Tax Season’s Silent Threat: The Importance of Securing the Software Supply Chain

In 2023, the Federal Trade Commission (FTC) issued a warning to five of the most popular tax preparation companies, stating that they could face civil penalties if they used confidential data collected from consumers for unrelated purposes.

Two years after the warning was published, an even greater concern has emerged — the integrity of the tax prep companies’ software. Gartner predicts that by this year, 45% of organizations worldwide will have experienced attacks on their software supply chains. For tax prep businesses and their customers, the consequences of a compromised software supply chain could be devastating, and the potential threats and damages would extend well beyond the April 15 tax deadline.

The Hidden Risks in Tax Software 

Sensitive data within tax prep software ranges from finances to personal details such as marital status and children, and even health details, all of which is a top target for cybercriminals. Adversaries can use this information to conduct identity theft, tax refund fraud and other forms of financial fraud, targeted phishing attacks, and even extortion and blackmail.

One of the most common ways that adversaries attempt to penetrate tax prep companies’ networks is by exploiting vulnerabilities in their software. Tax software, like the overwhelming majority of software today, is built from open-source components. Unfortunately, these dependencies often bring a multitude of security weaknesses.

Nearly all (95%) of security weaknesses originate within open-source packages, with half of these vulnerabilities, across all severity levels, having no known fixes. In addition, nearly three-fourths of open-source components are either poorly or no longer maintained. 

With the demand that tax season places on these organizations’ developers, it is nearly impossible for them and their security teams to keep up with software supply chain maintenance and governance, leaving wide-open gaps for threat actors to infiltrate. Plus, the recent IRS reduction in force could also increase IT security threats and make it easier for cybercriminals to break in, due to fewer employees, delayed security updates and patches, and a diminished capacity to handle security threats and inquiries.

Strengthening Tax Software from the Inside Out 

Fortunately, there are steps tax companies’ developers and security teams can take to stay secure all year long. 

  1. Get to Know What’s in Your Software: Developers and security teams don’t have X-ray vision, so tax companies need a solution that can generate a comprehensive software bill of materials (SBOM). SBOMs provide visibility into all open-source, third-party, and custom-developed software components, ensuring that even the deepest layers of dependencies meet current compliance standards and don’t introduce risk.
  2. Keep Your SBOMs Organized: Sometimes tax prep companies need to access an SBOM quickly, whether to verify the origin of software, provide it to a third party, or pull information for other software. Tax prep companies need a secure channel to share SBOMs and security attestations when needed, all while maintaining confidentiality.
  3. Hold Third Parties to a High Security Standard: Tax prep companies work with a variety of third-party vendors, including e-filing and payment processors, identity verification and fraud prevention companies, cloud and hosting providers, and even marketing and analytics companies. Tax organizations must be able to verify the safety of third-party software and track, share, and manage SBOMs across multiple partners to ensure the integrity of the entire software ecosystem.
  4. Don’t Wait for a Vulnerability to Present a Problem: Identifying vulnerabilities is only half of the battle. Tax organizations also need to act to fix them quickly, especially for open-source code that might not even have a patch available. Fortunately, there are solutions on the market that can help developers prioritize which vulnerabilities to address first and provide guidance on how to fix them.
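As an added illustration of steps 1 and 4 (example code, not from the original article or any vendor product), the Python below joins a constructed CycloneDX-style SBOM with a constructed advisory feed and ranks the findings so that critical, unpatchable, and unmaintained components surface first; all package names, advisory ids, and release-age figures are made up, and the one-year staleness threshold is an assumption.

```python
import json

# Constructed CycloneDX-style SBOM fragment for a hypothetical tax app (not a real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "pdf-render", "version": "2.1.0", "purl": "pkg:pypi/pdf-render@2.1.0"},
  {"type": "library", "name": "xml-parse", "version": "0.9.3", "purl": "pkg:pypi/xml-parse@0.9.3"},
  {"type": "library", "name": "tax-forms", "version": "4.0.1", "purl": "pkg:pypi/tax-forms@4.0.1"}]}"""

# Constructed advisory feed keyed by purl; "fixed_in" is None when upstream has no patch.
ADVISORIES = [
    {"purl": "pkg:pypi/pdf-render@2.1.0", "id": "ADV-EXAMPLE-1", "severity": "HIGH", "fixed_in": "2.1.4"},
    {"purl": "pkg:pypi/xml-parse@0.9.3", "id": "ADV-EXAMPLE-2", "severity": "CRITICAL", "fixed_in": None},
    {"purl": "pkg:pypi/xml-parse@0.9.3", "id": "ADV-EXAMPLE-3", "severity": "LOW", "fixed_in": "1.0.0"},
]
# Constructed maintenance signal: days since each upstream project last shipped a release.
DAYS_SINCE_RELEASE = {"pdf-render": 40, "xml-parse": 900, "tax-forms": 15}
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}
STALE_DAYS = 365  # assumption: a year without a release marks a component as poorly maintained


def recommend(unfixable, unmaintained, fixed_versions):
    """Turn the per-component facts into the action a developer should take first."""
    if unfixable and unmaintained:
        return "replace: no upstream fix and the project looks abandoned"
    if unfixable:
        return "mitigate: at least one advisory has no upstream fix"
    newest = max(fixed_versions, key=lambda v: tuple(int(x) for x in v.split(".")))
    return "upgrade to " + newest


def triage(sbom_json, advisories, days_since_release):
    """Join SBOM components with advisories; return findings, highest priority first."""
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        advs = by_purl.get(comp["purl"], [])
        if not advs:
            continue  # nothing in the feed for this component; nothing to prioritize
        unfixable = any(a["fixed_in"] is None for a in advs)
        unmaintained = days_since_release.get(comp["name"], 0) > STALE_DAYS
        fixed = [a["fixed_in"] for a in advs if a["fixed_in"]]
        findings.append({"name": comp["name"], "version": comp["version"],
                         "max_severity": max(SEVERITY_RANK[a["severity"]] for a in advs),
                         "advisories": [a["id"] for a in advs], "unfixable": unfixable,
                         "unmaintained": unmaintained, "action": recommend(unfixable, unmaintained, fixed)})
    # Worst severity first, then components with no fix, then stale upstreams.
    findings.sort(key=lambda f: (-f["max_severity"], -f["unfixable"], -f["unmaintained"], f["name"]))
    return findings
```

Running `triage(SBOM_JSON, ADVISORIES, DAYS_SINCE_RELEASE)` puts xml-parse first (critical, no fix, stale upstream) and pdf-render second with an upgrade target; tax-forms is absent from the feed and so from the list.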

In order for tax companies to stay safe throughout the busy tax prep season, it’s imperative that they focus on proactive cybersecurity measures such as using multi-factor authentication, ensuring regular software updates, enforcing strong encryption protocols, and providing user security education programs.

While all of these measures certainly help, they are futile without a strong, secure software supply chain. Tax prep companies can protect user data year-round by maintaining SBOMs, holding partners accountable, and proactively managing vulnerabilities.
