Security of tax agents’ systems
Criminals will always look for the easy way in, be it burglary or IT crime. Are agent login details an open door invitation to fraudsters?
Last week, the news broke that a member had had their login details for HMRC’s website stolen, and the password changed so that they could not access HMRC Online services. Thursday brought urgent news from HMRC that there had been a breach of security at more than one agent, and police were investigating.
HMRC has now published a document including guidance and information on security, both at the tax authority and advice to firms about security in their offices.
The move to online services by agents has been quite sudden, with a significant take-up of online filing by agents in the period ended 31 January 2009. It may be, therefore, that the security issues have taken some agents by surprise, and that they have not yet properly thought through how to keep client data secure.
Of particular concern at the moment are the login details for the HMRC Online services. The login names are long and a mixture of alpha and numeric characters, and passwords are similarly difficult to remember. It may well be, therefore, that the login details are recorded somewhere handy so that they can easily be accessed when someone needs to log on. I have heard urban legends about logins pinned to office notice boards, but I’m sure in some cases these may be true. Just as dangerous is asking Windows to remember your login and password, as anyone who can get access to your machine doesn’t have many keys to try out to find the drop-down with both login name and password on it.
So what are the key issues to watch?
First, there is the physical security of your computer. If you use a laptop for work this is eminently portable, so you might think about retaining all data on a backup server or remote hard drive so that if the laptop is lost or stolen, there is no sensitive data on it. Make sure that systems are closed down and password protected whenever you leave the office. Change passwords regularly and try to use at least 10 characters, a mix of alpha and numeric. Sensitive passwords should run to 13 characters minimum as they then become virtually unbreakable. Don’t forget back-up media – this is just as sensitive as the computer itself, so ensure that it is protected in the same way. If you need to use USB drives to transfer data from one machine to another, get used to deleting it from the drive as you move it to the destination computer. The files could still be recovered even if deleted, but at least you’re not making it easy for crooks.
Next comes the security of your internet connection. Tax agents probably don’t need advice about virus and similar protection packages, but it is amazing how many don’t have an automatic update set up – which for most packages is very easy to do. Schedule an update for at least once a day, and run a scan of your hard drive regularly too – I scan mine almost every day, but this may be inconvenient in most offices. Whether you use an integrated package, or a mixture of software, your virus protection should include:
- Basic anti-virus protection that will scan all incoming and outgoing mail and scan files as you open them
- A firewall which will prevent unauthorised content from being downloaded. Make sure that your firewall is turned on – sometimes you need to drop the security level to install a program – always check that it is turned back on again.
- Anti-spyware is also an essential element of your protection. This spots malicious software running on your machine, and as its name suggests is intended to prevent spyware from running on your computer. Spyware can capture information you put into your machine, such as recording your keystrokes (when you log on) and sending them back to the remote host. You would not be aware that such a program is running. Anti-spyware also needs to be kept up to date, and if this is a separate program from your anti-virus, you should run a spyware scan regularly too.
You should also be aware of unauthorised users 'piggy backing' onto your wireless network. They could be parked outside your office, or may even pull up there at night. This is a widespread problem, and those with sensitive data to protect need to ensure that they have sufficiently sophisticated security arrangements, with passwords etc. which are changed regularly, to ensure no unauthorised access to your network, either within the office or through the internet connection.
Finally, avoiding some of the traps set to catch you. It would be clear to all concerned that HMRC would never ask for personal data by email, and any contact purporting to come from HMRC with requests of this nature should be reported immediately. In particular, never click through a link in an email of this nature to see whether it is real, as this can initiate the download of malware, which may then report back to 'base' with details of your clients and other confidential information.
Bear in mind that clever criminals didn’t take very long to work out that targeting tax agents and firms of accountants would be a good idea, so you will need to be increasingly vigilant against more concerted attacks.
Rebecca trained in London with Kidsons and, on qualifying, spent some time as Chief Accountant of a manufacturing company. She now has her own small practice in Gloucestershire that comprises owner managed businesses and small companies.
She also lectures extensively for a range of professional bodies, accountancy firms,...