The Treasury Department’s latest audit found that security at the US Internal Revenue Service (IRS) is still lacking.

Government auditors posed as help-desk employees and called various IRS employees. 60% of IRS workers readily gave up their user names and agreed to change their passwords when prompted. This is a serious security threat, since those passwords are then at risk of being compromised.

The same social engineering test was performed in 2001, when 71% of employees failed. Employee training improved this, and a similar test in 2004 revealed a failure rate of 35%. Now it seems those numbers have climbed once again.

Employees who failed the test said they exposed their login information because they thought it was legitimate, thought changing a password was different from disclosing it, or had experienced past computer problems.

This new audit reinforces the need for a strong security policy coupled with consistent security training in order to minimize the human factor in data breaches.

The inspector general for the Treasury Department concluded that:

“Employees either do not fully understand security requirements for password protection or do not place a sufficiently high priority on protecting taxpayer data in their day-to-day work.”

It is recommended that IRS employees be re-trained on password security and on the use of social engineering to obtain secure and private information. A further audit has been suggested in order to gauge the disciplinary action taken against those who put the agency's security at risk. The IRS should also conduct regular internal social engineering tests in order to stay on top of this security issue.

To date, no IRS data has been breached in any way. The report concludes that IRS employees are the “weakest link” in the security system.

Download the full report from the US Treasury here. [PDF]

Via webcpa & channel register
