Preferred Provider Coaxis

Eight steps to protect your firm from being hacked

Financial firms face serious hacking threats in the era of COVID-19 and beyond. That was the dire warning to lawmakers on the House Financial Services subcommittee in June 2020 after the coronavirus pandemic was connected to a 238% surge in cyberattacks against banks. The increased threat was confirmed by a recent survey of 25 chief information security officers (CISOs) from leading financial institutions, with 80% reporting an increase in cyberattacks over the past 12 months.

The following 2020 cybersecurity statistics from Fintech News reveal the scope of the threat: 

  • 630% rise in cloud-based attacks between January and April  
  • 600% increase in phishing attempts since the end of February 
  • 80% of hacking breaches involve brute force or stolen credentials 
  • 75% of cyberattacks start with an email 
  • 67% of data breaches resulted from credential theft, human error or social attacks 

The steady growth of mobile device use for work, cloud-based data storage and services, and digital payment systems, plus more people working from home, means cybercriminals have an ever-expanding range of opportunities to exploit, explained Jonah Force Hill, a cyber policy expert and executive director of the FBI’s new Cyber Investigations Advisory Board created in September to fight cyber-enabled fraud. “Every organization – providers of financial services, in particular – must remain vigilant in the face of these evolving threats.”

So, how can you protect your firm against today’s cyber threats? Here are eight steps to mitigate the risks: 

1. Password policy and controls

Much like employees need an office key or access card to enter your physical space, a proper password policy and procedures must be in place to prevent unauthorized access to your digital space. A password policy should include the following:

  • Use complex passwords.
  • Set a minimum password length.
  • Require regular password resets and send reminders to your employees.
  • Restrict password reuse.

To make your firm even less vulnerable to hacking, add multi-step authentication to accounts that require a password.
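The policy items above can be enforced in code rather than left to memory. The following is an added example, not Coaxis code: a small checker that applies a minimum length, a complexity rule, a reuse restriction against a history of salted hashes, and a reset interval. The specific values (12 characters, 90 days, a history of 5) are assumptions chosen for illustration; set them to your firm's own policy.

```python
"""Password policy checker (added example, not Coaxis code).

Enforces the policy items named in the article: minimum length, complexity,
restricted reuse and periodic resets. Old passwords are kept only as salted
PBKDF2 hashes, so the reuse check never needs the old plaintexts.
"""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 12                  # assumed policy value
MAX_AGE = timedelta(days=90)     # assumed reset interval
HISTORY_SIZE = 5                 # assumed: the last 5 passwords may not be reused


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def is_complex(password: str) -> List[str]:
    """Return the complexity rules the password fails (empty list = it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    return failures


class PasswordRecord:
    """One user's password history (salt, digest pairs) and last-change date."""

    def __init__(self) -> None:
        self.history: List[Tuple[bytes, bytes]] = []   # newest last
        self.changed: Optional[datetime] = None

    def was_used(self, password: str) -> bool:
        """True if the candidate matches any of the last HISTORY_SIZE hashes."""
        return any(
            hmac.compare_digest(hash_password(password, salt)[1], digest)
            for salt, digest in self.history[-HISTORY_SIZE:]
        )

    def set_password(self, password: str, now: datetime) -> List[str]:
        """Apply the policy; store the new hash only if every rule passes."""
        problems = is_complex(password)
        if self.was_used(password):
            problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
        if not problems:
            self.history.append(hash_password(password))
            self.changed = now
        return problems

    def reset_due(self, now: datetime) -> bool:
        """True when the password is older than MAX_AGE (or was never set)."""
        return self.changed is None or now - self.changed > MAX_AGE


if __name__ == "__main__":
    rec = PasswordRecord()
    print(rec.set_password("weak", datetime(2020, 10, 1)))              # failures listed
    print(rec.set_password("Tr0ub4dor&3xample!", datetime(2020, 10, 1)))  # []
```

`reset_due` is the hook for the reminder e-mails the policy calls for: run it over every account on a schedule and notify those for which it returns true.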

2. Avoid installing bundled freeware

Some companies bundle a program download with an offer to install an unwanted application, in some cases without providing a clear way to opt out. Known as potentially unwanted programs (PUPs), these include adware that displays intrusive advertising and spyware that tracks the user's internet usage to sell the information to advertisers. The U.S. Department of Homeland Security warns that these unwanted programs make computers vulnerable to serious cyberattacks. If you want a particular program, security experts recommend downloading the latest version from the program’s official website.

3. Be careful about what you download

The same caution applies to downloading Word documents, PDFs, photos and other files. Make sure you have updated antivirus software and an effective firewall running before you start downloading. Only use trusted download websites, rather than peer-to-peer systems, to obtain programs. If you must use file-sharing software, consider paying for the premium version that is not funded by advertising to reduce the risk of adware being installed. 
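Two checks a firm can run on any download before it is opened or installed, as an added example that is not Coaxis code: compare the file's SHA-256 against the checksum the vendor publishes on its official site, and confirm that the file's leading bytes match what its extension claims, so a "report.pdf" that is really a Windows executable is caught. The sample files and the published checksum are constructed here; the magic-number table covers a few common formats and can be extended.

```python
"""Vet a downloaded file before opening it (added example, not Coaxis code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# Leading bytes that identify common download types (well-known magic numbers).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",    # Office Open XML documents are zip containers
    ".exe": b"MZ",
}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of the whole file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def checksum_matches(path: Path, published: str) -> bool:
    """Compare against the vendor-published checksum (case and whitespace tolerant)."""
    return sha256_of(path).lower() == published.strip().lower()


def type_mismatch(path: Path) -> Optional[str]:
    """Describe the problem if the content does not match the extension, else None."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return None            # no rule for this extension
    with path.open("rb") as f:
        head = f.read(max(len(m) for m in MAGIC.values()))
    if head.startswith(expected):
        return None
    looks_like = next((ext for ext, m in MAGIC.items() if head.startswith(m)), "an unknown type")
    return f"{path.name}: extension says {path.suffix} but content looks like {looks_like}"


def vet_download(path: Path, published_sha256: str) -> List[str]:
    """Return every problem found; an empty list means both checks passed."""
    problems = []
    if not checksum_matches(path, published_sha256):
        problems.append(f"{path.name}: SHA-256 does not match the published checksum")
    mismatch = type_mismatch(path)
    if mismatch:
        problems.append(mismatch)
    return problems


def build_samples(directory: Path) -> Tuple[Path, Path]:
    """Write two constructed files: a genuine-looking PDF and an executable renamed to .pdf."""
    good = directory / "report.pdf"
    good.write_bytes(b"%PDF-1.4 constructed sample document\n")
    fake = directory / "invoice.pdf"
    fake.write_bytes(b"MZ\x90\x00 constructed stand-in, not a real executable\n")
    return good, fake


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        good, fake = build_samples(Path(tmp))
        print(vet_download(good, sha256_of(good)))   # [] : checksum and type both fine
        print(vet_download(fake, "0" * 64))          # two problems reported
```

In practice the published checksum is copied from the vendor's official download page, never from the same place the file came from; the magic-number check is what catches the renamed executable even when no checksum is available.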

4. Be cautious about clicking on unfamiliar links

Newsweek reported that more than 50% of people will click on an unknown link out of curiosity. Don’t be that person. Clicking on unknown links in emails (a cyber-scam known as “phishing”) or on unfamiliar websites can put you at risk of downloading ransomware that infects and restricts access to your computer, or malware that allows cybercriminals to retrieve your passwords, access your files, and even switch off your antivirus software.

5. Use HTTPS on all websites

A website whose URL begins with “HTTPS” instead of “HTTP” is safer and more secure because it uses a widely adopted encryption protocol to ensure privacy and data security for communications over the Internet. Think “S” = Secure. Considered standard practice for most websites today, it is also easily identifiable by the padlock icon in the browser.
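Steps 4 and 5 both come down to looking at where a link really goes before clicking. As an added example that is not Coaxis code, the script below pulls every link out of a constructed HTML email and flags the patterns a reviewer would want surfaced: a destination that is plain HTTP rather than HTTPS, a destination that is a raw IP address, a punycode (xn--) hostname, and a visible link text that names a different site than the actual destination. All hostnames in the sample are constructed; the registrable-domain comparison is deliberately simple (last two labels) and is an approximation.

```python
"""Flag suspicious links in an email body (added example, not Coaxis code)."""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; bare 'www.site' strings are accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host: str) -> str:
    """Crude last-two-labels comparison (an approximation, not a public-suffix lookup)."""
    return ".".join(host.split(".")[-2:])


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def inspect_links(html: str) -> List[str]:
    """Return one finding per suspicious property of each link."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if urlparse(href).scheme.lower() == "http":
            findings.append(f"{href}: not HTTPS, traffic would be sent in the clear")
        if is_ip(host):
            findings.append(f"{href}: destination is a raw IP address")
        if host.startswith("xn--") or ".xn--" in host:
            findings.append(f"{href}: punycode hostname")
        # If the visible text looks like a URL or domain, compare it with the real target.
        if re.match(r"^(https?://)?[\w.-]+\.\w+", text):
            shown = host_of(text.split()[0])
            if shown and registrable(shown) != registrable(host):
                findings.append(f"{href}: displayed as {shown} but goes to {host}")
    return findings


# Constructed sample message; every hostname is fictional.
SAMPLE_EMAIL = """<p>Your statement is ready.</p>
<a href="https://portal.example-bank.test/login">https://portal.example-bank.test/login</a>
<a href="http://203.0.113.7/update">Update your details</a>
<a href="https://example-bank.test.evil.test/verify">www.example-bank.test</a>
<a href="https://xn--exmple-bank-test.test/">Secure portal</a>
"""

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_EMAIL):
        print(finding)
```

The first link in the sample produces no finding: it is HTTPS and the visible text matches the destination. The remaining three produce four findings between them, which is the kind of output a mail gateway or a help-desk triage script can attach to a message before a user decides whether to click.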

6. Educate, educate, educate

Employees are the weakest link when it comes to cybersecurity. You can have the best IT infrastructure in the world, but your firm is still vulnerable if an employee neglects to follow the rules and inadvertently clicks on a malicious link or responds to a fraudulent email.

When it comes to education, the American Institute of Certified Public Accountants (AICPA) says, “Proactive and ongoing security training to protect client data should be part of the firm’s annual CPE curriculum. In addition to providing an annual update on IT policies, all employees should be educated on current threats including ransomware, phishing and other social engineering examples designed to make employees download malware that compromises the firm’s security or inadvertently give out sensitive information.” 

7. Back up your data offsite

This is an important component of any business continuity and disaster recovery plan. What happens to your data in the event of a ransomware attack or a natural disaster such as a hurricane or fire? A fully managed cloud hosting service is an ideal solution: it provides a secure, reliable and remote connection to your IT infrastructure and data, and it brings the peace of mind of knowing that damage to your company’s office or another cyber disruption will not affect access to your protected data or your employees’ ability to do their jobs.
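Whoever holds the offsite copy, a backup is only useful if it can be shown to be intact before the day it is needed. As an added example that is neither Coaxis code nor a description of its hosting service, the script below copies a set of constructed client files into a dated backup folder (standing in for the offsite location), records a SHA-256 for every file in a manifest, and then verifies the copy by re-hashing each file, so a missing file or one overwritten by ransomware is reported. All paths and file contents are constructed.

```python
"""Dated backup with an integrity manifest and a verification pass
(added example, not Coaxis code)."""
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of the whole file."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def make_backup(source: Path, offsite: Path, when: date) -> Path:
    """Copy `source` to offsite/<date> and write a manifest of per-file hashes."""
    dest = offsite / when.isoformat()
    shutil.copytree(source, dest)
    manifest: Dict[str, str] = {
        p.relative_to(dest).as_posix(): sha256_of(p)
        for p in dest.rglob("*") if p.is_file()
    }
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return dest


def verify_backup(backup: Path) -> List[str]:
    """Re-hash every file listed in the manifest; return what is missing or changed."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    problems = []
    for rel, digest in manifest.items():
        f = backup / rel
        if not f.exists():
            problems.append(f"missing: {rel}")
        elif sha256_of(f) != digest:
            problems.append(f"modified: {rel}")
    return problems


def build_sample_source(root: Path) -> Path:
    """Create a small constructed client-file tree to back up."""
    src = root / "clients"
    (src / "acme").mkdir(parents=True)
    (src / "acme" / "2019-return.txt").write_text("constructed sample client file\n")
    (src / "notes.txt").write_text("constructed notes\n")
    return src


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = make_backup(build_sample_source(root), root / "offsite", date(2020, 10, 1))
        print(verify_backup(backup))                       # [] right after the copy
        (backup / "notes.txt").write_text("scrambled by a constructed ransomware stand-in")
        print(verify_backup(backup))                       # ['modified: notes.txt']
```

Running `verify_backup` on a schedule, and periodically restoring a backup into a scratch location and verifying it there, is the check that turns "we have backups" into "we can recover".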

8. Hire cybersecurity expertise

If all of this seems overwhelming, consider hiring an outside consultant who can review your firm’s network security and provide direction and implementation support to achieve an optimum level of cybersecurity for your firm. When a hurricane or other natural disaster strikes, FEMA is there to assist. But who do you turn to when you get hit by malware? There is no FEMA for that, and most people don’t know what to do.

The AICPA warns that CPA firms are of interest to hackers because of “the treasure trove of client financial data housed within firm networks” and says, “It is imperative that firm owners realize they have a fiduciary responsibility to protect this data which clients entrust to them and that this information is being directly targeted by hackers.” A solid plan to meet this responsibility and protect your firm must include employee education, secure network operations and strong cybersecurity policies.  

For more cybersecurity best practices, the AICPA offers this checklist on how CPAs should consider protecting their firms and client data. 

As an endorsed program of the FICPA, Coaxis offers special member pricing for its CPA program package. To learn more, visit or contact Lisa Bryant, executive vice president of corporate development, at (850) 391-1022 or
