Cyber security for family offices

Return to Family office

In a previous blog post, I discussed new digital technologies and which emerging technology trends family offices should be looking out for.   As I highlighted, digitization and automation offers family offices major benefits ranging from better information to greater efficiency⎯but may also bring new dangers and vulnerabilities as it relates to data security and cyber threats. 

In this latest blog, I team up with my cybersecurity colleague Nick Blaesing to zero in on some of the key cyber threats facing family offices, and highlight steps they can take to manage, mitigate and minimize these.

Q:  Nick, what are the cyber risks for family offices relative to other types of organizations, and how should they approach them?

A:  Many organizations are vulnerable to cyberattacks⎯but wealthy families are particularly attractive targets in the eyes of cybercriminals. 

What’s more, the threat is often increased by the fact that family offices may be unaware just how much of their family members’ personal information is publicly available, meaning it can be easier than many people realize for fraudsters to piece together disparate data points, steal identities and launch sophisticated criminal attacks. 

A further factor is that family members may be early adopters of leading-edge technologies⎯including connected devices⎯which may not yet have robust protections for cybersecurity and privacy built in.

All of this means family offices’ overall approach to cybersecurity should be proactive rather than reactive, with the key being to understand and manage the risk before trouble strikes. Experience with major global incidents shows that effective protection has less to do with any particular technological factor, and more to do with proactive risk management in general. 

So robust cyber hygiene, supported by strong awareness of the risks, is a front-line defense⎯and family offices should consider creating a strategic plan to address the various types of cyber threats, and continually review and update that plan as new threats emerge. 

Q:  What are some of the best ways to protect a family office and its network against external threats?

A:  Firewalls are a foundational element of network security strategy, and should be installed between the network and the internet. Most firewalls can support additional security appliances such as intrusion detection/prevention systems, malware detection and website filtering, and these features should be closely considered when selecting a firewall. Also, appropriate configuration is key with any network appliance: an improperly configured appliance can be as ineffective as having no controls at all. So organizations should review their firewall configurations and rules regularly, and keep operating systems and firmware updated to protect against the latest threats. 

While securing the network can be a complex undertaking, it can be made simpler by using a managed service security provider to set up and monitor network security appliances. This can be an especially useful option if the family office does not have the relevant skills in-house to appropriately maintain and monitor security logs and alerts. 

Alongside firewalls, it’s also important to use using encrypted Wi-Fi protocols like WPA-2 or WPA-2 Enterprise to protect wireless networks from unauthorized users. Where possible, visitors to the family office should be provided with a separate guest Wi-Fi network with internet-only access, rather than sharing the passwords for the internal Wi-Fi network.  

Q:  What are the primary methods that cybercriminals use to compromise systems and data?

A:  Cyberattackers can use many different avenues to gain access to different organizations’ systems and data⎯but there are two methods that I see used most often in relation to family offices. 

The first is associated with insider threats, which are those originating from individuals with inside information related to the organization's security, data, systems and controls. The sources of insider threats can include employees, former employees, contractors, or other individuals who have⎯or have previously had⎯access to sensitive systems and information within the family office.  

The insiders who gain unauthorized access to data are not necessarily malicious in their intent: in many cases they are just well-intentioned employees who have been duped or exploited by unscrupulous people.  

But whatever the cause of insider threats, it’s vital to remain aware and vigilant around the risks they present, since typical cybersecurity controls are often focused externally⎯and, as a result, may not prevent or even detect attacks from inside the organization’s perimeter.

The other⎯sometimes related⎯avenue of attack on family offices is from third-parties. Organizations are increasingly reliant on third-party providers and contractors for many business activities, often sharing sensitive information with them, allowing them to connect to the internal network, and granting them physical access to the office premises. 

Family offices should consider the resulting risks to their systems and data, and implement controls to mitigate them.  History has shown us that third parties that may be considered lower risk, such as heating, ventilation, and air conditioning (HVAC) contractors, may still have access to your sensitive systems and data, which can lead to loss of critical information. 

These measures can include making basic cybersecurity and privacy requirements a contractual starting-point for doing business, and then adding on further controls⎯both internally and at the third-parties⎯depending on the degree of risk associated with their access to the family office’s data or network.  

Q:  We hear a lot about “phishing” attacks these days. What are the leading practices to defend against them? 

A:  Phishing attacks aim to take advantage of individuals who are unaware of the risks, or too busy to notice the phish. So, while there are effective email filtering tools that can cut down the amount of phishing emails a family office receives, the fact is that robust protection against phishing depends crucially on educating the user base to recognize suspicious emails. 

This means that, alongside preventative technology such as email filtering and monitoring, an anti-phishing program should also include repeated and targeted training of high-risk employees, and formal reporting mechanisms for employees to report a potential phishing email.

An important consideration to bear in mind is that phishing attacks are often targeted around holidays and tax seasons. Users are more likely to drop their guard if they think they have an exciting package being shipped to them⎯even they did not order it⎯or if it looks like they’ve been allocated an unexpected tax refund. 

By ensuring users understand not only what phishing is, but also the mechanisms and tactics that threat actors employ, family offices can significantly reduce the risks they face from phishing attacks.

Q:  Another type of security breach we hear a lot about is “ransomware”.  What is this⎯and how can it be protected against?

A:  At its most basic level, ransomware is a type of malware⎯malicious software”⎯that encrypts the victim's files and prevents them from gaining access to the data in them. Once the threat actor has successfully encrypted the user’s data, they then offer to provide instructions and a decryption key to unlock the information in return for a ransom payment. The ransom can range from hundreds of dollars to hundreds of thousands, and is often requested in some form of untraceable digital currency. 

Ransomware is often delivered via phishing attacks, meaning anti-phishing measures can help to protect against it. However, threat actors mounting ransomware attacks can also utilize other avenues of attack, such as exploiting technical security vulnerabilities in organizations’ networks and applications. So closing these gaps is important in defending against ransomware. 

An additional useful measure is to have all important data backed up and kept offsite⎯possibly in the cloud⎯so the family office is not completely dependent on one set of data held on one system.  

Last, but certainly not least, should be a formalized incident response plan that considers where your most critical data is within the organization, how you would respond in a cybersecurity crisis or incident and communication of that plan to the individuals who would be part of the response and recovery processes.  

Proactive planning for an incident can not only identify potential gaps in your plan, but also allow for a more rapid response and recovery in a real world scenario.

Q:  While the flexibility, scalability and cost benefits of cloud and SaaS solutions are making them increasingly attractive to family offices, many still worry about putting their information “in the cloud”.  Are these concerns overdone?

A:  My ongoing client conversations show that family offices are becoming more and more comfortable with adopting cloud computing technologies, and are increasingly open to the idea of using them. This growing acceptance reflects the fact that the leading providers of cloud technology⎯whether SaaS, PaaS or IaaS⎯are sophisticated organizations that have invested heavily in their cybersecurity capabilities and controls. As a result, it’s often the case that data will be safer in the cloud than in a family office’s in-house systems.

Against this background, a family office considering moving to the cloud should think carefully about the type of information it wants to host in the cloud and the security controls and capabilities of the cloud provider, and weigh these against its own ability to protect that data internally. 

When evaluating cloud technologies, it’s also important to remember that just because a family office hosts an application or data with a cloud provider, this does not mean it has no responsibility for managing the related cybersecurity risks. So it’s vital to understand who is responsible and accountable for various security controls, configurations and monitoring. 

Establishing a baseline cloud security framework can help a family office to navigate the responsibility for protecting its data in the cloud, and can also be useful when evaluating cloud service providers.

Q:  What would be your single most important piece of advice to family offices and high-net worth individuals looking to start assessing and managing their cyber risks? 

A:  To me, it all starts with understanding what data you are trying to protect, and where that information is within the organization. This was underlined by PwC’s recent Digital Trust Insights study into cyber resilience, which found that 91% of companies with a high resilience quotient (RQ) maintain an accurate inventory of data assets and systems, and refresh this list as needed. Among lower-RQ companies, only 47% do this. 

Once you have an understanding of what is most important to you, you can begin to identify the specific threats and risks related to that information, and prioritize the implementation of cybersecurity controls that will provide the most effective protection for those assets. 

While establishing baseline cybersecurity capabilities is an important step towards protecting systems and data, layering a focused approach on top can help a family office to better utilize the resources it has to protect what’s most important. But if you’re unsure of anything, the key thing is to leverage experts in the field as the threats and corresponding leading practices for risk management are constantly evolving. 

• To learn more about cyber protection for family offices, please click here

• Please also visit PwC’s Cybersecurity and Privacy webpage  here for more information on this topic

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.