, then don’t let it save your credit card info.

Backup and Disaster Recovery

Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or similar product. Or, a copy of the file is made to an external disk, such as an external hard drive that now comes with multiple terabytes of storage capacity. You should ensure that taxpayer data that is backed up also is encrypted – for the safety of you and your clients

Our Recommendations:

First, if it’s not automatic and it’s not an online backup, then it’s not really a backup.  Local backups can be corrupted or stolen, just like your computer, and if it’s not automatic then it won’t happen often enough.  We see it time and time again where someone oversaw their own backups and they ‘forgot’ to do the backup for about 3 months (or more!).

We see 2 types of backup that are worthwhile:

• File and Folder – this type of backup is the cheapest and has been around the longest. Simply put, once a day (or on a schedule you select) changes to your data are backed up to the cloud.  This backup also has one major flaw – recovery time.  To recover a system, you need to replace the system, re-install all the software, set up all the settings, then restore all your data.  It can take days to fully recover, and that lost productivity can be expensive.  BUT, at the end of the day, your data is safe.
• Backup, Continuity, and Disaster Recovery (BCDR) – with BCDR, an appliance is placed onsite that takes backup at regular intervals (typically hourly). Then if a system crashes you can virtualize the entire system in a matter of minutes.  These types of systems are what we typically recommend because, during a disaster, you will always want it recovered quickly.

Drive encryption

Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transform data on the computer into unreadable files for an unauthorized person accessing the computer to obtain data. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.

Our Recommendations:

Windows comes with Bit Locker on all ‘Professional’ editions, and it’s free.  You should turn in on for every computer in the office (it should be company policy!).  Make sure you save the encryption key, because if your computer ever asks for the key and you have lost it, then all your data will be unrecoverable.  If your company has a domain, you can configure the encryption key to back up to the server automatically.  Your IT department or consultant should know how to do this.  We also recommend that you print the key and store it in a safe.

Virtual Private Network

A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network.  If you have users that work remotely, they should connect to the company network with a VPN.  This forces all traffic through the company’s systems, keeping policies and security in place.  Don’t ever use public networks (coffee shops, etc.) without also using a VPN to keep your traffic safe.

Our Recommendations:

Almost all commercial firewalls will also support VPN services.  You should be able to set up a VPN to your company network at little to no cost.  If your company doesn’t have a router that supports VPN or they won’t set one up, we recommend that you get a 3^rd party VPN service to keep your internet browsing safe while using public internet (hotels, coffee shops, etc).

Additions to the Security Six:

All the above information is what the IRS recommends for tax companies and financial firms.  We also recommend all companies have the following layers of security in place:

Spam Filtering and Email

Repeatedly it’s proven that the top attack vector is email.  It’s important to have a top-quality spam filter for your email.  We recommend that your company use a service like O365 from Microsoft and a custom domain (i.e. [email protected]) and not use Gmail or a free public service.  If your company uses a Gmail, then you risk an employee leaving and taking access to that account with them.  Talk about a security risk!  All your customers/clients/users are used to getting an email from this Gmail account and now you can’t control it!  With a private domain set up with a private email provider (i.e. O365), you control who has access to what and can lock users out of accounts if they leave the company, etc.

In addition to the company email, a strong spam filter should be deployed.  Microsoft and others offer add-on spam filters in the $2 / user/month range that will help keep malicious emails and files out of your company.  Users are often the most targeted via email, so a quality spam filter service will go a long way to reducing your attack surface.

Security Training

As mentioned above, users are the #1 target for hackers.  You need a program in place to educate users on security risks, like how to spot a phishing email.  A comprehensive training program will include the following:

• Multiple ‘self-paced’ training throughout the year, at least once per quarter
• An annual training that all users are required to take. We recommend this be in person so that users can ask questions and get feedback.  It’s also a requirement in many regulated industries.
• Phishing testing should be performed 2-4 times per year. This type of test is when users get a fake email asking for credentials or some other information.  If they give the information, they fail the test.  There are several services that offer this kind of testing.

Patch Management

One of the easiest ways for a hacker to access your network is for you to leave the door wide open.  Not installing security patches regularly is the same thing as locking a screen door.  When vendors find vulnerabilities in their programs, they release patches to fix them.  The hackers then look at those patches and reverse engineer them to gain quick access to unpatched machines.  Your company should have a policy in place to patch all systems

Threat Hunting

With all the layers of security you have implemented, surely a hacker can’t get access to your network, right?  WRONG.  All it takes is one wrong click from a user, one overlooked vulnerability, one unpatched workstation, and a hacker can get into your network.  With an active threat hunting program, often called EDR (Endpoint Detection and Response), a combination of software and people analyze what’s going on inside your network and look for anomalies indicating hackers are present.  They can then respond and kick the bad guys out.  Currently, it takes more than 100 days, on average, to detect a breach.  That is a lot of time to steal data and do damage, your goal should be to cut that to days or hours.

Dark Web Monitoring

Data breaches seem to happen every day!  Turn on the news and you hear about Target, Home Depot, Blue Cross or some other major corporation being hacked (Equifax anyone?).  What’s a user to do with all this data leaking out to the internet and the ‘Dark Web’?  We recommend using a dark web monitoring service.  There are several that will monitor for your entire company or you can use programs like LifeLock or other personal services to monitor the dark underbelly of the internet for stolen credentials.  We would say this is a ‘reactionary’ service because the passwords are already out there, however, if you don’t know what your password is out there and keep using it, your risk goes WAY up.  Dark Web Monitoring can help you stay a step ahead of the bad guys.

Content Filtering

At this point, you are probably wondering when the list will end, but security these days is complex and not for the ‘do it yourself’ person.  Here is the problem, if you put in that fancy firewall that does content filtering for your office, and then someone takes a laptop on the road, you just lost a layer of security.  We suggest you get a service that does content filtering at the device (laptop, desktop, etc) for 2 reasons.  First, if you are using a different company to do the filtering at the device, it’s most likely using different algorithms and security lists, increasing your chance of blocking inappropriate or malicious sites.  Second, when that device goes home with a user, you don’t want them to lose the protection you’ve so carefully constructed, and you don’t want them to use that company asset to do inappropriate things on the internet either.  With a solid content filter in place on the workstation, you keep that protection wherever the user goes.

Conclusions

We know that all this can seem like A LOT to put in place, but the truth is cybersecurity shouldn’t be done by the casual user.  You need an IT person or MSP like us to help you out.  Just as we hire accountants and tax pros to help us with financials, IT is complex and requires a pro.   If you can’t afford a ‘pro’ then please use this guide as a starting point to help protect your data.  It won’t be long before these steps are required.

We also recommend anyone operating in the state of Texas look up House Bill 4390, the Texas Data Breach notification law.  This law strengthens current regulation with requirements that any data breach of certain scope is reported to the attorney general’s office within 60 days.  There is a lot at stake, and we all must do our part to secure data and keep the bad guys out of it.