When accountants ask IRS compliance providers whether their site is secure, the answer will always be “Yes,” which tells them little about how accurate that answer is.
Accountants are rightly more concerned than ever about the security of their clients' data in the cloud. Below are five specific questions and the ideal answers that will help you assess the security of your online providers.
1. How do they manage their servers and where are they located?
Ideal answer: AWS, Google, Azure or another managed cloud provider with physical protection and an excellent reputation. If your provider sets up and manages its own servers in a “server farm,” this has the potential to be less secure, since it adds considerably more complexity to your IRS provider's workload.
2. What operating system is used on their servers and how often is it updated for security patches?
Ideal answer: The most important thing is that the provider actually has a regular security update procedure. General security patches should be applied weekly. Major security issues should be patched as soon as the fixes are issued, which could be the same day. The two major operating systems used are either Windows-based or Linux-based. We recommend the Linux-based systems, but a well-maintained Windows system is fine. Again, it is the regularity of the updates that matters most.
3. How many people in the company have complete access to your account and the entire database of client accounts?
Ideal answer: As few as possible. Many notorious security breaches originate with an insider employee who uploads malware to the company's servers via an admin function of some sort, such as one for accessing customer dashboards or accounts. Obviously, the more people who have access to this level of functionality, the more likely this scenario is to occur. Companies should limit the number of people with admin access and also limit the type of access to only what is needed. For instance, client support personnel should only be able to access one client's account at a time, not the whole database.
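The "one client account at a time" rule from question 3 is an access-control decision, and it is easier to judge a provider's answer once you have seen what enforcing it looks like. The following is an added illustration, not any provider's code: the roles, the staff names, the client records and the `open_case` workflow are all hypothetical. A support session must first be bound to a single client account, reads of any other account are denied, and whole-database rights are a separate permission held by a short, listable set of people.

```python
"""Least-privilege access to a multi-tenant client database.

Added illustration only: the roles, names and the open_case workflow are
hypothetical, not any particular provider's implementation.
"""
from dataclasses import dataclass, field
from typing import Optional

# Which role may do what. Per-account rights end in ":one"; ":all" rights
# touch the whole database and should belong to as few people as possible.
ROLE_PERMISSIONS = {
    "support": {"client:read:one"},
    "admin": {"client:read:one", "client:write:one", "db:read:all"},
}


@dataclass
class Session:
    user: str
    role: str
    active_client: Optional[str] = None   # support staff work one account at a time
    audit: list = field(default_factory=list)


def open_case(session: Session, client_id: str) -> None:
    """Bind a support session to one client account; replaces any previous case."""
    session.audit.append(("open_case", client_id))
    session.active_client = client_id


def is_allowed(session: Session, permission: str, client_id: Optional[str] = None) -> bool:
    """Decide access and record the decision in the session's audit trail."""
    grants = ROLE_PERMISSIONS.get(session.role, set())
    ok = permission in grants
    if ok and permission.endswith(":one"):
        # A per-account permission must name an account, and for roles without
        # whole-database rights that account must be the one currently opened.
        if client_id is None:
            ok = False
        elif "db:read:all" not in grants and session.active_client != client_id:
            ok = False
    session.audit.append((permission, client_id, "allow" if ok else "deny"))
    return ok


def fetch_client(session: Session, client_id: str, db: dict) -> dict:
    if not is_allowed(session, "client:read:one", client_id):
        raise PermissionError(f"{session.user} may not read {client_id}")
    return db[client_id]


def export_all(session: Session, db: dict) -> dict:
    if not is_allowed(session, "db:read:all"):
        raise PermissionError(f"{session.user} may not export the database")
    return dict(db)


def full_access_holders(directory: dict) -> list:
    """Everyone whose role carries a whole-database right: the answer to
    question 3 should be a short list."""
    return sorted(user for user, role in directory.items()
                  if any(p.endswith(":all") for p in ROLE_PERMISSIONS.get(role, set())))


# Constructed sample data (hypothetical clients and staff).
CLIENT_DB = {"c101": {"name": "Acme LLC", "ein": "00-0000000"},
             "c102": {"name": "Bravo Inc", "ein": "00-0000001"}}
STAFF = {"alice": "support", "bob": "support", "carol": "admin"}

if __name__ == "__main__":
    s = Session("alice", "support")
    open_case(s, "c101")
    print(fetch_client(s, "c101", CLIENT_DB)["name"])
    try:
        fetch_client(s, "c102", CLIENT_DB)
    except PermissionError as e:
        print("denied:", e)
    print("full-database access:", full_access_holders(STAFF))
```

The point to take from this when questioning a provider: a support person's access is scoped to the account they are currently working on, the bulk right is a distinct permission, and the list of people holding it can be produced on request.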
4. What kind of automatic alerting is in place if suspicious activity is occurring? In other words, how does the company avoid operating blindly, hoping that all is going well?
Ideal answer: The company should have many levels of automatic alerting via email, text or other real-time warning systems that tell company personnel who is involved, when and where it is happening and how, while a possible issue is still in progress. Logging of all client actions and access is crucial for after-the-fact analysis, but it is critical that a company also have defensive alerting in place to stop attacks quickly.
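To make the "who, when, where and how" of question 4 concrete, here is an added example of alerting logic run over an access log. It is not any provider's system: the log format, the thresholds and the log lines themselves are constructed for the illustration (the IP addresses are from documentation ranges). It raises one alert for a burst of failed logins from one address, one when a single user sweeps through more client accounts than support work should need, and one whenever a whole-database action occurs, even by a legitimate admin.

```python
"""Real-time style alerting over an access log: who, when, where, how.

Added illustration with a constructed log format and thresholds; not a
specific provider's alerting system.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) action=(?P<action>\S+)"
    r"(?: client=(?P<client>\S+))? result=(?P<result>\S+)$"
)

# Constructed sample log (documentation IP ranges, hypothetical users).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=alice ip=203.0.113.10 action=login result=fail
2024-03-04T09:00:09Z user=alice ip=203.0.113.10 action=login result=fail
2024-03-04T09:00:20Z user=alice ip=203.0.113.10 action=login result=fail
2024-03-04T09:00:31Z user=alice ip=203.0.113.10 action=login result=fail
2024-03-04T09:00:44Z user=alice ip=203.0.113.10 action=login result=fail
2024-03-04T09:10:00Z user=bob ip=198.51.100.7 action=login result=ok
2024-03-04T09:10:30Z user=bob ip=198.51.100.7 action=view_client client=c101 result=ok
2024-03-04T09:11:02Z user=bob ip=198.51.100.7 action=view_client client=c102 result=ok
2024-03-04T09:11:40Z user=bob ip=198.51.100.7 action=view_client client=c103 result=ok
2024-03-04T09:12:15Z user=bob ip=198.51.100.7 action=view_client client=c104 result=ok
2024-03-04T09:20:00Z user=carol ip=198.51.100.9 action=export_db result=ok
"""

# Actions that touch the whole database or push files onto the server: page
# staff immediately, even when the actor is a legitimate admin.
BULK_ACTIONS = {"export_db", "upload_file"}


def parse(text):
    """Turn log text into event dicts; timestamps become datetime objects."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # in production an unparseable line deserves its own alert
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect(events, window=timedelta(minutes=5), max_failures=5, max_clients=3):
    """Return alerts; each carries who/when/where/how so a person can act on it."""
    alerts = []
    failures = defaultdict(deque)   # ip -> recent failed-login timestamps
    views = defaultdict(deque)      # user -> recent (ts, client) views
    fired = set()                   # suppress repeats of the same sliding-window alert

    def alert(kind, e, detail):
        key = (kind, e["user"], e["ip"])
        if key in fired and kind != "bulk_action":
            return
        fired.add(key)
        alerts.append({"kind": kind, "who": e["user"], "when": e["ts"].isoformat(),
                       "where": e["ip"], "how": detail})

    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "login" and e["result"] == "fail":
            q = failures[e["ip"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= max_failures:
                alert("brute_force", e, f"{len(q)} failed logins within {window}")
        elif e["action"] == "view_client" and e["result"] == "ok":
            q = views[e["user"]]
            q.append((e["ts"], e["client"]))
            while q and e["ts"] - q[0][0] > window:
                q.popleft()
            distinct = {c for _, c in q}
            if len(distinct) > max_clients:
                alert("account_sweep", e,
                      f"viewed {len(distinct)} distinct client accounts within {window}")
        elif e["action"] in BULK_ACTIONS:
            alert("bulk_action", e, f"{e['action']} on the whole database")
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

Each alert record is what the email or text message would carry; the same log, retained, is what the post-action analysis in the answer above is done from.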
5. Does your site use 256-bit SSL encryption protocols throughout all pages, including communications between servers?
Ideal answer: Yes! Other possible answers:
a.) 128-bit SSL, which is encryption, but more easily broken than 256-bit;
b.) Only on certain important pages of the site, while information pages are not encrypted. This hybrid arrangement can be harder to maintain, when it is relatively easy to encrypt the whole site;
c.) No, we do not encrypt (this would be very unusual and bad).
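Answer (b), the hybrid site, is the one that is hardest to spot from the outside, because the login page looks fine in the browser. In current terms "SSL throughout all pages" means TLS (the protocol that replaced SSL) on every page. The following added check, not any provider's code, shows what "throughout" means in practice: every plaintext request is redirected to HTTPS, every HTTPS page sends a Strict-Transport-Security header, and no HTTPS page embeds scripts or images over plain HTTP. The observed responses and the `provider.example` hostnames are constructed; a real audit would fetch each page.

```python
"""Check that a site is encrypted throughout, not just on 'important' pages.

Added illustration over constructed responses, not a specific provider's site.
Header names are compared case-insensitively.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Observed:
    url: str                                        # URL that was requested
    status: int
    headers: dict = field(default_factory=dict)
    resources: list = field(default_factory=list)   # scripts/images the page embeds


def audit(observations):
    """Return (url, finding) pairs; an empty list means 'encrypted throughout'."""
    findings = []
    for o in observations:
        hdrs = {k.lower(): v for k, v in o.headers.items()}
        if urlparse(o.url).scheme == "http":
            if o.status in (301, 302, 307, 308) and hdrs.get("location", "").startswith("https://"):
                continue   # plaintext request bounced to TLS: fine
            findings.append((o.url, "content served over plaintext HTTP"))
            continue
        if "strict-transport-security" not in hdrs:
            findings.append((o.url, "no HSTS header, so a later plaintext request is not upgraded"))
        for r in o.resources:
            if urlparse(r).scheme == "http":
                findings.append((o.url, f"mixed content: embeds {r} over HTTP"))
    return findings


# Constructed: the hybrid pattern from answer (b). Login is encrypted,
# information pages are not, and one HTTPS page pulls a script over HTTP.
HYBRID_SITE = [
    Observed("http://provider.example/", 200),
    Observed("http://provider.example/about", 200),
    Observed("https://provider.example/login", 200,
             {"Strict-Transport-Security": "max-age=31536000"}),
    Observed("https://provider.example/dashboard", 200,
             {"Strict-Transport-Security": "max-age=31536000"},
             ["http://cdn.example/widget.js"]),
]

# Constructed: the same site encrypted throughout.
FIXED_SITE = [
    Observed("http://provider.example/", 301, {"Location": "https://provider.example/"}),
    Observed("https://provider.example/", 200,
             {"Strict-Transport-Security": "max-age=31536000"}),
    Observed("https://provider.example/login", 200,
             {"Strict-Transport-Security": "max-age=31536000"}),
]

if __name__ == "__main__":
    for url, finding in audit(HYBRID_SITE):
        print(f"{url}: {finding}")
    print("fixed site findings:", audit(FIXED_SITE))
```

The mixed-content case is why "only on certain important pages" is more than a maintenance nuisance: a script loaded over plain HTTP into an encrypted dashboard runs with that page's access to the client's data.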
Let us acknowledge that no site can be 100 percent secure against all attacks. That being said, keeping software up to date, implementing encryption and limiting the number of personnel with admin access are part of a layered defense that makes hacking more difficult.
Make sure your online IRS compliance providers do these things at a minimum before entrusting your data to them.