04.28.22
2022 Priorities for Mitigating Family Office Cybersecurity Risk
Matthew L. Weiskopf
Over 50% of ultra-high net worth family wealth is being managed through family offices, yet even the largest family offices lack the security resources of most banks and large corporations. This makes them a huge target for cybercriminals and cyber threats are becoming more pervasive for family offices of all sizes. Not surprisingly, cybersecurity is the number one concern for Family Office Exchange (FOX) members, according to the 2021 FOX State of the Family Office Industry survey. Yet many family offices continue to operate without the proper tools to monitor and prevent cybersecurity attacks.
In this piece, we cover what family offices should be prioritizing in 2022 to mitigate cybersecurity risk.
Why Are Family Offices at Risk?
The US Family Office Club estimates that there are 500 to 1,000 single-family offices in the United States and around 2,500 to 3,000 multi-family offices that manage $300 billion+ in assets. With cyber threats becoming more widespread, cybersecurity should be a top priority for family offices. Below are some of the current cyber trends.
Cyber Security Trends
- $4.24 million is the average cost of a data breach globally.
- 80%+ of breaches expose customer personal identifiable information (PII).
- 56%+ of organizations don’t have a cyber incident response plan.
Family offices have what cybercriminals want: Valuable assets. However, many family offices can fall victim to cyber-attacks that are not financially motivated. Unlike other types of organizations, family offices are at higher risk of cyberattacks due to the potential for blackmail, extortion and smear campaigns since they represent a tremendous amount of wealth from well-known, influential individuals.
Unpreparedness for COVID-19 has also put family offices at risk. Remote work is one of the biggest challenges for family offices. Not only does it put them at risk for more cybercriminal activity, but many family offices admit they wish they had better prepared their employees for remote work. Now more than ever, family offices should focus on cybersecurity and continue to improve their workforce’s ability to work remotely.
Best Practices for Mitigating Risk in the Family Office
As cybercrime evolves and cybercriminals become increasingly sophisticated in their attack methods, family offices must adapt. Just like any other organization, family offices must be diligent in relation to the potential risks posed by current and former employees and relationships with third-party vendors, especially those that have some level of access to family office data.
At the bare minimum, every family office should do the following things:
- Create and use strong passwords. Make sure that everyone within your organization knows what constitutes a good, strong password. No two passwords should ever be the same and they should always be complex — longer is better. Use a password manager, such as LastPass or Dashlane, to manage and secure your credentials.
- Implement multi-factor authentication (MFA) via built-in tools or use applications like Duo. MFA is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence. It could be knowledge (something only the user knows), possession (something only the user has) or inherence (something only the user is). MFA can be quickly rolled out and will greatly increase security.
- Use a modern behavior-based anti-virus on all computers. Older anti-virus software, including most of the kind that comes with your computer out of the box, usually rely on signatures of known bad programs which can change rapidly, leaving you in a blind spot. Modern behavior-based antivirus relies on detecting when programs act suspicious or malicious and are more likely to catch advanced threats like Ransomware.
- Back up your data using scheduled backup software. The gold standard of computer backups is the 3-2-1 rule. Keep 3 copies of your data on 2 separate types of media with 1 copy kept offsite. You have one original set of data and you should copy to it two different types of media with one offsite (e.g., an external drive and the cloud). You should protect your offsite copy with a lock and key or username/password and multi-factor authentication. And you must test your backups. They are no good to you if the data is not backing up and you cannot restore later.
- Secure your e-mail and e-mail handling policies. A majority of cyberthreats come into organizations via e-mail. You should be filtering these out. Major e-mail vendors do not protect against most of these advanced threats out of the box and you may need to add on some other solution to catch them. Employees also need to be trained on how to spot suspicious emails and threats like phishing, which is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
- Use private networks. When employees use public Wi-Fi, they are putting sensitive company information at risk. Encourage team members to use private networks or other encryption solutions such as a VPN to secure communication. Additionally, you should always modify any default ID and password that ships with items for your home or office. Hackers frequently attack the default ID and passwords for products we do not think to secure because default credentials are known and published on the Internet.
Seven additional tips for how family offices can stay secure and mitigate risk:
- Draft, Perfect and Practice an Incident Response Plan
Having an incident response plan is one thing, putting it into practice and continuously questioning it is another. Every family office should have a document that outlines their approach when responding to incidents. The plan should include things like activities that happen in each phase, each person’s responsibilities and how the plan supports the organization’s mission. Once a plan is drawn up, put it into practice and continuously make revisions as you see fit.
- Have a Disaster Recovery Communication Process
Disaster recovery plans, unlike incident response plans, outline how an organization would resume normal operations after a disruption. A disruption could be anything from a cyberattack to a natural disaster to a simple equipment outage. How will your family office resume work in the event of an unforeseen disaster? Thinking about these scenarios ahead of time will ensure that you are fully prepared. A disaster recovery plan should do more than just outline how your organization plans to resume normal activities. It should clearly define who people should communicate with and how they should communicate with each other during distinct phases. If the communication process is not figured out ahead of time, an outage could be detrimental to your organization.
- Offer Continuing Education to Everyone
According to a study by Boston Private, only 58% of family offices have trained internal employees and their family members about risks. Offering continuing education should be a top priority for family offices. Often, your own employees can be the biggest threat to the organization. Offer continuing education to all professionals. Make sure they know what to look out for and are prepared for anything that may pose a threat to the organization.
- Test All Internal Employees with Cyber Incident Exercises
Take continuing education a step further by putting employees to the test. See if they can spot a cyber threat themselves. With realistic exercises, your employees can practice responding to cyber threats and be better prepared for whatever may come their way.
- Create a Culture of Awareness and Reporting
It is important to create a culture within the business that not only makes employees aware of cybersecurity but also encourages them to report incidents whenever they occur. Cybersecurity should not just be a top priority among executives, it should be a part of the culture within your organization.
- Make Sure You Have Access to Robust and Timely Threat Data
Knowing how to respond to threats is important, but you must also effectively manage risk. This means having access to robust and timely threat data (i.e., the data that hackers and criminals seek the most). Family offices should have access to information about any significant risks that are affecting the business. The business should be constantly reviewing these to improve its security posture.
- Have Adequate Insurance Coverage
It should not matter how confident you are in your security posture; every family office should still have insurance as a safety net. Insurance can afford financial protection should the worst-case scenario happen. The presence of insurance can also give peace of mind to the business owner as well as key stakeholders.
Every family office and high net worth individual needs to protect their valuable assets. This is why it is crucial that cybersecurity be a top priority. We recommend speaking with an IT and/or cybersecurity specialist to discuss your organization’s specific threat landscape in greater detail.
For more information, contact Matt L. Weiskopf at [email protected] or call him at 312.670.7444. Visit ORBA.com to learn more about our Wealth Management Services.