Partner Rebecca Benneyworth Training Consultants
Share this content

Security of tax agents’ systems

10th Aug 2009
Partner Rebecca Benneyworth Training Consultants
Share this content

Criminals will always look for the easy way in, be it burglary or IT crime. Are agent login details an open door invitation to fraudsters?

Last week, the news broke that a member had had their log in details to HMRC’s website stolen, and the password changed so that they could not access HMRC Online services. Thursday brought urgent news from HMRC that there had been a breach of security at more than one agent, and police were investigating.

HMRC has now published a document including guidance and information on security, both at the tax authority and advice to firms about security in their offices.

The move to online services by agents has been quite sudden, with a significant take-up of online filing by agents in the period ended 31 January 2009. It may be, therefore, that the security issues have taken some agents by surprise, and that they have not yet properly thought through how to keep client data secure.

Of particular concern at the moment are the login details for the HMRC Online services. The login names are long and a mixture of alpha and numeric characters, and passwords are similarly difficult to remember. It may well be, therefore, that the login details are recorded somewhere handy so that they can easily be accessed when someone needs to log on. I have heard urban legends about logins pinned to office notice boards, but I’m sure in some cases these may be true. Just as dangerous is asking Windows to remember your login and password, as anyone who can get access to your machine doesn’t have many keys to try out to find the drop-down with both login name and password on it.

So what are the key issues to watch?

First, there is the physical security of your computer. If you use a laptop for work this is eminently portable, so you might think about retaining all data on a backup server or remote hard drive so that if the laptop is lost or stolen, there is no sensitive data on it. Make sure that systems are closed down and password protected whenever you leave the office. Change passwords regularly and try to use at least 10 characters, a mix of alpha and numeric. Sensitive passwords should run to 13 characters minimum as they then become virtually unbreakable. Don’t forget back-up media – this is just as sensitive as the computer itself, so ensure that it is protected in the same way. If you need to use USB drives to transfer data from one machine to another get used to deleting it as you move it to the destination computer. The files could still be recovered even if deleted, but at least you’re not making it easy for crooks.

Next comes the security of your internet connection. Tax agents probably don’t need advice about virus and similar protection packages, but it is amazing how many don’t have an automatic updated set up – which for most packages is very easy to do. Schedule an update for at least once a day, and run a scan of your hard drive regularly too – I scan mine almost every day, but this may be inconvenient in most offices. Whether you use an integrated package, or a mixture of software, your virus protection should include:

  • Basic anti virus protection that will scan all incoming and outgoing mail and scan files as you open them
  • A firewall which will prevent unauthorised content from being downloaded. Make sure that your firewall is turned on – sometimes you need to drop the security level to install a program – always check that it is turned back on again.
  • Anti spyware is also an essential element of your protection. This spots malicious software running on your machine, and as its name suggests is intended to prevent spyware from running on your computer. Spyware can capture information you put into your machine, such as recording your keystrokes (when you log on) and sending them back to the remote host. You would not be aware that such a program is running. Spyware also need to be kept up to date, and if this is a separate program to your anti virus, you should run a spyware scan regularly too.

You should also be aware of unauthorised users 'piggy backing' onto your wireless network. They could be parked outside your office, or may even pull up there at night. This is a widespread problem, and those with sensitive data to protect need to ensure that they have a sufficiently sophisticated security arrangements, with passwords etc. which are changed regularly to ensure no authorised access to your network, either within the office or through the internet connection.

Finally, avoiding some of the traps set to catch you. It would be clear to all concerned that HMRC would never ask for personal data by email, and any contact purporting to come from HMRC with requests of this nature should be reported immediately. In particular, never click through a link in an email of this nature to see whether it is real, as this can initiate the download of malware, which may then report back to 'base' with details of your clients and other confidential information.

Bear in mind that clever criminals didn’t take very long to work out that targeting tax agents and firms of accountants would be a good idea, so you will need to be increasingly vigilant against more concerted attacks.


Replies (4)

Please login or register to join the discussion.

By Shorty
10th Aug 2009 12:38

Did it take the agent this long to realise there was a problem because of the length of time it is taking to get refunds sent out.....?

Thanks (0)
By Mark Hutchinson
10th Aug 2009 12:48

RE: Security of tax agents’ systems

As a technology vendor I am disappointed with the quality of information detailed in the above post. Whilst at a high level it is correct, this in its self could be misleading to many non technical readers.

Examples -

'The firewall needs to be switched on' - True, however an incorrectly configured firewall that has been switched on could provide little or no protection at all and this risk should also be highlighted . Firewalls need to be configured and checked by someone who knows what they are doing. Default firewall configurations on Microsoft/Windows PC's etc are not always correct and need checking.

Even with a correctly configured firewall certain 'ports' need to be open for email, browsing etc and if servers/PC's behind the firewall are not fully patched an up to date these applications/services will be open to being hacked.

Even if you don't ask Windows to remember your user name/password if you have used it once it will still be stored in the memory/cache of your PC/Server and available to a hacker so it is critical that your network/PC security is bullet proof.

Around 14 months ago we ran a 'penetration test' (ethical hacking to test how secure a network is) on 100 small business networks (including a few Accountants and Solicitors) as a research project and we were able to hack in to 84 networks very quickly and gain access to all sorts of information and many of these businesses were confident that their information was safe/secure.

Many IT consultants/support companies are pretty clueless when it comes to IT security and short cuts taken when setting networks up can create problems so the only real solution is to use the services of a specialist security company (known as 'Ethical Hackers') who will be able to use a range of tools/techniques to test your security, audit the findings and fix any weaknesses. The catch is that engaging security specialists even for a very small business is likely to cost £1k to £3k per audit (this should really be done annually as a minimum) and for this reason many businesses will choose to ignore the potential risks.

Best Regards

Mark Hutchinson

Thanks (0)
Rebecca Benneyworth profile image
By Rebecca Benneyworth
10th Aug 2009 17:50

Thanks for your constructive criticism Mark
I put the article together from the information provided by HMRC and my own knowledge of very small firms of accountants; I did get it "idiot checked", and perhaps the level is right for the average accountant but lacks much for the IT professional ( a bit like when journalists write about technical tax subjects). So your added comments are very useful. Although I'm afraid went over my head technically; I would regard myself as quite a good tech standard for a small accountancy practice (which I do run myself).

You are absolutely right, even at the lower end of your cost range the fees charged for this type of work would be well outside the scope of small practices. Most spend considerably less than that on their tax software, and this sort of overhead is just never going to wash with them. So you are probably looking at a "least bad" option for them. I use AVG professional 8, which is updated once a day and I find to be less intrusive than some of the better known packages. It's also very reasonably priced.

So if you have any suggestions of very low cost options for accountants it would be great to hear them - either post on here or do feel free to post a blog on computer security.

Thanks (0)
By Gentoo
13th Aug 2009 12:50

Consider alternative software
Changing anything is obviously a PITA, but as information is the new money, using software that has an intrinsically better security model has got to be a good idea.

And there is no doubt that the better model is the one used by GNU/Linux.

Of course, if you leave all the doors open it's easy to walk in, but with GNU/Linux you've got to try very hard to leave the doors open. And there is no software in the world that will protect you from claiming your winnings in a Spanish lottery. Nor can it protect you from downloading the contents of a compressed file from a dodgy server.

However, and contrary to official advice talking about "all software", GNU/Linux saves you from yourself when you click on those dubious links. You can't accidentally or unknowingly install anything.

And anything you do download (I thought it was "dark side of the moon" not...) doesn't end up in some unknown and hidden folder somewhere.

I am aware that not all of your favourite software has its FOSS equivalents, and unfortunately, its the accounting packages, but take a look here, (it's a UN publication and it's already out of date, but it's indicative)

But if the industry body cannot persuade the applications vendors to develop versions for GNU/Linux, surely it's big enough and ugly enough to fund the development of new or improve existing accounting applications?

One model for this development is google summer of code delete google insert accountancy bodies.

Usability studies have long since shown that changing from what you currently use to a desktop based on GNU/Linux is no more difficult than overcoming the problems encountered when one of your current suppliers upgrades an existing package.

The desktops are increasing pretty, for example:

Everyone knows the servers are secure.

No it's not a pain free decision, but the pain is a one off experience. And then, if you use FOSS, no one will be auditing you to check for software licence compliance, no one cares if you use another copy of anything you use, no one will ask you for any money, either initially or for upgrades. It doesn't need such powerful hardware to run.

Of course you could choose to pay for support, but then you might choose to pay to have a washer changed on your tap.

Gerry Gavigan

Thanks (0)