6 Essential Practices to Protect Your Firm from Cyberattacks

December 01, 2022

From the Winter 2022/23 issue of New Jersey CPA magazine

By John Graziano, CPA, CFP, PFS, FFP Wealth Management
Reprinted with permission of the New Jersey Society of CPAs.

Is your accounting firm taking steps to protect against a cyberattack? If not, you may be putting your firm’s future at risk. On average, cyberattacks cost companies $4.24 million in 2021, up from $3.86 million in 2020. On top of that, an estimated 60 percent of small businesses go out of business within six months of a cyberattack.

The following best practices can help protect your firm from cyberattacks:

  1. Know Your Threats
    To protect your firm from an attack, you need to know your enemy. While there are many different types of cyberattacks, accounting firms are more likely to be the targets of:

    - Malware and ransomware: Ransomware is a type of malware that encrypts files and blocks owner access. To regain access, cybercriminals demand payment, usually via cryptocurrency. Malware can infect an entire system quickly and easily, leaving a firm completely immobilized.
    - Phishing texts and emails: Ransomware and viruses are often delivered to accounting firms through phishing schemes deployed via text or email. Phishing schemes hide malicious files inside seemingly innocent ones (like office documents). Once the attached file is opened, the entire system is infected.
  2. Train Your Staff
    Reports show that more than 90 percent of cyberattacks are carried out by either stealing credentials or using phishing scams to trick employees into providing access. Proper staff training can help reduce the risk of someone gaining unauthorized access to your system. All staff should be trained how to:

    - Spot phishing attacks. For example, emails asking for their login information or other sensitive data should be viewed as suspicious. Verifying these types of requests in person or over the phone can help prevent a data breach.
    - Protect their credentials. For example, login information should never be written on a piece of paper or typed in a text file.
  3. Know the Regulations
    Every accounting firm should know and understand the data regulations in their respective states. Some states have more stringent rules than others.

    All firms, regardless of location, must protect any client data they collect under the Gramm-Leach-Bliley Act. As part of this Act, the FTC created the Safeguards Rule, which requires businesses to:

    - Designate employees to coordinate a security program.
    - Identify and assess risks, and evaluate the effectiveness of current measures to protect against these risks.
    - Create and implement a safeguards program.
    - Choose service providers that maintain appropriate safeguards.
    - Evaluate and change the program as needed.

    In addition, all states have data breach notification laws. Research yours to ensure that you’re prepared to comply and properly notify clients in case of a breach.
  4. Design an Approval and Validation System
    An accounting firm’s system should create strict control over data access. The right approval and validation system can help prevent fraud and identity theft. For example, staff may verify or validate client requests to ensure that the client is indeed the person making the request.
  5. Establish Security Requirements
    Accounting firms should have clear security protocols, and all staff should be aware of these requirements. These security requirements may include drive encryption, antivirus and antimalware software, firewalls, two-factor authentication and virtual private networks (VPNs) for remote working.

    Additionally, firms should create strict access control systems to ensure that only the right people have access to data.
  6. Choose the Right Accounting System
    Finally, firms should choose the right accounting system. Ideally, the system should include encryption, data redundancy, automated backups and more to protect data.

Cybersecurity should be a top priority for accounting firms. Failure to comply with regulations or properly protect against data breaches can result not only in fines but also in a lot of stress, headaches and a damaged reputation that can be difficult to recover from.


John Graziano, CPA, CFP®, PFS, is the president and wealth management partner at FFP Wealth Management. He is a member of the NJCPA and can be reached at