Family Offices: All For One And One For All?
14 September 2017
For Family Offices that seek to remain 'below the radar', dissociating the name of the Family Office from the family’s name or its associated businesses is a relatively obvious step. But on those occasions when a Family Office, family member or family principal piques the interest of a cyber-criminal, a simple name change will not suffice.
This is underlined by a recent statistic from Campden Wealth and Citibank showing that 15% of Family Offices have fallen victim to a cyber attack. With the number of reported cyber-attacks on the increase, Family Offices face a growing threat – an issue that Schillings will address when it publishes its research into Family Offices and cyber security later this year.
According to FireEye, the average time an attacker is in a company's systems before detection is 99 days. In that time, volumes of private and confidential information can be stolen before the first inkling that security systems may have been breached. The implications of this from a reputation, privacy and monetary perspective can be dire.
In September 2017, US-based credit reporting agency Equifax revealed that cyber-criminals were in its systems undetected for two and a half months, from May to the end of July 2017. Initial reports suggest that, in that time, customer names, Social Security numbers, birth dates, addresses and personal information such as credit card numbers were stolen. Upon announcing the breach, Equifax’s share price dropped 18%, two lawsuits seeking class action status were launched on behalf of customers, and governmental investigations are now underway.
Of course, no one is suggesting that Family Offices aren’t well versed in the threat posed by cyber-crime. But how can they go further to ensure that they are adequately protected, not only in terms of preventing a cyber attack but in being able to mitigate the consequences if and when a cyber attack occurs?
Perhaps inspiration can be taken from Alexandre Dumas’ 'all for one and one for all'? When it comes to cyber security, it’s the bonds that exist between Family Offices, as well as the families, that are their greatest asset. For example, if one house has a security alarm and the other doesn’t, a thief will target the house with weaker security. A cyber-criminal is no different; the trick is to make Family Offices, as a sector, harder to target.
To help cultivate a security mentality, what follows are a few simple steps that can help to make all Family Offices less vulnerable.
Keep a low profile
Successful business people often find themselves, by accident or design, as commentators on social media. If this applies to you, be aware that you are giving away clues that can be used against you for social engineering - to steal data, passwords or organisational information.
Marshall your staff and family
Family Members and staff giving away personal information, posting photographs to social media with commercial documents in the background, clicking on malware or being subjected to a phishing campaign are all examples of how employees and family members can expose the Family Office to risk.
Train your staff and family
Cyber criminals seek to exploit the weakest link in an organisation’s cyber security: people. Phishing scams can be relatively unsophisticated and rely on employees and family members not detecting an attack until it is too late. Ensure your staff are trained to spot a phishing email, and that they know what to do. Cyber-crime can also be incredibly sophisticated, making it hard to spot when you are being manipulated unless you are trained and keep your guard up.
Know your remedies
In addition to taking immediate technical steps to recover your data and secure your systems, you may need to take proactive steps to mitigate the effects of a cyber attack. Private and confidential information may now be in the hands of competitors or the media who will seek to take full advantage. You may be able to take legal action to prevent publication or disclosure of information, but speed is key, so have a plan in place.
In an environment where Family Offices are increasingly at risk of being targeted, these simple steps can help to reduce vulnerability and make the sector a harder target. To summarise, Family Offices must identify areas of potential weakness, lock down private and confidential information, minimise exposure and plan for what to do should the worst happen.
In our next article for Family Offices, we will address the risk of infiltration by hostile individuals, insider threats and dealing with threats posed by ex-employees.