An Ounce of Prevention Could Be Your Million-Dollar Cure: Family Offices and Cybersecurity

It’s the stuff of nightmares. You stroll into the office on Monday morning to start a busy week. When you turn on your computer you see it—a large, ominous skull and crossbones followed by taunting text that says your most sensitive files have been encrypted. The only way to get them back and prevent them from being dumped onto the dark web is to send the perpetrator $1 million in Bitcoin within the next 24 hours.

This isn’t a farfetched scenario or the plot of a Hollywood blockbuster. It’s a ransomware attack. Ransomware is a popular form of malware (malicious software), easy to obtain and relatively simple to deploy, and as the scenario demonstrates it can be extremely lucrative.

If your family office were struck by a ransomware attack, would you know what to do? For many, the answer is no. Yet family offices are particularly vulnerable to cyber threats. The ultra high net worth individuals who utilize a family office often are in the public eye. Moreover, many family offices rely on a lean staff with employees who travel regularly and who access important financial and personally identifiable information (PII) from a variety of locations. The balance between efficiency and security can be tricky, but protecting your technology and locking down access to valuable data should be an existential priority.

Here are some initial steps you should take to bolster your cybersecurity.

Do you have a documented cybersecurity policy? If not, it’s time to create one. Your personnel are both your first line of defense and your greatest point of vulnerability. Be sure your employees know your expectations and their responsibilities, and be sure to regularly train and test them to ensure compliance. How should sensitive information be stored or transmitted? If an employee clicks on something suspicious, what should he or she do? It only takes a single person to make one very costly mistake. There’s no substitute for clear, enforceable policies and procedures.

Password reuse is risky business. When individuals reuse passwords across multiple accounts, a breach of one account threatens all the others. To avoid this risk, the best strategy is to use complex, lengthy and unique passwords for each account—but such passwords are very difficult for anyone, let alone an office or group of individuals, to keep track of. This is where a password manager comes in. A reputable password manager will create strong passwords for you and then store them in a cryptographically-sound way.

In addition to using strong passwords, enable Multi-Factor Authentication (MFA) whenever available, and especially to protect access to your high-consequence systems. MFA allows you to add additional verification—beyond a username and password—to confirm users’ identities and protect access to your accounts. Registered trusted devices, fingerprint scans and security keys are all examples of MFA.

Email is often a cyber criminal’s favorite tool. If an employee clicks on a link or opens an attached spreadsheet without thinking, that employee could unwittingly be downloading malware onto your network. Business Email Compromise (BEC) is another popular, if nefarious, tactic. A BEC attack is a scheme whereby a fraudster impersonates an executive or client with the aim of getting a target to send money or sensitive information. Sometimes the fraudster is simply spoofing a publicly available email address. In other cases, the criminal has compromised a server or has hijacked account credentials. Whatever the method, the lesson is the same: never reflexively trust an email you receive. Always rely on multiple methods beyond email to confirm the sender’s identity and intent before engaging, and never transmit sensitive information via unsecured email or text. 

Training your employees to spot and thwart social engineering schemes is part of the puzzle but on its own is insufficient. Just as you would take vitamins to bolster your body’s immune system, you need to do the cyber equivalent at your family office. Start by running a reputable, American-made anti-virus product on all personal computers and laptops being used for business activities. Doing so will protect these devices from future malware invasions and clean up any existing infection. It’s also critical to keep all software, including operating systems and browsers, up to date across your devices—and to turn on automatic updates where available. Software companies often include security upgrades (called “patches”) in every update they release. Installing those updates immediately will help protect your devices. Of course doing this properly requires having an accurate inventory of all devices and software the business is using. 

Traveling or accessing information from a remote location poses a unique set of cyber-risks and challenges. One best practice is to avoid using public Wi-Fi hotspots, which make your communications and internet traffic vulnerable to being intercepted. Instead, create a personal hotspot with your phone and connect through an LTE, an end-to-end encrypted channel. You can and should apply additional protection in the form of a Virtual Private Network (VPN). In general, when traveling, be picky about the devices you bring with you, never leave them unattended and refrain from using public computers or publicly available charging cords or USB ports.

While social media allows us to share information and connect with friends, it can also be exploited by cyber criminals for fraud schemes or even blackmail attempts. For example, posts related to vacation plans could be used to determine when your house will be empty. In the case of those with very high profiles like athletes, entertainers or other celebrities a takeover of an Instagram account could have financial and reputational consequences. Be sure to limit how much you share on social media, and lock down the privacy settings on your accounts. Furthermore, only give applications the permissions they really need because granting access to your photos, location, camera, contacts, etc., makes your data and personal information available to the application owner. 

To bring your cybersecurity to the next level, you may wish to engage the services of a cybersecurity expert. A cybersecurity expert can conduct a vulnerability assessment, educate your staff and clients, evaluate your vendors and advise on encryption tools, cyber insurance, document storage, network monitoring and more.