The IRS is fairly diligent when it comes to warning citizens about IRS-related phishing scams, IRS-related malware, and IRS-related rip-off artists.
What they've needed to be doing, though, is warning us about IRS employees.
Turns out that the carelessness and gullibility of that bunch of nincompoops may represent at least as great a threat to the safety of taxpayers' digital information as the phishers, virus writers and con men.
From an Associated Press report:
IRS employees ignored security rules and turned over sensitive computer information to a caller posing as a technical support person, according to a government study.
Sixty-one of the 102 people who got the test calls, including managers and a contractor, complied with a request that the employee provide his or her user name and temporarily change his or her password to one the caller suggested, according to the Treasury Inspector General for Tax Administration, an office that does oversight of Internal Revenue Service. The caller asked for assistance to correct a computer problem.
As is so often the case with bureaucrats and their minions, it's not as though they fail to try - witness the agency's response to lax laptop encryption and the lengths to which it goes to help taxpayers at the filing deadline - rather, it's just that they're a bunch of screw-ups.
Of the latest embarrassment, Inspector General J. Russell George said: "This is especially disturbing because the IRS has taken many steps to raise employee awareness of the importance of protecting their computers and passwords."
No, it's especially disturbing because these people know all there is to know about our personal finances, yet seem incapable of locking a door.
Sixty-one out of 102? Allow me to take back that bit about them trying.
IRS Computer Security
We've used a simple method to tighten our security here at work: Everyone is required to read "I.T. Wars: Managing the Business-Technology Weave in the New Millennium." We didn't buy a copy for every employee, we bought enough for each department, and circulated them around, with an expected date of completion for each department. That book also tells you how to put Security requirements into job evaluations - believe me, people start paying attention when you RATE them on something in their job eval, and it starts influencing pay raises, promotions, etc. We also made our vendors, contractors, temporary hires, etc. read it too. Every incoming new hire has to read it also. These agencies NEED THIS BOOK!!
IRS Computer security
All IRS employees have to take mandatory IT security courses every year. IRS employees are rated partially on security compliance on their annual reviews. However, employee evals at the IRS are a complete joke thanks to the NTEU. If you don't get the highest ranking and a bonus on your review you simply go to the union to file a grievance and - BAM - it's fixed 99.9% of the time.
you have got to be in
you have got to be in management!
IRS Security
As much as I would like to say it was just an IRS problem, I cannot. I have worked as a government IT Security Tech for almost 15 years. When I started as a tech at an Army Base in Wisconsin, I could go into any office and say I was there to take their computer and fix it. Not once did anyone ever ask me for my ID or call their supervisor or even call my supervisor to verify who I was or where I worked. I have seen the door codes given to the pizza delivery man so the person ordering did not have to get up and open the door. It didn't matter to him that it was a classified work environment. If folks would try to use this little saying it could help quite a bit. "Trust, but verify." We know you are trying to help, but make sure that you are actually helping and not making matters worse. OK, this security geek will get off his soapbox now.