March 8, 2016 By Rick M Robinson

Without much fuss or public notice, millions of Americans are now taking part in one of the most challenging cybersecurity operations in the world: submitting tax returns online. How this almost unimaginable wealth of personal and business financial information is kept secure is its own story, and one that the Internal Revenue Service (IRS) stays very quiet about.

But the IRS is talking to taxpayers, both individuals and businesses, about safeguarding their financial data online by providing security tips in an ongoing series. These tips offer a concise picture of today’s leading threats to financial data and the measures that people should be taking to protect it.

The World’s Leading Custodian of Sensitive Financial Data

The IRS is in a position to know something about financial data security. If old Bond movie villains wanted to break into Fort Knox, today’s cyberthieves could dream of nothing sweeter than hacking into the IRS and stealing every American’s tax records, which are filled with detailed financial information.

While the agency did not discuss its data safeguarding measures in the release, it did talk about how people and firms should protect their own data.

Of seven security tips in the initial release, the first two are about security software: Have it, use it correctly and allow it to update automatically. In fact, automatic updating is so important that it gets its own tip. Security professionals might add automatic updating of the operating system since these updates include critical security patches. Protective software is a primary defense against attack.

The third tip is to look for HTTPS in a URL. HTTPS encrypts data in transit between the browser and the site, which plain HTTP does not, and users should be wary of submitting information over an unencrypted connection.

Next, the IRS advised taxpayers to use strong passwords. Suggestions are provided for stronger passwords, though many websites now let users know how strong a password is, with guidance on making it stronger.

The IRS also advised ensuring that a business or home wireless network is secure. This is classic endpoint protection and remains the first step in keeping intruders at bay. Similarly, the IRS warned about the use of public wireless connections. While this is mainly applicable to individuals, enterprises must be aware of employees or partners who could be using public Wi-Fi and putting corporate data at risk.

The seventh and final tip is to be wary of phishing attempts. Start by educating employees as to what phishing is and how to recognize it. This tip noted that the IRS is among the organizations that phishing attempts may impersonate — we tend not to ignore notices from the IRS. Users should double-check all communications from state and federal agencies to ensure they are legitimate.

Security Tips for the Times

Those familiar with cybersecurity issues won’t find any surprises in these initial IRS online financial security tips. They addressed the major contemporary threat vectors: software vulnerabilities, wireless connections and social engineering campaigns that exploit the human factor. They outlined the basic precautions of protecting a system and its endpoints, including passwords, and advised the basic wariness needed to elude social engineering attacks.

None of this is revolutionary, but it’s important to note that the IRS takes tax refund fraud and identity theft seriously. Tax season may be a pain, but it is good to know that when it comes to data security, the tax man has our backs.
