Best Practices 03-23-2015

Tax Season Calls for Best Practices in Enterprise Security

Ashley Call

Let’s face it: whether you’re at the bottom of the enterprise totem pole or the head of the finance department, tax season is a headache for everyone. On top of all the typical stresses of filing taxes, the ever-increasing use of electronic filing makes tax season a vulnerable time for data breaches. Recent articles from the Washington Post and Forbes have everyone a little on edge about the security of online tax corporation sites, but the security vulnerabilities during tax season are bigger than tax software breaches. Poor security practices by employers that use the Internet to make the tax process more convenient could be making company and individual data more susceptible to attack.

What Employers Need to Do to Protect their Employees’ Data

Companies should implement security best practices to protect employee data when exchanging information online. An employer’s security mistakes have consequences not only for the company, but also personally for every employee.

Encrypted Communication

Anne* (not her real name) has not received her W-2 form in the mail yet from her prior employer. She emails her finance contact at her previous company, asking where the W-2 is, and her contact responds immediately. The email contains a short response and an attachment: a scanned copy of Anne’s W-2. The entire correspondence took 20 minutes, but now a scanned version of Anne’s W-2 (including Social Security number, address, salary, and previous employer’s information) is floating around on the Internet in plain text.

While many mainstream mail servers are adopting TLS to encrypt their clients’ communications, there is still a lot of work to be done. Gmail, one of the first three mail providers to implement TLS, reported that 78% of outgoing mail from Gmail is encrypted, but only 57% of incoming mail to Gmail is encrypted. On the other hand, less advanced servers like and are currently encrypting “less than 1 percent of the traffic coming to and from Gmail.”

To avoid the risks of transferring sensitive information over insecure email servers, enterprises must prioritize email encryption. Whether through customization of popular email servers or through proprietary methods, enterprises must secure their communications in order to keep clients’ information secure.
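One way to see whether a message such as Anne's actually travelled over TLS is to read the `Received` headers each mail server adds. The following is an added example, not part of the original article: it classifies every hop by the protocol keyword the receiving server recorded (`ESMTPS`/`ESMTPSA` mean TLS was used, plain `ESMTP` means it was not). The hostnames, addresses and IDs in the sample are constructed, and because each header is self-reported by a server, the result is an indication rather than proof.

```python
import re
from email import message_from_string

# "with" protocol keywords registered for Received headers (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
PLAIN_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA", "UTF8SMTP", "UTF8SMTPA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample: hostnames, addresses and IDs are made up for illustration.
SAMPLE = """\
Received: from mx.prior-employer.example ([192.0.2.10])
 by mx.mailhost.example with ESMTP id abc123
 for <anne@mailhost.example>; Mon, 23 Mar 2015 10:05:00 -0600
Received: from finance-pc.prior-employer.example ([198.51.100.7])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 by mx.prior-employer.example with ESMTPSA id def456;
 Mon, 23 Mar 2015 10:04:58 -0600
From: finance@prior-employer.example
Subject: Your W-2

Scanned copy attached.
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments, which may contain 'with'."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)

def classify_hops(raw_message):
    """Return (receiving_host, protocol, status) per hop, newest hop first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        clauses = strip_comments(" ".join(value.split())).split(";")[0]
        by = re.search(r"\bby\s+(\S+)", clauses)
        proto = WITH_RE.search(clauses)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        status = "tls" if name in TLS_PROTOCOLS else "plaintext" if name in PLAIN_PROTOCOLS else "other"
        hops.append((by.group(1) if by else "?", name, status))
    return hops

def plaintext_hops(raw_message):
    return [hop for hop in classify_hops(raw_message) if hop[2] == "plaintext"]
```

In the sample, the submission from the finance workstation is encrypted, but the hand-off between the two companies' mail servers is not, which is the hop where the scanned W-2 is exposed.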

Note: In addition to email encryption, Document Signing certificates are an important way to authenticate the source and validity of any document. When transferring tax documents, employers can use Document Signing certificates to let their employees know to trust the source.

Secure Portals

Today most enterprises use some type of web portal to organize HR procedures and other employee information. While these portals can dramatically simplify the process of hand delivering or mailing W-2s to individual employees during tax season, the security risks associated with unsecured web portals can be significant. Enterprises need to secure their portals to protect their employees’ personal data.

During tax season, or other times of increased information-sharing (e.g., open-enrollment for insurance, holidays, beginning of school semesters, etc.), hackers will use social engineering or phishing methods to get employee information—making identity-vetted SSL very important during that time.

The surest way to secure any web portal is through an EV SSL Certificate that offers both extended validation and high-assurance encryption. DigiCert’s EV SSL Certificates are the highest level of encryption certificate available on the Internet (256-bit encryption). This level of encryption is unparalleled on the Internet and will secure any portal from an outside attack.

EV SSL Certificates also require that each site is fully validated with human-to-human verification. DigiCert’s extended validation includes verification of the legal, physical, and operational existence of the entity; verification that the identity of the entity matches official records; verification that the entity has an exclusive right to use the domain specified; and verification that the entity has properly authorized the issuance of the certificate.

EV SSL Certificates also boost client confidence by clearly showing that they are secure. Each site secured with an EV SSL Certificate shows up with a green branded bar in the web browser. This green bar is easily identified as a clear sign that the site is encrypted and protected, and reassures users that it is safe to enter sensitive information.

Note: If you are an end user, you also have the responsibility of checking that the sites your company is using are secure. If you’re concerned that your company is using a method of communication that is not secure, talk directly to your IT administrators and request that they deliver your tax information in another way.

Increased Vulnerability Requires Increased Precaution

Organizations looking to make their communications more convenient around tax time must also prioritize security to keep their clients’ information safe. Whether the hacks are socially engineered or technically sophisticated, the security vulnerabilities around tax season require increased precautions at the enterprise and individual level. By improving security practices, enterprises will gain the trust of their clients and will avoid the inconvenience and expense of attacks—whether it’s tax season or not.

