Increasingly, tax professionals are being targeted by identity thieves. Outlined below are a series of "best practices" that TaxSlayer Pro recommends preparers implement to protect their computers and the client data stored on them.
- Run a single, reputable security package, but do NOT assume it will be enough to protect your computer
TaxSlayer Pro makes no recommendation of what security software you should use. However, we have found several that cause more problems with TaxSlayer Pro than others.
Good Packages - These “play” well with TaxSlayer Pro:
- Microsoft Windows Defender – This has the added advantage that it comes free with Microsoft Windows!
- Symantec Norton Security or Norton Antivirus
- McAfee AntiVirus or McAfee Total Protection
Packages with Problems – These don’t “play” well with TaxSlayer Pro:
No matter which security software you choose, it must be configured correctly and updated on a regular basis.
Why “Run a single, reputable security package”? When it comes to security software, “more” is not “better”. Multiple security packages can slow down your computer and in some cases conflict with each other.
- Keep both your operating system and applications up to date
Turn on automatic updates in Windows. If any applications you use offer automatic updates, turn them on. Known security vulnerabilities are corrected by these updates. If any applications you use do not offer automatic updates, check with the publisher regularly for newer versions.
See the article Supported Operating Systems for information about Windows versions currently supported by TaxSlayer Pro.
- Have an offline backup and keep it current
Most modern viruses and malware will seek to infect files on each computer attached by way of a network. This means one computer can infect ALL computers on a local network. The only way to reliably protect against this is to have a backup that is not connected to the local network.
A backup stored on a removable device such as a USB drive or an external hard drive is ideal. Once the backup is made, the device should be disconnected from the computer or network and stored in a safe location away from the computer.
- Run only the minimum number of programs on your computer necessary to perform your work
Each program added to a computer increases the possibility of a vulnerability being introduced to your system. Remember the KISS principle (Keep It Simply Simple).
- Don’t click on popup windows – Use ALT-F4 to close them
Attackers are getting more clever all the time. Popup windows and messages are one of the many ways infections can happen. No matter what part of the popup window you click on (even if it is a “close” or “cancel” button) you can still get infected. If you see a window that looks suspicious, rather than clicking it to close it use the keyboard combination Alt-F4 to close it.
- Do not download anything that you did not seek out and only download from the original source
Did you just see on your screen an ad for software that promises to make your computer run like new? Don’t click on that ad! Re-read rule #4. If it is still something you need, then use your favorite search engine to find the website of the company that makes the software and download it from them. It's always safest to download from the author's or publisher's website rather than from a software aggregation site.
- Don’t click on links in email and beware of attachments
When you receive an email giving you a link and asking you to use it to accomplish a task, be careful! Example: you receive an email from your bank stating that your latest statement is available and gives you a link where you can view it. Don’t click that link! Instead manually navigate to your bank’s website and then log into your account to view the statement.
Email attachments have been a source of virus and malware infection for decades. Don’t open email attachments from senders you don’t know or from friends and co-workers that you were not expecting. If there is a question about the attachment, contact the sender before opening it.
- Practice the principle of least privilege
The principle of least privilege means that you should have as the main user account on your computer one that has only the minimum privileges necessary to accomplish your work. In other words, don’t use an account with administrative privileges to do your daily work.
- Use strong passwords, avoid reusing passwords, and use a password manager
What is a strong password? A strong password uses a random mix of upper-case letters, lower-case letters, numbers, and punctuation. The longer the password, the better. This is a good strong password: 1$yTc7@rosRz. This password is not as strong because it is not as random as the first: TreeHouse!9. It is also not a good idea to use the same strong password on multiple sites. If one site gets compromised, the bad guys have your password to all the sites on which you used the compromised password.
Because strong passwords are hard to remember, password management software will help you keep up with your passwords as well as warn you about password reuse. There are many password managers available. A few examples are LastPass, Dashlane, and Sticky Password.
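The difference between the two sample passwords above can be put in numbers. This is an added example, not TaxSlayer Pro code: the function names, the tiny word list and the 10,000-word attacker dictionary size are assumptions chosen for illustration, and the bit counts are rough estimates rather than a formal strength score.

```python
import math
import secrets
import string

# Constructed mini word list; a real attacker dictionary is far larger.
COMMON_WORDS = {"tree", "house", "pass", "word", "tax", "summer", "welcome"}
# Assumed size of the dictionary an attacker tries first (illustrative figure).
ASSUMED_DICTIONARY_SIZE = 10_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def split_words(password):
    """Greedily split off known words (case-insensitive); return (words, leftover)."""
    words, leftover, i = [], [], 0
    lowered = password.lower()
    by_length = sorted(COMMON_WORDS, key=len, reverse=True)
    while i < len(password):
        match = next((w for w in by_length if lowered.startswith(w, i)), None)
        if match:
            words.append(password[i:i + len(match)])
            i += len(match)
        else:
            leftover.append(password[i])
            i += 1
    return words, "".join(leftover)

def estimated_bits(password):
    """Rough guessing cost: dictionary words are cheap, random characters are not."""
    words, leftover = split_words(password)
    # One dictionary pick per word, plus one bit for "capitalised or not".
    word_bits = len(words) * (math.log2(ASSUMED_DICTIONARY_SIZE) + 1)
    random_bits = len(leftover) * math.log2(len(ALPHABET))
    return word_bits + random_bits

def generate_password(length=16):
    """Random password from the OS CSPRNG containing all four character classes."""
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate

def reused(vault):
    """Return the groups of sites in a {site: password} mapping sharing a password."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, set()).add(site)
    return [sites for sites in by_password.values() if len(sites) > 1]
```

Under these assumptions `estimated_bits("1$yTc7@rosRz")` comes out near 79 bits and `estimated_bits("TreeHouse!9")` near 42 bits, even though the two are almost the same length.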
- Avoid questionable websites
Today all it takes to get infected with malware is to view a website that has been infected with it. The simple act of displaying the page is enough to compromise your system. Stay away from sites promising free music, coupons, etc. If it sounds too good to be true, it probably is. Stay on well-known and reputable sites.
- Employ multi-factor authentication if an application offers it
Some sites and services offer what is known as multi-factor authentication involving two or more ways to authenticate your identity. Typically, the process involves something you know and something you have. An example of multi-factor authentication might be this: you log in to your e-mail site with your username and password (something you know). The site sends a code in a text message to your phone (something you have) and you must enter this code on the next screen of your e-mail site before it will complete the login process.
This gives much stronger security since a bad guy would need both your username/password and your cell phone to gain access. He might get one, but probably not both.
- Lock your computer and phone when not in use
When you get up from your computer, you leave it available for anyone to access and possibly install malware or steal sensitive data. When you leave your computer you should either manually lock it or have a screensaver set to lock after a short period of inactivity. In Microsoft Windows, the combination of the Windows Key plus L will lock the display, requiring entering your password to unlock it.
- Use drive encryption
Computers and phones are stolen every day. Imagine the treasure trove of data contained in the tax returns on your system. They would be of great value to an identity thief. Laptops that leave your office are especially vulnerable to theft.
To protect these systems you might want to use drive encryption. Microsoft includes BitLocker as part of Windows 10 Pro. Other vendors such as McAfee and Symantec also make drive encryption software. There are also free, open source programs that provide drive encryption.
Both iOS (Apple) and Android (Google, Samsung, and others) phones offer encryption. In some cases, it is turned on from the factory. Check yours and make sure that it is encrypted. Phones are lost/stolen more often than computers.
Note: TaxSlayer Pro return data is encrypted and unreadable outside of TaxSlayer Pro.
- Avoid the use of wireless networks
The simplicity of wireless networks is their great advantage. Their weaknesses are security and performance. Because of this we recommend that all TaxSlayer Pro customers use wired networks in their office.
- Don't let others use your tax computer for entertainment purposes
The computer you use for tax preparation is the tool that puts food on your table. Don't risk its integrity by letting others use it for entertainment and games, and keep your own non-tax usage to a minimum.
- Develop a written information security plan (WISP).
See here for more information.