IRS Releases Part 3 of a Five-Part Security Summit Tips for Tax Professionals

On August 6, 2020 the Internal Revenue Service (IRS), in partnership with the Security Summit, issued the third part of their five-part series providing tips for tax professionals to thwart off cyber-security attacks during COVID-19. This week the advice was focused on virtual private networks (VPN). A VPN ensures your location stays private, your data is encrypted, and you can surf the web anonymously.

To understand how a VPN works, it is important to understand the basic transaction that occurs when individuals browse the internet. For example, when an individual types in their browser they are entering the website’s domain name. A domain name designates the name of the website’s IP address. Every computer and device accessing the internet also has an IP address as well. When an individual types in into their internet browser they are sending their data into the internet until it reaches the server. Then that server translates the data and sends the website that individuals has requested to visit. During these transactions, however, individuals are not only sending  requests to visit various websites, they’re also sending out their computer’s IP address and other information too. This allows the potential for hackers to intercept a person’s information. The use of a VPN will protect an individual’s information from being intercepted. A VPN creates a tunnel that encrypts information. A VPN is essential for any business because it provides a safe way to transmit data between a remote user via the Internet and the business network.

Chuck Rettig, the IRS Commissioner noted that “We continue to see tax pros fall victim to attacks every week. Failure to use VPNs risks remote takeovers by cyberthieves, giving criminals access to the tax professional’s entire office network simply by accessing an employee’s remote internet.”

However, finding a legitimate vendor to purchase a VPN from can be difficult. Carefully review various companies that offer VPN services and be sure to choose a service that includes all the capabilities that will meet your needs.

And, while not stated in the IRS’s tip for this week, it is also important to know that while a VPN is necessary, it is not a magical privacy shield that will completely insulate any company from vulnerabilities to cyberattacks. For example, a VPN cannot protect you against a website setting a tracking cookie on your device that will then alert other websites about you. A VPN also cannot protect you against a website that sells your email address to a third-party data broker.

Lastly, the IRS tip for this week also includes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) advice regarding VPNs:

  • Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and security configurations.
  • Alert employees to an expected increase in phishing attempts.
  • Ensure information technology security personnel are prepared to ramp up these remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
  • Implement multi-factor authentication on all VPN connections to increase security. If multi-factor is not implemented, require teleworkers to use strong passwords
  • Ensure IT security personnel test VPN limitations to prepare for mass usage and, if possible, implement modifications—such as rate limiting—to prioritize users that will require higher bandwidths.


As always, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in Publication 4557 Safeguarding Taxpayer Data (PDF), as well as the National Institute of Standards and Technology (NIST’s) Small Business Information Security: The Fundamentals (PDF).

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us