Today, finance and accounting companies provide financial services to consumers across the globe. Many of these firms have grown into some of the most data-dense organizations in the global economy, as the volume of information generated by their clients has grown significantly. These businesses also hold large amounts of sensitive data, frequently more extensive than that maintained by banks or healthcare organizations.
Recent events like the Mosley Glick O’Brien, Inc. data breach serve to illustrate this point. While most of us think about large corporations when we hear about data breaches, smaller financial service providers are just as likely targets of cybercriminals.
The reason behind this is simple: trust. When a consumer provides their financial data to a financial services provider, that organization receives extremely sensitive information such as Social Security numbers, income records, tax IDs, and much more, often including health-related financial data. Financial services providers collect a wealth of highly confidential personal information about their clients, and that information is prized by criminals because of its potential for fraud, identity theft, and financial exploitation. This is especially true because the personal data collected, taken together, forms a full identity profile, effectively an identification key for an identity thief.
Mid-sized accounting and consulting firms have relatively low security budgets compared to large commercial banks, which operate extensive dedicated security departments and can spend millions of dollars on each breach they experience. Many of these mid-tier financial service organizations make do with a very limited security infrastructure. These businesses are primarily focused on their core business: providing financial services to clients, complying with government laws, and showing profitability. Failing to adequately protect clients' sensitive personal information can mean many thousands of exposed records from a single exploitable vulnerability.
Ransomware is a very popular attack method for cyber criminals targeting businesses. Ransomware attacks can not only result in data theft; they can also completely disrupt a business's operations by locking it out of its systems, delaying client services, and forcing the firm to make difficult decisions under pressure. Even if a business is able to restore access to its systems after an attack, there can be long-term damage.
Another area of concern with data breaches is the nature of the data being breached. Financial services firms maintain highly sensitive information about their customers, including:
1. Personally identifiable information (PII);
2. Financial account and transaction information;
3. Tax documentation; and
4. Health-related financial information (in some cases).
Having this level of detail about a victim's finances allows cyber criminals to conduct targeted fraud. For example, stolen tax information can be used to file fraudulent tax returns, while financial account information can be used for fraudulent transactions or unauthorized account takeovers.
Additionally, there is another risk that is often overlooked in data breach incidents: the delay in discovering the breach. Depending on the circumstances, it can take weeks or even months to determine the extent to which data has been accessed and taken. During this time, the victims may not be aware that their information is already being traded on underground markets.
For individuals, the potential impact can be severe but manageable by taking appropriate steps, such as monitoring their financial accounts, reviewing their credit reports, and maintaining heightened vigilance for any unusual activity. In some cases, individuals may have legal recourse if there is evidence that the affected organization did not implement reasonable security measures.
For organizations, the message is simple: cybersecurity should no longer be regarded as optional. Organizations that do not typically view themselves as "technology-driven" should now be investing in secure systems, employee education, and proactive monitoring. Prevention is far less costly than recovery, both financially and reputationally.
Ultimately, the failure of a financial advisory organization to protect data is not solely a technical issue, but a breakdown of trust. Clients have increasingly come to rely on these organizations for critical financial advice and to keep their personal and financial data safe.
