Maintain an updated inventory of everything internet-related
Laptops, smartphones, tablets, routers and connected devices ranging from printers to refrigerators to cars can provide access points for cybercriminals. We encourage family offices to review each device at least once a year against the following questions:
- Is password protection enabled for each device?
- Is there virus protection and a firewall installed on each device, whether in the office or at home?
- Is the software current and routinely updated on each device?
Smartphones by themselves are not typically a frequent source of vulnerability, assuming a passcode or biometric lock is enabled, the software is current and they are not used over public Wi-Fi without a VPN. However, ordinary cellular calls and text messages are not end-to-end encrypted, and thieves can use inexpensive tools to intercept them. If family members are using phones in certain foreign countries, or if they are actively involved in confidential business dealings that may be targeted, they should consider end-to-end encrypted calling and messaging services rather than relying on the carrier's voice and SMS.
Assert control over internet access points
Public Wi-Fi is one of the most common sources of breaches. When a family member connects to an open (unencrypted) wireless network of the kind found in coffee shops and hotels, anyone on the same network, or anyone running a rogue access point with the same name, can read whatever traffic is not itself encrypted and can try to steer the device to look-alike login pages. Modern email and banking sites use TLS (the "https" padlock), which protects the password in transit, but older applications, background traffic from apps on the device and any site that does not enforce https remain exposed. Many security experts tell families to not use public Wi-Fi under any circumstances. However, there are times where data service is not available or perhaps too slow. Using a Virtual Private Network (VPN) on top of the Wi-Fi, so that all of the device's traffic travels inside an encrypted tunnel to the VPN provider, is a relatively inexpensive solution that significantly increases protection.
Home and office routers are other points of vulnerability. Routers are often used beyond their "end of life," the point at which the manufacturer stops issuing software updates, so any flaw discovered afterwards stays unpatched for as long as the device is in service. Here's a basic checklist to improve your router's security. Routers should:
- run the current firmware, with automatic updates enabled where the device supports them
- be replaced once the manufacturer stops issuing updates, not simply every few years
- have the default administrator password changed, and have the Wi-Fi network secured with WPA2 or WPA3 (never WEP or an open network)
- have robust, unique passphrases for both the administrator login and the Wi-Fi network
- have remote administration (management from the internet side) turned off
- be non-discoverable. (This means that the network name is not broadcast: the user has to know the name of the network as well as the password. Devices that have already joined the network still reveal its name when they look for it, so treat this as a minor hurdle rather than protection; the encryption and the passphrase do the real work.)
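As an added example (not code from the original article), here is a small Python audit that checks a constructed inventory against the yearly review questions and the router checklist above. The 90-day patch threshold, the short list of common passwords, the device names and the dates are all assumptions chosen for illustration.

```python
"""Audit a device inventory against the yearly review questions and router checklist."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

MAX_PATCH_AGE_DAYS = 90  # assumption: a device not updated in 90 days is flagged as stale
# constructed short list for illustration; a real check would use a large breach-derived list
COMMON_PASSWORDS = {"password", "admin", "12345678", "letmein", "qwerty123"}
SECURE_WIFI = {"WPA2", "WPA3"}


@dataclass
class Device:
    name: str
    kind: str                      # "laptop", "phone", "tablet", "router", ...
    last_update: date              # when the software/firmware was last updated
    eol: Optional[date] = None     # vendor end-of-support date, if known
    password_enabled: bool = True
    password: str = ""
    antivirus: bool = False        # laptops/desktops only
    firewall: bool = False         # laptops/desktops only
    remote_admin: bool = False     # routers only: management reachable from the internet
    wifi_security: str = ""        # routers only: "WPA3", "WPA2", "WEP" or "open"


def audit(dev: Device, today: date) -> List[str]:
    """Return the checklist items this device fails (an empty list means it passes)."""
    findings: List[str] = []
    if dev.eol is not None and dev.eol <= today:
        findings.append("past end-of-life: no more security updates, replace it")
    stale_days = (today - dev.last_update).days
    if stale_days > MAX_PATCH_AGE_DAYS:
        findings.append(f"software not updated in {stale_days} days")
    if not dev.password_enabled:
        findings.append("no password/PIN protection")
    elif len(dev.password) < 12 or dev.password.lower() in COMMON_PASSWORDS:
        findings.append("weak password")
    if dev.kind in ("laptop", "desktop"):
        if not dev.antivirus:
            findings.append("no virus protection")
        if not dev.firewall:
            findings.append("no firewall")
    if dev.kind == "router":
        if dev.remote_admin:
            findings.append("remote administration enabled")
        if dev.wifi_security not in SECURE_WIFI:
            findings.append(f"Wi-Fi security is {dev.wifi_security or 'unset'}, not WPA2/WPA3")
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[str]]:
    """Run audit() over the whole inventory, keyed by device name."""
    return {d.name: audit(d, today) for d in devices}


# Constructed sample inventory (hypothetical devices and dates).
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Device("office-laptop", "laptop", last_update=date(2024, 5, 15),
           password="correct-horse-battery", antivirus=True, firewall=True),
    Device("home-router", "router", last_update=date(2022, 1, 1), eol=date(2023, 1, 1),
           password="password", remote_admin=True, wifi_security="WEP"),
    Device("family-tablet", "tablet", last_update=date(2024, 5, 20), password_enabled=False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Running it prints one line per device; the sample router fails five items at once, which is typical of a consumer router left on factory settings past its support date. The end-of-life dates have to be entered by hand from the vendor's support pages; nothing on the device itself reports them.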
Write down your cybersecurity policies
…and review them together.
Family offices should have a series of written cybersecurity policies, providing guidance to family and staff. Although there are few good ways to enforce such policies, writing them down and reviewing them at family meetings substantially increases compliance rates. Such policies often include the following:
- Connected device policy: This describes use of public Wi-Fi, VPNs and home routers.
- Identity protection policy: This describes how the family office protects the personal identity of each family member. Often, family offices provide credit monitoring service for each family member, perhaps even freezing their credit so that new accounts can’t be opened without separate approval.
- Social media policy: This explains how family members use social media. The policy covers items that protect the physical security of the family, maintain private information and protect the image and reputation of the family and business.
- Password policy: This describes what the family decides is a reasonable standard for passwords on phones, tablets, routers and similar devices. This policy may include having the family office cover the cost of using a password utility for managing and simplifying password use.
- Payment authorization policy: This works like a bank's procedure for approving wires or other payments: every payment request, however it arrives, is confirmed through a second channel (a call to a phone number already on file, never one supplied in the message) before money moves. Family email accounts have been particularly susceptible to hacking in recent years, with thieves copying a family member's language and style to send requests, purportedly from that family member, for wire transfers. An email alone should never be enough to release funds.
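The fraudulent wire requests described in the payment authorization policy usually leave traces in the message headers: a sender domain one letter off from the real one, a familiar display name on an unfamiliar address, a Reply-To that quietly redirects the conversation, and urgent payment language. The following added Python example (not code from the original article) checks a constructed message for those signs. The trusted domain, the known sender address and both sample messages are assumptions for illustration.

```python
"""Flag the usual header-level signs of a spoofed payment request (business email compromise)."""
import email
from email.utils import parseaddr
from typing import Dict, List, Set

# Assumptions for the example: the family's real domain and the known address of a
# person allowed to request payments. Both are constructed placeholders.
TRUSTED_DOMAINS: Set[str] = {"examplefamily.com"}
KNOWN_SENDERS: Dict[str, str] = {"jane example": "jane@examplefamily.com"}
PAYMENT_TERMS = ("wire", "transfer", "urgent", "payment", "invoice")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches look-alike domains such as one-letter swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True when the domain is within two edits of a trusted domain but is not that domain."""
    return any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS)


def bec_indicators(raw: bytes) -> List[str]:
    """Return a list of human-readable warning signs found in the message headers."""
    msg = email.message_from_bytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    findings: List[str] = []
    if from_dom and from_dom not in TRUSTED_DOMAINS and is_lookalike(from_dom):
        findings.append(f"sender domain {from_dom} looks like a family domain")
    known = KNOWN_SENDERS.get(name.strip().lower())
    if known and known != addr.lower():
        findings.append(f"display name '{name}' but address is {addr}, expected {known}")
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"Reply-To goes to {domain_of(reply_addr)}, not {from_dom}")
    if any(term in subject for term in PAYMENT_TERMS):
        findings.append("subject uses payment/urgency language")
    return findings


# Constructed sample messages (hypothetical addresses).
SUSPICIOUS = b"""\
From: "Jane Example" <jane@examplefamlly.com>
Reply-To: jane.example@mail-example.net
To: office@examplefamily.com
Subject: Urgent wire needed today
Content-Type: text/plain

Please send the wire this morning; I am in meetings all day and cannot take calls.
"""

LEGITIMATE = b"""\
From: "Jane Example" <jane@examplefamily.com>
To: office@examplefamily.com
Subject: Lunch next week
Content-Type: text/plain

Are you free on Tuesday?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(raw) or "no indicators")
```

Header checks like these are a screen, not a verdict: a compromised real mailbox produces a clean From address and passes every test above, which is why the policy still requires a call-back on a known number before any wire is released. A production filter would also read the Authentication-Results header (SPF, DKIM, DMARC) added by the receiving mail server.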
Proactively address the people risks
A robust cybersecurity strategy also must take into account the human side of the equation. Insiders—think of suppliers, vendors and employees—can create major risks either by accident or on purpose. IBM reported that 60% of cyber attacks during 2015 were conducted by insiders.
Family offices should ensure they have current signed contracts with each vendor or company they work with. These contracts should describe what the firm is doing to protect the family from human and technology threats, including conducting background checks on their staff at least every three years. Even major institutions such as banks are grappling with cybersecurity obstacles tied to third-party vendors. In our Global State of Information Security® Survey 2017, financial sector respondents reported this as their top information security challenge in 2016.
The family office also should repeat background checks every three years on their own employees, along with household and other staff with access to family houses, offices and resources.
Reinforce good cybersecurity practices
Family offices can use the best cybersecurity vendors in the country, paired with robust policies and staff, but security ultimately comes down to decisions made by each family member or staff. Family members need to understand how a post on social media might lead to a kidnapping or their house being robbed; how logging into their email account at a coffee shop might lead to identity theft and wire transfer fraud; how clicking on an email link might trigger a ransomware attack on the family business’ servers; and why using “password” as your home router password could provide hackers easy access to security cameras.
Unfortunately, most of our brains seem to “leak” over time. We need regular refreshers on the threats around us and how to protect the family. One of the most effective ways is to leverage annual family meetings to share lessons learned from actual cybersecurity incidents that have impacted other families and businesses. While this may sound like a scare tactic, the real intent is to create awareness and reinforce the family’s policies.
As a possible approach, consider engaging an outside firm to conduct ethical phishing on staff and family members. The results can be used in annual training to ensure family and staff know how to avoid such threats.
Deploy technology tools and assessments to support protection
Most of what we’ve addressed until now covers behavioral and policy challenges. That is intentional, as we believe these areas lead to most of the risk for wealthy families. However, there are several technology areas that should be addressed as well.
- Data backups: Technical staff should ensure data is backed up. This includes the family office server, smartphones, tablets and laptops. They should retain multiple generations of each backup, with at least one copy kept offline or otherwise not writable from the network, so that clean backups are not overwritten (or encrypted along with everything else) before someone discovers there is a virus or ransomware. Restores should be tested periodically; a backup that has never been restored is an assumption, not a safeguard.
- Vulnerability assessment: Have a technology firm conduct an annual vulnerability assessment to look for weaknesses in your technology, much like looking for unlocked doors in a parking lot. These should be done for the family office, for each family member's home and for each business supported by the family office. Penetration testing (known as 'pen testing') goes beyond a vulnerability assessment by actually attempting to hack or penetrate systems. It is commonly done for businesses, but rarely for family offices, as, depending on the family's digital assets, it may not be necessary.
- Encryption tools: Families often need to share tax information with an outside accountant, estate details with their attorney or perhaps business dealings with each other. Standard emails are stored on both originating and destination servers, as well as in-transit servers. Any of these devices can be breached. Families can either use secure document storage, where they give a user access to a particular document or folder, or they can use encrypted email tools to secure the emails.
- Monitoring: Despite the best defenses, highly experienced and determined hackers are often able to breach the systems they target. Family offices should use a technology support partner with monitoring capabilities that can enable real-time responses when hackers strike. In addition, activity logs can be used to detect suspicious activity (unusual login times or locations, large data transfers, access to files a person does not normally use) and are essential evidence in a post-intrusion investigation, so they should be retained somewhere an intruder cannot simply delete them.
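The backup point above turns on a question of arithmetic: how many generations must be kept so that a clean copy still exists when ransomware that has been dormant for weeks is finally noticed? The following added Python example (not code from the original article) implements the common "grandfather-father-son" rotation, which keeps the last few daily copies, the newest copy from each of the last few weeks and the newest copy from each of the last several months, and then checks whether a retained copy predates an assumed dwell time. The snapshot dates and the 7/4/12 counts are assumptions for illustration.

```python
"""Grandfather-father-son retention: decide which backup snapshots to keep."""
from datetime import date, timedelta
from typing import Callable, Hashable, Iterable, List, Set


def newest_per_bucket(snaps_desc: List[date], key: Callable[[date], Hashable], limit: int) -> Set[date]:
    """From a newest-first list, keep the newest snapshot in each of the first `limit` buckets."""
    seen: List[Hashable] = []
    chosen: Set[date] = set()
    for s in snaps_desc:
        k = key(s)
        if k in seen:
            continue            # an older snapshot in a bucket we already covered
        if len(seen) == limit:
            break               # all wanted buckets are filled
        seen.append(k)
        chosen.add(s)
    return chosen


def snapshots_to_keep(snapshots: Iterable[date], today: date,
                      daily: int = 7, weekly: int = 4, monthly: int = 12) -> Set[date]:
    """Sons: the most recent `daily` snapshots. Fathers: newest per ISO week for `weekly`
    weeks. Grandfathers: newest per calendar month for `monthly` months."""
    snaps = sorted({s for s in snapshots if s <= today}, reverse=True)
    keep = set(snaps[:daily])
    keep |= newest_per_bucket(snaps, lambda d: tuple(d.isocalendar()[:2]), weekly)
    keep |= newest_per_bucket(snaps, lambda d: (d.year, d.month), monthly)
    return keep


def has_clean_copy_older_than(keep: Iterable[date], today: date, days: int) -> bool:
    """True if some retained snapshot predates an infection that has been present `days` days."""
    return any((today - s).days >= days for s in keep)


def oldest_retained(keep: Iterable[date]) -> str:
    return min(keep).isoformat()


# Constructed sample: one snapshot per day for the last 400 days (hypothetical dates).
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_SNAPSHOTS = [SAMPLE_TODAY - timedelta(days=i) for i in range(400)]

if __name__ == "__main__":
    keep = snapshots_to_keep(SAMPLE_SNAPSHOTS, SAMPLE_TODAY)
    print(f"keeping {len(keep)} of {len(SAMPLE_SNAPSHOTS)} snapshots, oldest {oldest_retained(keep)}")
    for dwell in (30, 60, 180, 400):
        print(f"clean copy survives a {dwell}-day dwell time: "
              f"{has_clean_copy_older_than(keep, SAMPLE_TODAY, dwell)}")
```

With daily snapshots the scheme keeps 21 of 400 (the weekly and monthly picks overlap the daily ones at the newest end) and the oldest retained copy is about eleven months old, so an infection noticed within that window can be rolled back. The retained copies only help if the backup target itself is not reachable for deletion from the infected machines, which is the reason for the offline copy in the list above.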
Be ready for a crisis
A final component of the strategic cybersecurity plan is identifying how you would respond to a crisis. The plan should address common items such as lost phones or laptops, in addition to which actions family and staff should take if they believe they have received a phishing email or phone call. It also should cover how to handle a ransomware event, hacked emails and network intrusions. It is worth rehearsing your response to a cyberattack before one happens.
Cybersecurity insurance may be an option, but it is still mostly designed for businesses rather than families. Such policies typically cover remediation costs, liability for loss of data and settlement costs, which don't apply to most families. While cybersecurity insurance may be useful in a moment of crisis, it is no substitute for proactively mitigating risk.
The worst possible time to think about how to handle a crisis is during the crisis itself. The family office should have a plan for each type of event. Resources can be an outsourced IT support firm, their insurance company or a relationship with a personal security or cybersecurity firm.
As noted recently by Sean Joyce, who was formerly the FBI’s deputy director and now leads PwC’s US Cybersecurity and Privacy practice, managing cyber risks in a strategic manner requires tradeoffs, just like any other kind of business risk. Creating a strategic approach to cybersecurity may sound daunting, but it allows a family to take advantage of the benefits of technology while managing the risks to the family’s wealth, security, privacy and reputation.