Auditing The Auditors

April 15 is right around the corner, and taxes are probably on most folks’ minds. Everyone has to do their taxes, but most people don’t exactly look forward to it. And then when we hear that there are security risks at the IRS, it doesn’t exactly help us get excited about filing our returns and giving the agency our sensitive information.

The Government Accountability Office (GAO) recently released a report entitled “Information Security: IRS Needs To Continue Improving Controls Over Financial And Taxpayer Data” on the cybersecurity failures of the IRS. Jeff Knott, Assistant Director at GAO’s Information Security Issues Group, sat down with Christopher Dorobek for the podcast DorobekINSIDER and spoke about the findings of the audit.

The GAO conducts this audit-of-the-auditors each year, and while they have seen improvements since the beginning of the annual reports in the early 1990s, big problems with information security remain prevalent at the IRS.

The sensitive nature of all of the data that the IRS systems house make this a particularly grave issue. When there are IT breaches at the Home Depot, for instance, no one is happy about the news, but when there are similar failures at a government agency responsible for Americans’ sensitive financial information, it’s even worse.

So, according to Knott, the IRS really needs to make massive improvements. They have done some good things already, such as updating their workstations and laptops and increased the complexity of the login process. Additionally, they’ve allocated more money towards improving cybersecurity, but it’s not quite enough, Knott said. But management changes at IRS have helped make cybersecurity more of a priority.

“They have a new Chief Technology Officer [Terence V. Milholland], and he’s certainly changed the culture and helped focus the attention on these issues,” said Knott.

To make matters better, where should Milholland and others begin to revise their approach? According to Knott, it’s important to figure out the biggest priorities, and begin there.

“The GAO alone has made about 70 outstanding recommendations for improving information security at IRS,” he said. “So it’s a matter of assessing the risk associated with those, and then prioritizing them appropriately during the time of budget constraints.”

The issue that the IRS needs to sort out, then, is figuring out where amongst the seventy recommendations they should mine their efforts now. “They have to look at the impact of that weakness,” he explained. “Ask themselves, how vulnerable does it make them? And figure out which one makes the most sense to correct first, wherever they’re most vulnerable.”

One major issue that the IRS is up against that might need timely addressing is the security surrounding external contractors. According to Knott, the IRS itself has a very good security awareness training program in place, but some of the contracted companies they work with don’t match up. As he pointed out, “You’re only as strong as your weakest link.”

So, moral of the story: don’t forget to do your taxes – due April 15! But also, auditing government agencies can show that even the auditors themselves have huge improvements to be made towards passable cybersecurity.

Leave a Comment

Leave a comment

Leave a Reply