Increasingly, tax professionals are being targeted by identity thieves. Outlined below are a series of “best practices” that Keystone Tax Solutions recommends that preparers using the software implement to protect their computers and the client data stored on them.
1. Run a single, reputable security package, but do NOT assume it will be enough to protect your computer
Keystone Tax Solutions makes no recommendation of what security software you should use. However, we have found several that cause more problems with Keystone Tax Solutions than others.
Good Packages – These “play” well with Keystone Tax Solutions
Microsoft’s Windows Defender or Microsoft Security Essentials – These have the added advantage that they come free from Microsoft!
Symantec’s Norton Security or Norton Antivirus
McAfee AntiVirus or McAfee Total Protection
Packages with Problems – These don’t “play” well with Keystone Tax Solutions
Regardless of which security software you choose, it must be configured correctly and updated on a regular basis.
Note that we stated that you should “Run a single, reputable security package”. Multiple security packages are not a good idea. In this case “more” is not “better”. Multiple security packages can slow down your computer and in some cases conflict with each other.
2. Keep both your operating system and applications up to date
Turn on automatic updates in Windows. If any applications you use offer automatic updates, turn them on. Known security vulnerabilities are corrected by these updates. If software does not offer automatic updates, check with the publisher often for newer versions.
3. Have an offline backup and keep it current
Most modern viruses and malware will seek to infect files on each computer attached by way of a network. This means one computer can infect ALL computers on a local network. The only way to reliably protect against this is to have a backup that is not connected to the local network.
A backup stored on a removable device such as a USB drive or an external hard drive is ideal. Once the backup is made, the device should be disconnected from the computer or network and stored in a safe location away from the computer.
4. Run only the minimum number of programs on your computer necessary to perform your work
Each program added to a computer increases the possibility of a vulnerability being introduced to your system. Remember the KISS principle (Keep It Simply Simple).
5. Don’t click on popup windows – Use ALT-F4 to close them
Attackers are getting more clever all the time. Popup windows and messages are one of the many ways infections can happen. No matter what part of the popup window you click on (even if it is a “close” or “cancel” button) you can still get infected. If you see a window that looks suspicious, use the keyboard combination of ALT-F4. This will close the active window without having to click on it.
6. Do not download anything that you did not seek out and only download it from the original source
Just saw an ad for software that promised to make your computer run like new? Don’t click on that ad! First re-read rule #4. If it is still something you need, then use your favorite search engine to find the web site of the company that makes the software and download it from there. Don’t go to your favorite software aggregation site to download a piece of software you need. If you need something, go to the author’s or publisher’s site to download it.
7. Don’t click on links in email and beware of attachments
When you receive an email giving you a link and asking you to use it to accomplish a task, be careful! Example: you receive an email from your bank stating that your latest statement is available and gives you a link where you can view it. Don’t click that link! Instead manually navigate to your bank’s web site and then log into your account to view the statement.
Email attachments have been a source of virus and malware infection for years. Don’t open email attachments from senders you don’t know or from friends/co-workers that you were not expecting. If there is a question about the attachment, contact the sender before opening it.
8. Practice the principle of least privilege
This means that the main user account on your computer should have only the minimum privileges necessary to accomplish your work. In other words, don’t use an account with administrative privileges to do your daily work.
9. Use strong passwords, avoid password reuse, and use a password manager
What is a strong password? A strong password uses a random mix of upper case letters, lower case letters, numbers, and punctuation. The longer the password the better. This is a good strong password: 1$yTc7@rosRz. This password is not as strong because it is not as random as the first: TreeHouse!99. It is also not a good idea to use the same strong password on multiple sites. If one site gets compromised, the bad guys have your password to all the sites on which you used the compromised password.
Because strong passwords are hard to remember, a program called a password manager will help you keep up with your passwords. Password managers will also warn you about password reuse. There are many password managers available. A few examples are LastPass, Dashlane, and Sticky Password.
10. Avoid questionable web sites
Today all it takes to get infected with malware is to view a web site that has been infected with it. The simple act of displaying the page is enough to compromise your system. Stay away from sites promising free music, coupons, etc. If it sounds too good to be true, it probably is. Stay on well-known and reputable sites.
11. Employ multi-factor authentication if an application offers it
Some sites and services offer what is known as multi-factor authentication. These generally involve two or more items, usually something you know and something you have. An example of multi-factor authentication might be this: you log into your email site with your username and password (something you know). The site sends a code in a text message to your phone (something you have) and you must enter this code on the next screen of your email site before it will complete the login process.
This gives much stronger security since a bad guy would need both your username/password and your cell phone to gain access. He might get one, but probably not both.
12. Lock your computer/phone when not in use
When you get up from your computer, you leave it available for anyone to access and possibly install malware, or steal sensitive data. When you leave your computer system you should either manually lock it or have the screensaver set to lock after a short period of inactivity.
13. Use drive encryption
Computers and phones are stolen every day. Imagine the treasure trove of data contained in the tax returns on your system. They would be of great value to an identity thief. Laptops that leave your office are especially vulnerable to theft.
To protect these systems you might want to use drive encryption. Microsoft includes BitLocker as part of Windows 10 Pro. BitLocker is also available on the Pro version of Windows 8 and the Ultimate versions of Windows 7 and Windows Vista. Other vendors such as McAfee and Symantec also make drive encryption software. There are also free, open source programs that provide drive encryption.
Both iOS (Apple) and Android (Google, Samsung, and others) phones offer encryption. In some cases it is turned on from the factory. Check yours and make sure that it is encrypted. Phones are lost/stolen more often than computers.
14. Avoid the use of wireless networks
The simplicity of wireless networks is their great advantage. Their weaknesses are security and performance. Because of this we recommend that all Keystone Tax Solutions customers use wired networks in their office.
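
A read-only PowerShell check of a Windows workstation against items 1, 2, 8 and 13 above. This is an added example, not Keystone Tax Solutions code; it assumes Windows 10 with Windows PowerShell 5.1, and the 7-day signature and 35-day patch thresholds are illustrative assumptions.

```powershell
# Added example: reports findings only, changes nothing on the machine.
# The thresholds (7 days, 35 days) are assumptions, not vendor guidance.
$findings = [System.Collections.Generic.List[string]]::new()

# Item 1: one security package. Defender is always registered, so count the others.
$av = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
        -ErrorAction SilentlyContinue)
$thirdParty = @($av | Where-Object { $_.displayName -notmatch 'Defender' })
if ($av.Count -eq 0) {
    $findings.Add('No antivirus product is registered with Windows Security Center.')
}
if ($thirdParty.Count -gt 1) {
    $findings.Add("Multiple security packages: $($thirdParty.displayName -join ', ')")
}

# Item 1 (continued): when Defender is the only package, it must be on and current.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if ($thirdParty.Count -eq 0 -and -not $mp.RealTimeProtectionEnabled) {
        $findings.Add('Defender real-time protection is off and no other package is installed.')
    }
    if ($mp.RealTimeProtectionEnabled -and $mp.AntivirusSignatureAge -gt 7) {
        $findings.Add("Defender signatures are $($mp.AntivirusSignatureAge) days old.")
    }
} catch {
    # Defender cmdlets are unavailable; the Security Center result above still applies.
}

# Item 2: a machine receiving automatic updates has a recently installed hotfix.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn | Select-Object -Last 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-35)) {
    $findings.Add('No Windows update has been installed in the last 35 days.')
}

# Item 8: the daily account should not belong to local Administrators (S-1-5-32-544).
# whoami lists the group even when UAC has filtered it to deny-only in the token.
if ((whoami.exe /groups) -match 'S-1-5-32-544') {
    $findings.Add("Account $env:USERNAME is a member of the local Administrators group.")
}

# Item 13: BitLocker protection on the system drive (this cmdlet needs elevation).
try {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings.Add("BitLocker protection is not on for $env:SystemDrive.")
    }
} catch {
    $findings.Add('BitLocker status unknown: rerun this check from an elevated prompt.')
}

if ($findings.Count) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```

Run it from the account used for daily work, so the item 8 result reflects that account; the BitLocker check alone needs an elevated prompt.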