Building more secure passwords, based on updated IRS guidance
IRS would like you and your finance team to bump “Create more secure passwords” to the top of your priority list for 2020.
The Taxman recently released new advice in honor of National Tax Security Awareness Week.
And it has some very specific guidelines when it comes to passwords.
Here’s what IRS expects of you and your finance team now.
Ditch passwords in favor of these
First and foremost, make sure every member of your accounting and finance staff has switched to using phrases instead of single words to secure your systems and software.
That was the No. 1 takeaway from IRS’s advice.
The primary benefit? Phrases are easier to remember so staffers won’t have to write them down somewhere prying eyes can see.
But there are a slew of other security precautions IRS expects you to take. Make sure everyone on your team knows about these steps to more secure passwords:
- Don’t use email addresses as user names if that’s an option
- Change all default or temporary passwords that come with devices
- Incorporate a combination of letters, numbers and special characters within your passphrase
- Don’t simply update passwords (e.g., changing a 7 to an 8) – find a whole new phrase, and
- Use multi-factor authentication whenever possible.
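The checks in the list above can be enforced when a password is set rather than left to memory. The sketch below is an added example, not IRS code or guidance text: the function names, the three-word minimum and the two-character "tweak" threshold are assumptions, and the sample values in the usage note are constructed.

```python
import re

MIN_WORDS = 3   # assumption: what counts as a "phrase" rather than a single word
MAX_TWEAK = 2   # assumption: this many character edits or fewer is "just an update"

def _edit_distance(a, b):
    """Levenshtein distance, used to spot a '7 became 8' style update."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_passphrase(new, old=None, known_defaults=()):
    """Return a list of rule violations; an empty list means the phrase passes."""
    problems = []
    # Phrase, not a single word: count runs of letters.
    if len(re.findall(r"[A-Za-z]+", new)) < MIN_WORDS:
        problems.append("not a phrase")
    # Letters, numbers and special characters must all be present.
    has_all = (re.search(r"[A-Za-z]", new) and re.search(r"\d", new)
               and re.search(r"[^A-Za-z0-9\s]", new))
    if not has_all:
        problems.append("missing character class")
    # Default or temporary passwords shipped with a device must be replaced.
    if new.lower() in {d.lower() for d in known_defaults}:
        problems.append("default password")
    # A new phrase must not be the old one with a character or two changed.
    if old is not None and _edit_distance(new.lower(), old.lower()) <= MAX_TWEAK:
        problems.append("tweak of old password")
    return problems

def check_username(username):
    """Flag user names that are email addresses."""
    return ["username is an email address"] if "@" in username else []
```

Changing `Summer2018!` to `Summer2019!` fails on two counts (single word, one-character update), while an unrelated multi-word phrase containing a digit and a symbol returns an empty list. Multi-factor authentication is configured in the system itself and is outside what a string check can cover.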
Shore up here, too
While IRS didn’t address this specifically in its latest update, there is one vulnerability that often isn’t password-protected at all: desktop folders.
Those little manila-shaped icons are leaving companies’, their employees’ and even their customers’ sensitive information at risk.
That’s the finding of the recent 2019 Varonis Global Data Risk Report.
Specifically, these two vulnerabilities make desktop folders a liability for every firm:
- They’re not locked down. Nearly a quarter (22%) of folders are open to everyone. For 15% of your peers that equals more than one million folders that anyone could access.
- They’re full of stale data. Almost three-quarters (73%) of desktop folders house stale data, which is sensitive info a company no longer needs to do business.
Going forward, every folder should be accessible only to the people who need it. That means asking IT to lock folders down and restrict access.
But you might encounter some pushback from IT when you raise the issue. The techies estimate it takes about six to eight hours per folder to locate and manually remove global access groups, then figure out who needs access and create new groups.
Considering how much a data breach could cost, it’s worth the effort.