IRS computer security really sucks

Computer security at the Internal Revenue Service might be most appropriately described as Swiss cheese, according to a Treasury Inspector General for Tax Administration report (PDF).

The report found that most IRS employees used e-mail inappropriately, putting the organization at risk of computer viruses and other malware; that every one of the authorized e-mail servers examined, out of 228 in total, contained security vulnerabilities; and that 4,913 additional unauthorized e-mail servers were found on the IRS internal networks.

The report found that IRS employees were regularly violating the personal use policy, forwarding chain letters, sexually explicit jokes and other inappropriate e-mail messages. “Specifically, we found inappropriate email messages in 74 percent of the employee mailboxes reviewed,” the report said. “Opening these types of emails can activate [a] computer virus, which in turn could destroy data on computers, enable the hacker to gain unauthorized access to the computer and any sensitive information stored on the computer, and disrupt email and computer operations.”

While the IRS has a policy on this type of e-mail message, it does not effectively enforce the policy, the report said. And while the IRS has conducted training and awareness sessions on the proper use of e-mail, improper use continues. Apparently IRS employees have better things to do than collect taxes.

Auditors examined 28 of the 228 authorized e-mail servers and found that all of them contained security vulnerabilities, 687 vulnerabilities in all. They also checked 30 of the 4,913 unauthorized servers and found security problems on all of them, 363 in total.

“The majority of the security vulnerabilities on the email servers cited above occurred because system administrators had not installed current security patches to the email servers,” the report said. That’s right, system administrators aren’t doing their jobs.

The report recommended that the IRS monitor e-mail usage and that system administrators patch authorized e-mail servers and remove unauthorized ones. IRS management agreed with the recommendations, but it hasn’t yet figured out how to effectively stop people from forwarding jokes, chain letters and funny pictures to each other, or how to get them to take security seriously.

One thought on "IRS computer security really sucks"

  • April 3, 2007 at 8:13 am

    Want to get them to follow the security policy? Start firing those who don’t–the ones that are still there will start to get the message.

