Tax season scaries: How to keep your data safe from insider threats
With April 15 quickly approaching, companies across the country are rushing to get their taxes filed. This often requires third party specialists who are well-versed in corporate taxes and prepared to navigate new regulations. While the right contractors are extremely valuable during tax season specifically, they shouldn’t be overlooked when it comes to managing insider threats.
According to a survey by NPR, one in five employees is a contractor – that’s 20 percent of American workers. This number is only going to increase in the next five to ten years as the workforce adapts to a shifting economy where companies rely more and more on temporary and specialized workers that operate on a project basis. Because filing taxes often requires specialty skills not needed year round, the first quarter generally sees a surge in contractor usage meaning companies are facing a heightened risk environment.
Further, tax season involves the creation and circulation of sensitive personally identifiable information (PII) internally within companies and also with outside firms (contractors). As such, leakage of this sensitive data with malicious or non-malicious intent is one of the biggest risks companies face during the first quarter. This is the time of the year when hackers, dark web consortiums, and nation states are especially active given the multitude of sensitive PII making its way through organizations.
So, when working with third party specialists and managing a multitude of sensitive information, be sure to mind these areas of the tax filing process:
Workflow: The tax process is a perfect example of a case management workflow which requires deep and rich collaboration between multiple stakeholders. As such, organizations need to implement the right controls throughout the lifecycle of the tax process to prevent data exfiltration attempts posed by insiders.
Documentation: Tax documents contain a wealth of information – in particular, highly sensitive PII such as Social Security numbers, first name, last name, address, phone numbers, etc., that, if leaked, could cause significant personal and financial damage.
Personnel: As mentioned, contactors can be valuable assets to companies, providing short-term support and expert knowledge, but the uncertainty of human nature cannot be ignored. Whether motivated by bad intent or carelessly acting in ignorance, people are unpredictable and must be properly and thoroughly trained in how to best protect sensitive data.
What’s at stake
Personal and identifiable information used in the tax preparation process can be used to commit fraud, sabotage, hacking, and identity theft if it gets into the wrong hands – a fairly common occurrence in today’s environment. The selling and buying of PII data is a lucrative business on the dark web, and due to the mass amounts of data cultivated and collected during tax season, identify theft is one of the easiest ways for criminal organizations to make money this time of the year. Companies are entrusted with employee data and have an obligation to maintain its security, which means they should be taking extra precautions when risk is especially high.
How to detect and respond to insider threats
Organizations should always take a layered security approach to protect the company’s assets and their employees’ PII data, but it’s especially important during tax season when more outsourced work can open the door to new threats. The key to such detection and prevention is granular visibility of users and their data activity to detect and stop data exfiltration before it can even happen.
Further, as the number of contractors within an organization increases, companies can no longer manage them differently from full-time employees by identifying and tagging them as administratively determined (AD). Networks have become flat, people move, access is remote and the clear distinction between full time and a contractor is fading. This means that in-depth cybersecurity training and insider threat management is necessary for all employees, no matter how short their presence is at the company. This is especially important when employees are handling sensitive personal and company information.
Insider threats can be just as damaging, if not more so, than an external threat from a company adversary. Triggers such as mergers and acquisitions, performance reviews, bonus payouts, and two-week notices, result in peak threats – meaning times of change can make companies the most vulnerable. The change in personnel and workflow that happens around tax season is no different. Although inherent trust makes onboarding contractors easier, this trust is not necessarily warranted and it can end up costing companies in the long run.
Filing taxes is a complex process that requires careful management of PII. This time of year, when stress is high and outsiders are brought in, it’s more important than ever to implement the right processes and technology to save your company and employees from avoidable reputational and financial damage.