Recently my personal website (ToddNielsen.com), in which I write about leadership and business, was hacked by an Islamic terrorist sympathizer.
As a very security-minded person, I found it quite a shock. I use two-factor authentication, encryption, super complex passwords and bam – I had overlooked my website security.
Tax and financial professionals are like businesses of all types and sizes in the sense that cybersecurity is often not front and center. Cybercriminals are not partial to company size, location, business type or anything else; they want to cause havoc and make money. Whether they hit you with ransomware that locks your machine until you pay them $1,500, or steal financial records or clients' personal information, it is all the same to them.
It’s important financial professionals do not overlook cybersecurity. Here are 11 areas to be aware of when creating a strategy:
1. Asset risk identification. When organizations plan a cybersecurity strategy, they often fail to inventory their physical and digital assets. These assets can include your intellectual property, employee information, client data, financial records and computing equipment. You cannot protect what you have not identified, so perform a risk assessment and address the risks to each type of asset.
2. Legal and regulatory. Do not follow compliance regulations merely for the sake of being compliant; passing an audit is not the same as being secure. Adopt a security mindset and take seriously that cybersecurity risks could damage a reputation and destroy a business. Good policies and policy management are central to detailing the operating controls that run the organization.
3. Cloud management. Financial professionals using cloud services need to be acutely aware of the privacy regulations that apply to the data they place there and of the liability they retain; moving data to a provider does not move the responsibility for it. Safeguarding your organization's data and digital assets will improve your brand and your clients' trust.
4. Process and technology controls. Documented processes are vital, not only for efficiency but also for improved security. Processes should explain how to handle technology and intellectual property assets. This decreases the chances of a security breach, and it helps mitigate the damage if one does occur.
5. Third-party ecosystem management. Third parties often have weaker security controls than many financial professionals. Be aware of the security certifications and audits that brokers, payment providers, fund managers and even your IT support firm claim to have. Ask for verification of stated certifications or passed audits, verify inbound and outbound access methods, and review agreements and contractual obligations. “Trust but verify” is important when working with third parties.
6. Proactive monitoring. Former FBI Director Robert Mueller put it perfectly when he said, "I am convinced there are only two types of companies: those that have been hacked and those that will be." A good information technology support firm knows the warning signs and employs proactive monitoring that looks for anomalies and issues, so it can often spot an attack in its early stages and stop it before it does real damage.
7. Service availability. In reviewing your risk assessment, it's important to understand how long you can go without certain services and still operate effectively. This includes internet, cloud and backup services, and the answer should drive how much redundancy you pay for.
8. Incident response. When a cyberattack does occur, how will you respond? That is exactly what an incident response process explains: who is notified, who makes decisions, and what gets done first. With a solid, tested process, you will know exactly what has to happen if you are affected by a cybersecurity breach, rather than improvising under pressure.
9. Social and online management. Protecting your brand image is part of cybersecurity. It's bad enough to have your website defaced, but having employees post on social media that the company they work for was hacked will bring all kinds of branding problems. Additionally, hackers use information people share on social media to craft convincing phishing messages and gain access to your company and to private client and financial data.
10. Mobile management. Do you know what data sits on employee devices? If a device were lost, could it give a hacker confidential and private information? It happens all the time, so devices that hold client data should be encrypted, locked with a passcode and capable of being wiped remotely.
11. Education and user awareness. One of the most important aspects of cybersecurity is education. As end users understand what they should and should not do, your risk and liability decrease.
A solid cybersecurity strategy will help your organization respond correctly to mounting regulatory demands, decrease your exposure and risks, and improve your uptime and brand image. Preparation is much better than recovery, both for you and your clients.
Todd Nielsen is chief strategy officer for JMark Business Solutions Inc. in Springfield. He can be reached at tnielsen@jmark.com.