Ethics, Part 2 -- Chapter 5: Cybersecurity (pp. 153-169), 2017 National Income Tax Workbook

Introduction (p. 153)
- Cybersecurity
- Risk of a cyberattack
- Cybersecurity breaches
- Cost of a cybersecurity breach
- Risk management

Continuing Education (p. 154)
- The duty to safeguard client privacy and data security is an ethical duty of the tax professional.
- Per the IRS, identity theft and data security programs that focus on raising tax professionals' awareness of how to protect client data can also qualify for continuing education credit in the federal tax law category.

Risk of Cyberattack (p. 154)
- Data breaches increased 40% in 2016.
- Small businesses are at greater risk because they have less time, money, and expertise to defend against a cyberattack.
- As big businesses become more secure, attackers shift to small businesses.
- Attackers are specifically targeting tax practices, which hold exactly the data (names, SSNs, DOBs, bank accounts) needed for identity theft and refund fraud.
Cybersecurity Breaches (pp. 155-157)
- Hacking
- Phishing
- Denial-of-Service (DoS)
- Malicious code
- Theft or loss of a device
- Employee or vendor error

Hacking (p. 155)
- Goal: steal information or shut down the system.
- Method: exploit vulnerabilities to gain unauthorized access, for example by getting a victim to download a virus, by intercepting traffic on an unsecured wireless network, or by obtaining a password without authorization.

Example 5.1 (p. 155)
Hackers broke into the retail credit card system of T.J. Maxx and Marshalls by intercepting unencrypted wireless transfers at the stores, and stole more than 90,000,000 credit and debit card numbers.
Phishing (p. 155)
- An email that looks legitimate but is designed to trick the recipient into giving up confidential information.
- In 2016 the IRS saw a 400% increase in phishing and malware incidents.

Example 5.2 (p. 155)
A new hire at a bank received a "welcome" email that appeared to come from HR and asked for the employee's date of birth and SSN. The message really came from a third party trying to obtain confidential information.
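The lure in Example 5.2 works because the recipient judges the message by its display name ("HR Department") rather than by the addresses in the headers. The following Python script, added here as an illustration and not part of the workbook, parses a message with the standard library's email module and flags the inconsistencies such a message typically carries: a From address outside the organization's domain, a Reply-To or Return-Path pointing at a different domain than the From address, and a body that asks for SSN or date of birth. The bank domain, the two sample messages, and the indicator names are constructed for the demonstration.

```python
"""Flag phishing indicators in a "welcome from HR" e-mail (added example).

Uses only the standard library.  The internal domain, the two messages and
the indicator names below are constructed for this demonstration; in a real
deployment the internal domain comes from configuration and the checks would
run in a mail filter or a help-desk triage tool.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed internal domain of the fictional bank in Example 5.2.
INTERNAL_DOMAIN = "bank-example.com"

# Requests a legitimate onboarding e-mail would not make over e-mail.
# Word boundaries keep "ssn" from matching inside ordinary words.
SENSITIVE_REQUESTS = (
    r"\bsocial security number\b",
    r"\bssn\b",
    r"\bdate of birth\b",
    r"\bdob\b",
)


def _domain(header):
    """Lower-case domain of an address header ('' if header is missing)."""
    _display_name, addr = parseaddr(str(header) if header else "")
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the list of indicator names found in an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    path_dom = _domain(msg.get("Return-Path"))

    # The display name says "HR", but does the address belong to us?
    if not (from_dom == INTERNAL_DOMAIN
            or from_dom.endswith("." + INTERNAL_DOMAIN)):
        findings.append("from-domain-not-internal")

    # Replies (and bounces) going somewhere other than the sender's domain
    # are a classic sign the From header is only for show.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    if path_dom and path_dom != from_dom:
        findings.append("return-path-mismatch")

    # Does the body ask for the data the attacker in Example 5.2 wanted?
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    if any(re.search(pattern, body) for pattern in SENSITIVE_REQUESTS):
        findings.append("requests-sensitive-data")

    return findings


# Constructed lure modelled on Example 5.2 (not a real message).
PHISH = """\
Return-Path: <bounce@mail-hr-notices.net>
From: "HR Department" <hr@bank-example-hr.net>
Reply-To: onboarding@mail-hr-notices.net
To: new.hire@bank-example.com
Subject: Welcome aboard - complete your payroll profile
Content-Type: text/plain; charset="utf-8"

Welcome to the team! To finish setting up payroll, reply with your
date of birth and Social Security Number by end of day.
"""

# Constructed legitimate message for comparison.
LEGIT = """\
Return-Path: <hr@bank-example.com>
From: "HR Department" <hr@bank-example.com>
To: new.hire@bank-example.com
Subject: Welcome aboard
Content-Type: text/plain; charset="utf-8"

Welcome to the team! Orientation is Monday at 9am in room 204.
Please bring your I-9 documents to the HR office in person.
"""

if __name__ == "__main__":
    print("lure:      ", phishing_indicators(PHISH))
    print("legitimate:", phishing_indicators(LEGIT))
```

The checks are heuristics, not proof: an attacker who has compromised a real internal mailbox will pass all of them, which is why the workbook's advice to confirm any request for SSNs or dates of birth by a second channel (a phone call to the HR office) stands regardless of what the headers say.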
Denial-of-Service Attacks (p. 155)
- The attacker floods a website or server with requests until it runs out of capacity (or crashes).
- Legitimate users cannot access the system or the website while the flood lasts.

Example 5.3 (pp. 155-156)
Attackers hit Dyn, a DNS provider, with a distributed denial-of-service attack that overwhelmed its systems with junk traffic. The disruption started on the East Coast and then spread internationally, cutting off access to Twitter, Netflix, and PayPal for many users.
Malicious Code (p. 156)
- Software that gives the computer incorrect or destructive instructions.
- Designed to damage, disrupt, or steal.
- Arrives on an infected drive, in a spam email, or from a hacked web page.

Example 5.4 (p. 156)
Attackers planted malware on Hannaford Bros. servers that intercepted payment card data as it was processed and forwarded up to 4.2 million stolen card numbers overseas.

Other Malware (p. 156)
- Viruses: alter files, replicate themselves, and damage the system.
- Trojan horses: programs disguised as legitimate software; lead to loss or theft of data.
- Ransomware: encrypts or otherwise blocks access to data until a ransom is paid.

Example 5.5 (p. 156)
A 2017 ransomware attack (the WannaCry outbreak) began in Europe and Asia and then spread worldwide. The attackers encrypted files, locking more than 200,000 computers in over 150 countries. The display screen demanded $300 in Bitcoin to restore the files.

Spyware and Adware (p. 157)
- Spyware: may display advertising, collect personal information, or change the configuration of a computer without the user's knowledge.
- Adware: displays unwanted advertisements (such as pop-ups), redirects search requests to advertising websites, and collects marketing data.
Theft or Loss of a Device (p. 157)
- A breach caused by the theft or loss of a laptop, smartphone, tablet, or removable media.
- The loss of the hardware is a nuisance; the breach is the unencrypted data on it.

Example 5.6 (p. 157)
A Veterans Affairs employee was working from home when his laptop and an external hard drive were stolen. They held unencrypted information on 26.5 million people, including names, SSNs, and dates of birth.

Employee Errors (p. 157)
- Unknowingly downloading malware.
- Using an unsecured computer network.
- Inadvertently releasing personal information.

Example 5.7 (p. 157)
The Boston Globe accidentally recycled paper containing subscriber financial data and used it to print routing slips for 9,000 bundles of newspapers distributed to retailers and newspaper carriers. Information on about 240,000 subscribers was disclosed.
Costs of a Cybersecurity Breach (pp. 158-159)
- Internal costs: investigating and responding to the breach.
- External costs: lost business, damaged equipment, and liability to others.

Internal Costs of a Breach (p. 158)
- Detection and deterrence: IT staff or other security personnel.
- Investigation: a forensic accountant or examiner to determine what, if anything, was taken.
- Containment: shutting down insecure applications and stopping the attack.
- Recovery: restoring data from backups.
- Response: improving the system to deter future attacks.

External Costs of a Breach (pp. 158-159)
- Information loss or theft: attorneys, breach reporting, identity repair for victims, penalties and fines, lawsuits.
- Business disruption: downtime.
- Equipment damage: repairing or replacing software and systems.
- Lost revenue: damage to reputation, lost customers.
Risk Management (pp. 159-161)
Reduce the likelihood of a breach:
- Designate an IT manager responsible for security.
- Employee training and awareness.
- System security: encryption, strong passwords, timely patching.
- Intrusion prevention and detection systems.
- A separate guest network so visitors never touch the network that holds client data, etc.

Risk Management, continued (pp. 161-162)
Reduce the size of a loss:
- A written response plan.
- Cybersecurity insurance.

Cybersecurity Insurance (pp. 162-163)
- Transfers the cost of a loss to the insurance company.
- Look closely at what is covered:
  - Loss of income
  - Equipment damage
  - Attorney, forensic investigator, and public relations costs
  - Third-party claims and defense
  - Ransom payments
  - Regulatory fines or penalties, etc.

Coverage Limits and Cost (p. 163)
Coverage limits depend on:
- Size and scope of the business
- Number of customers
- Presence on the Internet
Coverage cost depends on:
- Number of clients
- Loss history
- Selected coverage
Appendix 2: Sample Information Security Plan (pp. 166-169)
- Every tax practice should have one.

Questions?