Answers to your tax season questions

The IRS announced it will open the 2024 income tax return filing season on January 29. That’s when the tax agency will begin accepting and processing 2023 tax year returns.

Here are answers to seven tax season questions we receive at this time of year.

1. What are this year’s deadlines?

The filing deadline to submit 2023 returns or file an extension is Monday, April 15, 2024, for most taxpayers. Taxpayers living in Maine or Massachusetts have until April 17, due to state holidays. If taxpayers reside in a federally declared disaster area, they may have additional time to file.

2. When is my return due if I request an extension?

If you’re requesting an extension, you’ll have until October 15, 2024, to file. Keep in mind that an extension of time to file your return doesn’t grant you any extension of time to pay your taxes. You should estimate and pay any taxes owed by the April 15 deadline to avoid penalties.

3. When should I file?

You may want to wait until close to the deadline (or file for an extension), but there are reasons to file earlier. Doing so provides some protection from tax identity theft.

4. What’s tax identity theft and how does early filing help protect me?

Typically, in a tax identity theft scam, a thief uses another person’s information to file a fake tax return and claim a fraudulent refund early in the filing season.

The legitimate taxpayer discovers the fraud when filing a return. He or she is then told by the IRS that the return is being rejected because one with the same Social Security number has already been filed for the tax year. The victim should be able to eventually prove that his or her return is the valid one, but it can be time consuming and frustrating to straighten out. It can also delay a refund.

Filing early provides some proactive defense. The reason: If you file first, the tax return filed by a potential thief will be rejected.

5. Are there other benefits to filing early?

Besides providing protection against tax identity theft, another benefit of early filing is you’ll get any refund sooner. According to the IRS, “most refunds will be issued in less than 21 days.” The time may be shorter if you file electronically and receive a refund by direct deposit into a bank account. Direct deposit also avoids the possibility that a refund check could be lost, stolen, returned to the IRS as undeliverable or caught in mail delays.

6. When will my W-2s and 1099s arrive?

To file your tax return, you’ll need all of your Forms W-2 and 1099. January 31, 2024, is the deadline for employers to file 2023 W-2s and, generally, for businesses to file Form 1099s for recipients of any 2023 interest, dividends or reportable miscellaneous income payments (including those made to independent contractors).

If you haven’t received a W-2 or 1099 by early February, first contact the entity that should have issued it. If that doesn’t work, ask us how to proceed.

7. When can you prepare my return?

Contact us as soon as possible for a tax preparation appointment. Separate penalties apply for failing to file and pay on time — and they can be quite severe. Even though the IRS isn’t beginning to process returns until January 29, they can be prepared before that. We can help ensure you file an accurate, timely return and receive all the tax breaks to which you’re entitled.


Tax-favored Qualified Small Business Corporation status could help you thrive

Operating your small business as a Qualified Small Business Corporation (QSBC) could be a tax-wise idea.

Tax-free treatment for eligible stock gains

QSBCs are the same as garden-variety C corporations for tax and legal purposes — except QSBC shareholders are potentially eligible to exclude from federal income tax 100% of their stock sale gains. That translates into a 0% federal income tax rate on QSBC stock sale profits! However, you must meet several requirements set forth in Section 1202 of the Internal Revenue Code, and not all shares meet the tax-law description of QSBC stock. Finally, there are limitations on the amount of QSBC stock sale gain that you can exclude in any one tax year (but they’re unlikely to apply).

Stock acquisition date is key

The 100% federal income tax gain exclusion is only available for sales of QSBC shares that were acquired on or after September 28, 2010.

If you currently operate as a sole proprietorship, single-member LLC treated as a sole proprietorship, partnership or multi-member LLC treated as a partnership, you’ll have to incorporate the business and issue yourself shares to attain QSBC status.

Important: The act of incorporating a business shouldn’t be taken lightly. We can help you evaluate the pros and cons of taking this step.

Here are some more rules and requirements:

  • Eligibility. The gain exclusion break isn’t available for QSBC shares owned by another C corporation. However, QSBC shares held by individuals, LLCs, partnerships, and S corporations are potentially eligible.
  • Holding period. To be eligible for the 100% stock sale gain exclusion deal, you must hold your QSBC shares for over five years. For shares that haven’t yet been issued, the 100% gain exclusion break will only be available for sales that occur sometime in 2029 or beyond.
  • Acquisition of shares. You must acquire the shares after August 10, 1993, and they generally must be acquired upon original issuance by the corporation or by gift or inheritance.
  • Businesses that aren’t eligible. The corporation must actively conduct a qualified business. Qualified businesses don’t include those rendering services in the fields of health; law; engineering; architecture; accounting; actuarial science; performing arts; consulting; athletics; financial services; brokerage services; businesses where the principal asset is the reputation or skill of employees; banking; insurance; leasing; financing; investing; farming; production or extraction of oil, natural gas, or other minerals for which percentage depletion deductions are allowed; or the operation of a hotel, motel, restaurant, or similar business.
  • Asset limits. The corporation’s gross assets can’t exceed $50 million immediately after your shares are issued. If after the stock is issued, the corporation grows and exceeds the $50 million threshold, it won’t lose its QSBC status for that reason.

2017 law sweetened the deal

The Tax Cuts and Jobs Act made a flat 21% corporate federal income tax rate permanent, assuming no backtracking by Congress. So, if you own shares in a profitable QSBC and you eventually sell them when you’re eligible for the 100% gain exclusion break, the 21% corporate rate could be all the income tax that’s ever owed to Uncle Sam.

Tax incentives drive the decision

Before concluding that you can operate your business as a QSBC, consult with us. We’ve summarized the most important eligibility rules here, but there are more. The 100% federal income tax stock sale gain exclusion break and the flat 21% corporate federal income tax rate are two strong incentives for eligible small businesses to operate as QSBCs.


Account-based marketing can help companies rejoice in ROI

When it comes to marketing, business owners and their leadership teams often assume that they should “cast a wide net.” But should you? If your company is looking to drive business-to-business (B2B) sales, a generalized approach to marketing could leave key customers and optimal prospects feeling like they’re receiving vague messages from a provider that doesn’t really know them. That’s where account-based marketing comes in.

Simply defined, account-based marketing is a strategy under which marketing and sales teams collaboratively focus on targeted high-value accounts. The objective is to create a customized experience for each account that locks in the buyer long-term through deep relationship building and personalized service.

Benefits and risks

The primary potential benefit of a successful account-based marketing campaign is return on investment (ROI). By focusing on customers and prospects most likely to invest substantial dollars in your products or services, you’ll better position yourself to win those odds and bring in substantial revenue. Indeed, the internet abounds with marketing surveys indicating that large percentages of responding B2B companies have gotten a higher ROI from account-based marketing than from other strategies.

Another potential benefit is better aligning marketing with sales. Many businesses struggle with mismatched messaging coming from the marketing and sales departments, respectively. This can lead to customer confusion and internal conflicts. Account-based marketing requires marketing and sales to work together to devise a unified, unique approach to each targeted account.

A third potential benefit is establishing your B2B company as an industry expert. In most industries, when word gets out that a company is successfully marketing directly to certain well-known players, that business’s reputation rises because, clearly, it “speaks the language.”

Of course, account-based marketing has its risks. The biggest one is, as you might’ve guessed, a negative ROI. You’ll need to invest substantial time and resources on each targeted account. If the initiative flounders, the resulting losses can be steep. You may also end up ignoring other customers or prospects. Your business could even hurt its reputation by interacting with a major industry player in a less than flattering way.

3 steps to success

So, how do you avoid those downsides? Here are three general steps to success:

1. Create a framework. Before doing anything, your business will need a broad framework for executing an account-based marketing strategy. A good way to build one is to use a readily available template to map out the process. You’ll also need to form a dedicated account-based marketing team. You might even invest in specialized software to automate everything.

2. Choose your targets. This may be the most important step! You’ve got to pick the customers and prospects that are the best fits for account-based marketing. It’s generally best to start with a short list or even just one or two. Next, meticulously research key details about each business, such as its mission, size, revenue model and spending patterns. Also, identify the specific individuals you’ll need to win over within the target company.

3. Design, execute and analyze. As mentioned, you’ll need to design a customized campaign for each account. Do so with great care, relying on your research and meaningful interactions with contacts at the business in question. From there, be prepared to measure and analyze your results and iterate the campaigns as necessary.

A significant boost

Account-based marketing isn’t feasible for every business. But if you believe that messaging directly to a few key customers or prospects could give your B2B company’s sales a significant boost, it’s worth considering. For help projecting the results of an account-based marketing campaign, or assistance choosing and analyzing metrics for a campaign in progress, contact us.

© 2024


Should your business offer the new emergency savings accounts to employees?

As part of the SECURE 2.0 law, there’s a new benefit option for employees facing emergencies. It’s called a pension-linked emergency savings account (PLESA) and the provision authorizing it became effective for plan years beginning January 1, 2024. The IRS recently released guidance about the accounts (in Notice 2024-22) and the U.S. Department of Labor (DOL) published some frequently asked questions to help employers, plan sponsors, participants and others understand them.

PLESA basics

The DOL defines PLESAs as “short-term savings accounts established and maintained within a defined contribution plan.” Employers with 401(k), 403(b) and 457(b) plans can opt to offer PLESAs to non-highly compensated employees. For 2024, a participant who earned $150,000 or more in 2023 is a highly compensated employee.

Here are some more details of this new type of account:

  • The portion of the account balance attributable to participant contributions can’t exceed $2,500 (or a lower amount determined by the plan sponsor) in 2024. The $2,500 amount will be adjusted for inflation in future years.
  • Employers can offer to enroll eligible participants in these accounts beginning in 2024 or can automatically enroll participants in them.
  • The account can’t have a minimum contribution to open or a minimum account balance.
  • Participants can make a withdrawal at least once per calendar month, and such withdrawals must be distributed “as soon as practicable.”
  • For the first four withdrawals from an account in a plan year, participants can’t be subject to any fees or charges. Subsequent withdrawals may be subject to reasonable fees or charges.
  • Contributions must be held as cash, in an interest-bearing deposit account or in an investment product.
  • If an employee has a PLESA and isn’t highly compensated, but becomes highly compensated as defined under tax law, he or she can’t make further contributions but retains the right to withdraw the balance.
  • Contributions will be made on a Roth basis, meaning they are included in an employee’s taxable income but participants won’t have to pay tax when they make withdrawals.

Proof of an event not necessary

A participant in a PLESA doesn’t need to prove that he or she is experiencing an emergency before making a withdrawal from an account. The DOL states that “withdrawals are made at the discretion of the participant.”

These are just the basic details of PLESAs. Contact us if you have questions about these or other fringe benefits and their tax implications.


IRAs: Build a tax-favored retirement nest egg

Although traditional IRAs and Roth IRAs have been around for decades, the rules involved have changed many times. The Secure 2.0 law, which was enacted at the end of 2022, brought even more changes that made IRAs more advantageous for many taxpayers. What hasn’t changed is that they can help you save for retirement on a tax-favored basis. Here’s an overview of the basic rules and some of the recent changes.

Rules for traditional IRAs

You can make an annual deductible contribution to a traditional IRA if:

  • You (and your spouse) aren’t active participants in employer-sponsored retirement plans, or
  • You (or your spouse) are active participants in an employer plan, and your modified adjusted gross income (MAGI) doesn’t exceed certain levels that vary annually by filing status.

For example, in 2024, if you’re a joint return filer covered by an employer plan, your deductible IRA contribution phases out over $123,000 to $143,000 of MAGI ($77,000 to $87,000 for singles).

Deductible IRA contributions reduce your current tax bill, and earnings are tax deferred. However, withdrawals are taxed in full (and subject to a 10% penalty if taken before age 59½, unless one of several exceptions applies). Under the SECURE 2.0 law, you must now begin making minimum withdrawals by April 1 of the year following the year you turn age 73 (the age was 72 before 2023 and 70½ before 2020).

You can make an annual nondeductible IRA contribution without regard to employer plan coverage and your MAGI. The earnings in a nondeductible IRA are tax-deferred but taxed when distributed (and subject to a 10% penalty if taken early, unless an exception applies).

Nondeductible contributions aren’t taxed when withdrawn. If you’ve made deductible and nondeductible IRA contributions, a portion of each distribution is treated as coming from nontaxable IRA contributions (and the rest is taxed).

Amount you can sock away

The maximum annual IRA contribution (deductible or nondeductible, or a combination) is $7,000 for 2024 (up from $6,500 for 2023). If you are age 50 or over, you can make a $1,000 “catch-up contribution” for 2024 (unchanged from 2023). Additionally, your contribution can’t exceed the amount of your compensation includible in income for that year.

Rules for Roth IRAs

You can make an annual contribution to a Roth IRA if your income doesn’t exceed certain levels based on filing status. For example, in 2024, if you’re a joint return filer, the maximum annual Roth IRA contribution phases out over $230,000 to $240,000 of MAGI ($146,000 to $161,000 for singles). Annual Roth contributions can be made up to the amount allowed as a contribution to a traditional IRA, reduced by the amount you contribute for the year to non-Roth IRAs, but not reduced by contributions to a SEP or SIMPLE plan.

Roth IRA contributions aren’t deductible. However, earnings are tax-deferred and (unlike a traditional IRA) withdrawals are tax-free if paid out:

  • After a five-year period that begins with the first year for which you made a contribution to a Roth IRA, and
  • Once you reach age 59½, or upon death or disability, or for first-time home-buyer expenses of you, your spouse, child, grandchild, or ancestor (up to a $10,000 lifetime limit).

You don’t have to take required minimum distributions from a Roth IRA. You can “roll over” (or convert) a traditional IRA to a Roth IRA regardless of your income. The amount taken out of the traditional IRA and rolled into the Roth IRA is treated for tax purposes as a regular withdrawal (but not subject to the 10% early withdrawal penalty).

There’s currently no age limit for making regular contributions to a traditional or Roth IRA, as long as you have compensation income. Contact us if you have questions about IRAs.


Facing a future emergency? Two new tax provisions may soon provide relief

Perhaps you’ve been in this situation before: You have a financial emergency and need to get your hands on some cash. You consider taking money out of a traditional IRA or 401(k) account but if you’re under age 59½, such distributions are not only taxable but also are generally subject to a 10% penalty tax.

There are exceptions to the 10% early withdrawal penalty, but they don’t cover many types of emergencies.

Good news: Beginning in 2024, there will be new relief for some taxpayers facing emergencies. The SECURE 2.0 law, which was enacted late last year, contains two different relevant provisions:

1. Pension-linked emergency savings accounts. Employers with 401(k), 403(b) and 457(b) plans can opt to offer these emergency savings accounts to non-highly compensated employees. For 2024, a participant who earned $150,000 or more in 2023 is a highly compensated employee. Here are some more details of this new type of account:

  • Contributions to the accounts will be limited to up to $2,500 a year (or a lower amount determined by the plan sponsor).
  • The accounts can’t have a minimum contribution or account balance requirement.
  • Employers can offer to enroll eligible participants in these accounts beginning in 2024 or can automatically enroll participants in them.
  • Participants can make a withdrawal at least once per calendar month and such withdrawals must be made “as soon as practicable.”
  • For the first four withdrawals from an account in a plan year, participants can’t be subject to any fees or charges. Subsequent withdrawals may be subject to reasonable fees or charges.
  • Contributions must be held as cash, in an interest-bearing deposit account or in an investment product.
  • If an employee has a pension-linked emergency savings account and is not highly compensated, but becomes highly compensated as defined under tax law, he or she can’t make further contributions but retains the right to withdraw the balance.
  • Contributions will be made on a Roth basis, meaning they are included in an employee’s taxable income but participants won’t have to pay tax when they make withdrawals.

2. Penalty-free withdrawals for emergency expenses. This new provision is another way to get money for emergencies. As mentioned earlier, taking a distribution from an IRA or 401(k) before age 59½ generally results in a 10% penalty tax unless an exception exists. SECURE 2.0 adds a new exception for certain distributions used for emergency expenses, which are defined as “unforeseeable or immediate financial needs relating to personal or family” emergencies.

Only one distribution of up to $1,000 is permitted a year, and a taxpayer has the option to repay the distribution within three years. This provision is effective for distributions made beginning in 2024.

Guidance likely coming soon

These are just the basic details of the two new emergency-related provisions. Other rules apply and the IRS will need to issue guidance to address certain details. Contact us if you have questions or need cash and want to explore the most tax-efficient ways to tap one of your accounts.


What businesses can expect from a DOL benefits plan audit

All but the smallest businesses today are generally expected to offer employees “big picture” benefits such as health insurance and a retirement plan. Among the risks of doing so is that many popular plan types must comply with the Employee Retirement Income Security Act (ERISA). That means lots of rules and much documentation.

No matter how careful your company is with ERISA compliance, it could receive a request from the U.S. Department of Labor (DOL) for plan-related documents. Such a request usually initiates a DOL civil investigation — commonly referred to as a “plan audit.”

The first rule of the day is: Don’t panic! The second is to respond in a timely fashion. Here are the basic steps that a DOL plan audit will usually take:

Initial document request. Generally, a plan sponsor learns of an audit when it receives a letter or phone call from the DOL’s Employee Benefits Security Administration (EBSA) advising those responsible for the plan — typically referred to as “plan officials” — of the investigation and requesting a detailed list of documents. The investigation may be general in nature or target a specific issue.

On-site review and interviews. The investigator may arrange to visit the plan sponsor’s offices and could request additional documents for review during the visit, such as payroll and claims processing records. Often, the investigator will also interview plan officials.

Investigation findings. If the investigator finds no ERISA violations, EBSA will send a closing letter stating that the investigation is complete, and no further action is contemplated. If the investigator does find violations, EBSA will issue a voluntary compliance notice letter identifying the violations and inviting plan officials to voluntarily make corrections.

Corrections and settlement. Whenever possible, EBSA seeks voluntary compliance through full corrections of identified violations and restoration of plan losses. After negotiating corrective actions with plan officials, the agency issues a detailed settlement agreement.

A typical agreement requires evidence of corrections and provides that, if EBSA determines that the agreement’s terms have been fulfilled, no further enforcement action will be taken regarding the specified violations. When voluntary compliance isn’t achieved, EBSA may refer a case to DOL attorneys for litigation. Some situations are inappropriate for voluntary correction — such as those involving fraud, criminal misconduct, or severe or repeated fiduciary violations.

Fiduciary violations. ERISA imposes a mandatory 20% penalty on any amounts recovered from a fiduciary or other person for a fiduciary breach, including amounts recovered under a settlement agreement. Generally, EBSA assesses the penalty in a separate letter, though the penalty may be addressed in the settlement agreement.

Closing letter following corrections. After EBSA confirms that corrective action has been completed and any penalties have been paid, it will send a closing letter indicating that compliance was achieved.

The steps described above could be completed in a matter of weeks or take a year or more. It all depends on factors such as complexity of plan design, issues identified in the investigation and number of potential violations. The availability of documents and individuals for interviews, as well as how cooperative your company’s plan officials are with EBSA, will also affect the duration and severity of the investigation.

Again, if your business receives notification about a DOL plan audit, address the inquiry immediately. Failure to provide requested documents to EBSA can lead to a penalty assessment. A prompt and cordial response, on the other hand, can establish a positive rapport with the investigator.

Above all, obtain the assistance of experienced advisors and legal counsel. Contact us for further information, as well as for support throughout the audit process.


New per diem business travel rates kicked in on October 1

Are employees at your business traveling and frustrated about documenting expenses? Or perhaps you’re annoyed at the time and energy that goes into reviewing business travel expenses. There may be a way to simplify the reimbursement of these expenses. In Notice 2023-68, the IRS announced the fiscal 2024 special “per diem” rates that became effective October 1, 2023. Taxpayers can use these rates to substantiate the amount of expenses for lodging, meals and incidentals when traveling away from home. (Taxpayers in the transportation industry can use a special transportation industry rate.)

Basics of the method

A simplified alternative to tracking actual business travel expenses is to use the “high-low” per diem method. This method provides fixed travel per diems. The amounts, provided by the IRS, vary from locality to locality.

Under the high-low method, the IRS establishes an annual flat rate for certain areas with higher costs of living. All locations within the continental United States that aren’t listed as “high-cost” are automatically considered “low-cost.” The high-low method may be used in lieu of the specific per diem rates for business destinations. Examples of high-cost areas include Boston and San Francisco. Other locations, such as resort areas, are considered high-cost during only part of the year.

Under some circumstances — for example, if an employer provides lodging or pays the hotel directly — employees may receive a per diem reimbursement only for their meals and incidental expenses. There’s also a $5 incidental-expenses-only rate for employees who don’t pay or incur meal expenses for a calendar day (or partial day) of travel.

Reduced recordkeeping

If your company uses per diem rates, employees don’t have to meet the usual recordkeeping rules required by the IRS. Receipts of expenses generally aren’t required under the per diem method. But employees still must substantiate the time, place and business purpose of the travel. Per diem reimbursements generally aren’t subject to income or payroll tax withholding or reported on an employee’s Form W-2.

The FY2024 rates

For travel after September 30, 2023, the per diem rate for all high-cost areas within the continental United States is $309. This consists of $235 for lodging and $74 for meals and incidental expenses. For all other areas within the continental United States, the per diem rate is $214 for travel after September 30, 2023 ($150 for lodging and $64 for meals and incidental expenses). Compared to the FY2023 per diems, the high-cost area per diem increased $12, and the low-cost area per diem increased $10.

Important: This method is subject to various rules and restrictions. For example, companies that use the high-low method for an employee must continue using it for all reimbursement of business travel expenses within the continental United States during the calendar year. However, the company may use any permissible method to reimburse that employee for any travel outside the continental United States.

For travel during the last three months of a calendar year, employers must continue to use the same method (per diem or high-low method) for an employee as they used during the first nine months of the calendar year. Also, note that per diem rates can’t be paid to individuals who own 10% or more of the business.

If your employees are traveling, it may be a good time to review the rates and consider switching to the high-low method. It can reduce the time and frustration associated with traditional travel reimbursement. Contact us for more information or read IRS Notice 2023-68.


Contributing to your employer’s 401(k) plan: How it works

If you’re fortunate to have an employer that offers a 401(k) plan, and you don’t contribute to it, you may wonder if you should participate. In general, it’s a great tax and retirement saving deal! These plans help an employee accumulate a retirement nest egg on a tax-advantaged basis. If you’re thinking about contributing to a plan at work, here are some of the advantages.

With a 401(k) plan, you can opt to set aside a certain amount of your wages in a qualified retirement plan. By electing to set cash aside in a 401(k) plan, you’ll reduce your gross income and defer tax on the amount until the cash (adjusted by earnings) is distributed to you in the future. It will either be distributed from the plan or from an IRA or other plan that you roll your proceeds into after leaving your job.

Tax benefits

Your wages or other compensation will be reduced by the pre-tax contributions that you make, which will save you current income taxes. But the amounts will still be subject to Social Security and Medicare taxes. If your employer’s plan allows, you may instead make all, or some, contributions on an after-tax basis. These are Roth 401(k) contributions. With Roth 401(k) contributions, the amounts will be subject to current income taxation, but if you leave these funds in the plan for a required time, distributions (including earnings) will be tax-free.

Your elective contributions — either pre-tax or after-tax — are subject to annual IRS limits. In 2023, the maximum amount permitted is $22,500. When you reach age 50, if your employer’s plan allows, you can make additional “catch-up” contributions. In 2023, that additional amount is up to $7,500. So if you’re 50 or older, the total that you can contribute to all 401(k) plans in 2023 is $30,000. Total employer contributions, including your elective deferrals (but not catch-up contributions), can’t exceed 100% of compensation or, for 2023, $66,000, whichever is less.

In a typical plan, you’re permitted to invest the amount of your contributions (and any employer matching or other contributions) among available investment options that your employer has selected. Periodically review your plan investment performance to determine that each investment remains appropriate for your retirement planning goals and your risk specifications.

Taking withdrawals

Another important characteristic of these plans is the limitation on withdrawals while you’re working. Amounts in the plan attributable to elective contributions aren’t available to you before one of the following events:

  • Retirement (or other separation from service),
  • Reaching age 59½,
  • Disability,
  • Plan termination, or
  • Hardship.

Eligibility rules for a hardship withdrawal are strict. A hardship distribution must be necessary to help deal with an immediate and heavy financial need.

As an alternative to taking a hardship or other plan withdrawal while employed, your employer’s plan may allow you to receive a loan, which you pay back to your account with interest.

Matching contributions

Employers may opt to match 401(k) contributions up to a certain amount. Although matching is not required, surveys show that most employers offer some type of match. If your employer matches contributions, you should make sure to contribute enough to receive the full amount. Otherwise, you’ll lose out on free money!

These are just the basics of 401(k) plans for employees. For more information, contact your employer. Of course, we can answer any tax questions you may have.


Businesses: Know who your privileged users are … and aren’t

Given the pervasiveness of technology in the business world today, most companies are sitting on treasure troves of sensitive data that could be stolen, exploited, corrupted or destroyed. Of course, there’s the clear and present danger of external parties hacking into your network to do it harm. But there are also internal risks — namely, your “privileged users.”

Simply defined, privileged users are people with elevated cybersecurity access to your business’s enterprise systems and sensitive data. They typically include members of the IT department, who need to be able to reach every nook and cranny of your network to install upgrades and fix problems. However, privileged users also may include those in leadership positions, accounting and financial staff, and even independent contractors brought in to help you with technology-related issues.

What could go wrong?

Assuming your company follows a careful hiring process, most of your privileged users are likely hardworking employees who take their cybersecurity clearances seriously.

Unfortunately, sometimes disgruntled or unethical employees or contractors use their access to perpetrate fraud, intellectual property theft or sabotage. And they don’t always act alone. Third parties, such as competitors, could try to recruit privileged users to steal trade secrets. Or employees could collude with hackers to compromise a company’s network in a ransomware scheme.

How can you protect yourself?

To best protect your business, you may want to implement a formal privileged user policy. This is essentially a set of rules and procedures governing who gets to be a privileged user, precisely what kind of access each such user is allowed, and how your company tracks and revokes privileged-user status.

When developing and enforcing the policy, you’ll first need to identify who your privileged users are and what specific security clearances each one needs. A good way to start is to list the privileges required for every position and then compare that list to a separate record of privileges that each employee currently has. What makes sense? What doesn’t? When in doubt whether someone needs a certain type of access, it’s generally best to err on the side of not granting it.
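The comparison just described (privileges required per position versus privileges each account actually holds) is easy to automate once both lists exist. The following is an added example written for this article, not code from the newsletter or any product; the role definitions, account records and privilege names are constructed sample data. It also answers the closing question of who counts as a privileged user by listing every account that holds an administrative-level privilege, and it flags deactivated accounts that still hold privileges.

```python
"""Compare the privileges each account actually holds against the privileges
its position requires, and list which accounts count as privileged users.

Added example, not code from the newsletter. Role definitions, account
records and privilege names are constructed sample data; in practice the
first comes from the written policy and the second from an export of the
access-control system.
"""
from dataclasses import dataclass

# Privileges required for each position (constructed).
ROLE_REQUIRED = {
    "accounts_payable": {"erp.read", "erp.post_invoice"},
    "sales_rep": {"crm.read_own_region"},
    "sysadmin": {"erp.read", "erp.admin", "crm.admin", "os.root"},
    "contractor_it": {"os.root"},
}

# Privileges that make an account a "privileged user" under the policy (constructed).
PRIVILEGED = {"erp.admin", "crm.admin", "os.root"}

# What each account currently holds, as exported from the access system (constructed).
CURRENT_GRANTS = {
    "alice": {"role": "accounts_payable", "active": True,
              "privs": {"erp.read", "erp.post_invoice", "erp.admin"}},
    "bob": {"role": "sales_rep", "active": True,
            "privs": {"crm.read_own_region", "crm.export_all"}},
    "carol": {"role": "sysadmin", "active": True,
              "privs": {"erp.read", "erp.admin", "crm.admin", "os.root"}},
    "dave": {"role": "contractor_it", "active": False,  # engagement ended
             "privs": {"os.root", "erp.admin"}},
}


@dataclass
class Finding:
    account: str
    role: str
    excess: frozenset          # held but not required by the role
    missing: frozenset         # required by the role but not held
    dormant_with_privs: bool   # deactivated account that still holds privileges


def reconcile(roles, grants):
    """Return one Finding per account whose grants differ from its role's needs."""
    findings = []
    for account, rec in sorted(grants.items()):
        required = roles.get(rec["role"], set())
        held = set(rec["privs"])
        excess = frozenset(held - required)
        missing = frozenset(required - held)
        dormant = (not rec["active"]) and bool(held)
        if excess or missing or dormant:
            findings.append(Finding(account, rec["role"], excess, missing, dormant))
    return findings


def privileged_accounts(grants, privileged=PRIVILEGED):
    """Accounts that hold at least one privilege from the privileged set."""
    return sorted(a for a, rec in grants.items() if set(rec["privs"]) & privileged)


if __name__ == "__main__":
    print("Privileged users:", ", ".join(privileged_accounts(CURRENT_GRANTS)))
    for f in reconcile(ROLE_REQUIRED, CURRENT_GRANTS):
        note = " [DEACTIVATED ACCOUNT STILL HOLDS PRIVILEGES]" if f.dormant_with_privs else ""
        print(f"{f.account} ({f.role}): excess={sorted(f.excess)} "
              f"missing={sorted(f.missing)}{note}")
```

Run as written, the report shows that alice holds an administrative privilege her position doesn’t call for, bob can export data beyond his own region, and dave’s account is deactivated yet still carries root and ERP admin rights; carol’s grants match her role exactly. Each line in the excess column is a question for the relevant manager, and each deactivated account with privileges is a revocation that was missed.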

Also, establish an “upgrading” process under the policy. Only trusted and qualified managers or supervisors should have the power to upgrade or reinstate an employee’s privileges, perhaps in consultation with the leadership team. Use technology to help standardize and track requests and approvals. For sensitive systems and applications, such as those that store customer and financial data, consider requiring two levels of approval to elevate a user’s privileges.

In addition, your privileged user policy should include stipulations to carefully monitor user activity. Observe and track how employees use their privileges. Let’s say a salesperson repeatedly accesses customer data for a region that the person isn’t responsible for. Have the sales manager inquire why. Subtly reminding employees that the company is aware of their tech-related activities is a good way to help deter fraud and unethical behavior.

Another important aspect of the policy is how you revoke privileges and remove dormant accounts. When employees leave the company, or independent contractors end their engagements, privileged access should be revoked immediately. Keep clear records of such actions. If a previously deactivated account somehow shows signs of activity, block access right away and investigate how and why it’s come back to life.
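The two monitoring situations above (a salesperson repeatedly reading customer data for someone else’s region, and a deactivated account showing signs of activity) can both be checked from an access log. The following is an added example written for this article, not code from the newsletter or any product; the log line format, account records and the repeat threshold are constructed for illustration, and real systems log in their own formats.

```python
"""Review privileged-user activity in an access log for two policy signals:
repeated access to data outside a user's area of responsibility, and any
activity on an account that has been deactivated.

Added example, not code from the newsletter. The log format, account records
and thresholds below are constructed for illustration; real logs differ.
"""
import re
from collections import Counter

# Constructed log lines, one access event per line.
SAMPLE_LOG = """\
2024-02-05T09:12:44Z user=bob app=crm action=read region=east
2024-02-05T09:13:01Z user=bob app=crm action=read region=west
2024-02-05T09:13:20Z user=bob app=crm action=read region=west
this line is malformed and should be skipped
2024-02-05T09:14:02Z user=bob app=crm action=read region=west
2024-02-05T09:15:00Z user=carol app=erp action=admin region=-
2024-02-05T23:41:10Z user=dave app=erp action=login region=-
2024-02-05T23:41:30Z user=dave app=erp action=read region=west
"""

# Constructed account records: whether the account is active, and which regions
# the person is responsible for (None = no regional restriction, e.g. IT staff).
ACCOUNTS = {
    "bob": {"active": True, "regions": {"east"}},
    "carol": {"active": True, "regions": None},
    "dave": {"active": False, "regions": None},  # contractor, offboarded
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) region=(?P<region>\S+)$"
)


def parse_line(line):
    """Return the event as a dict, or None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, accounts, repeat_threshold=3):
    """Return a list of alerts; each is a dict with severity, user, reason, count."""
    out_of_region = Counter()      # (user, region) -> number of accesses
    disabled_activity = Counter()  # user -> events on a deactivated account
    unknown_activity = Counter()   # user -> events from an account not on the register
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        acct = accounts.get(ev["user"])
        if acct is None:
            unknown_activity[ev["user"]] += 1
            continue
        if not acct["active"]:
            disabled_activity[ev["user"]] += 1
            continue
        regions = acct["regions"]
        if regions is not None and ev["region"] != "-" and ev["region"] not in regions:
            out_of_region[(ev["user"], ev["region"])] += 1

    alerts = []
    for user, n in disabled_activity.items():
        alerts.append({"severity": "high", "user": user, "count": n,
                       "reason": "activity on a deactivated account; block and investigate"})
    for user, n in unknown_activity.items():
        alerts.append({"severity": "high", "user": user, "count": n,
                       "reason": "activity from an account missing from the user register"})
    for (user, region), n in out_of_region.items():
        if n >= repeat_threshold:  # a single stray lookup is not "repeatedly"
            alerts.append({"severity": "medium", "user": user, "count": n,
                           "reason": f"repeated access to {region} region data outside "
                                     f"assigned area; have the manager inquire"})
    order = {"high": 0, "medium": 1}
    alerts.sort(key=lambda a: (order[a["severity"]], a["user"]))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines(), ACCOUNTS):
        print(f"[{a['severity']}] {a['user']}: {a['reason']} ({a['count']} events)")
```

On the sample data this raises a high-severity alert for dave, whose deactivated account logged in and read records, and a medium-severity alert for bob, who read west-region customer data three times while being responsible only for the east; carol’s administrative activity produces nothing because her role has no regional restriction. The malformed line is skipped rather than crashing the review, which matters when logs are pulled from several systems.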

Do you know?

Every business should be able to definitively say who is a privileged user and who isn’t. If there’s any gray area or uncertainty regarding current or former employees or other workers, the security of your data could be severely compromised. And the ramifications, both financially and for your company’s reputation, are potentially very serious.