Whatever your cybersecurity needs, your Morgan Stanley Advisor can help you evaluate the particular challenges of your situation to best address the vital issue of staying safe in an increasingly complex digital world.
It’s the stuff of nightmares. You stroll into the office on Monday morning to start a busy week. When you turn on your computer you see it—a large, ominous skull and crossbones followed by taunting text that says your most sensitive files have been encrypted. The only way to get them back and prevent them from being dumped onto the dark web is to send the perpetrator $1 million in Bitcoin within the next 24 hours.
This isn’t a farfetched scenario or the plot of a Hollywood blockbuster. It’s a ransomware attack. According to a 2018 report by Verizon, ransomware is the most popular form of malware (malicious software) out there. It’s easy to obtain and relatively simple to deploy, and as the scenario demonstrates it can be extremely lucrative.
If your family office were struck by a ransomware attack, would you know what to do? For many, the answer is no. At Morgan Stanley’s Private Wealth Management 2018 Single Family Office Symposium, 33% of family offices surveyed said they had not taken any notable measures regarding cybersecurity.
Yet family offices are particularly vulnerable to cyber threats. The ultra high net worth individuals who utilize a family office often are in the public eye. Moreover, many family offices rely on a lean staff with employees who travel regularly and who access important financial and personally identifiable information (PII) from a variety of locations. The balance between efficiency and security can be tricky, but protecting your technology and locking down access to valuable data should be an existential priority.
According to recent studies:
- 76% of breaches were financially motivated.
- 68% of compromises went undiscovered for months or longer.
- As much as $600 billion may be lost annually due to cybercrime.
- 61% of cybercrime victims were businesses with fewer than 1,000 employees.
Here are some initial steps you should take to bolster your cybersecurity.
Do you have a documented cybersecurity policy? If not, it’s time to create one. Your personnel are both your first line of defense and your greatest point of vulnerability. Be sure your employees know your expectations and their responsibilities, and be sure to regularly train and test them to ensure compliance. How should sensitive information be stored or transmitted? If an employee clicks on something suspicious, what should he or she do? It only takes a single person to make one very costly mistake. There’s no substitute for clear, enforceable policies and procedures.
According to a survey by Virginia Tech University, 52% of users reuse the same or similar passwords.
Password reuse is risky business. When individuals reuse passwords across multiple accounts, a breach of one account threatens all the others. To avoid this risk, the best strategy is to use complex, lengthy and unique passwords for each account—but such passwords are very difficult for anyone, let alone an office or group of individuals, to keep track of. This is where a password manager comes in. A reputable password manager will create strong passwords for you and then store them in a cryptographically-sound way.
In addition to using strong passwords, enable Multi-Factor Authentication (MFA) whenever available, and especially to protect access to your high-consequence systems. MFA allows you to add additional verification—beyond a username and password—to confirm users’ identities and protect access to your accounts. Registered trusted devices, fingerprint scans and security keys are all examples of MFA.
Email is often a cyber criminal’s favorite tool. If an employee clicks on a link or opens an attached spreadsheet without thinking, that employee could unwittingly be downloading malware onto your network. Business Email Compromise (BEC) is another popular, if nefarious, tactic. A BEC attack is a scheme whereby a fraudster impersonates an executive or client with the aim of getting a target to send money or sensitive information. Sometimes the fraudster is simply spoofing a publicly available email address. In other cases, the criminal has compromised a server or has hijacked account credentials. Whatever the method, the lesson is the same: Never reflexively trust an email you receive. Always rely on multiple methods beyond email to confirm the sender’s identity and intent before engaging, and never transmit sensitive information via unsecured email or text.
Training your employees to spot and thwart social engineering schemes is part of the puzzle but on its own is insufficient. Just as you would use antibiotics and vitamins to bolster your body’s immune system, you need to do the cyber equivalent at your family office. Start by running a reputable, anti-virus product on all personal computers and laptops being used for business activities. Doing so will protect these devices from future malware invasions and clean up any existing infection. It’s also critical to keep all software, operating systems and browsers up to date across your devices—and to turn on automatic updates where available. Software companies often include security upgrades (called “patches”) in every update they release. Installing those updates immediately will help protect your devices. Of course doing this properly requires having an accurate inventory of all devices and software the business is using.
Traveling or accessing information from a remote location poses a unique set of cyber-risks and challenges. One best practice is to avoid using public Wi-Fi hotspots, which make your communications and internet traffic vulnerable to being intercepted. Instead, create a personal hotspot with your phone and connect through an LTE, an end-to-end encrypted channel. You can and should apply additional protection in the form of a Virtual Private Network (VPN). In general, when traveling, be picky about the devices you bring with you, never leave them unattended and refrain from using public computers or publicly available charging cords or USB ports.
While social media allows us to share information and connect with friends, it can also be exploited by cyber criminals for fraud schemes or even blackmail attempts. For example, posts related to vacation plans could be used to determine when your house will be empty. In the case of those with very high profiles like athletes, entertainers or other celebrities a takeover of an Instagram account could have financial and reputational consequences. Be sure to limit how much you share on social media, and lock down the privacy settings on your accounts. Furthermore, only give applications the permissions they really need because granting access to your photos, location, camera, contacts, etc., makes your data and personal information available to the application owner.
To bring your cybersecurity to the next level, you may wish to engage the services of a cybersecurity expert. An expert can conduct a vulnerability assessment, educate your staff and clients, evaluate your vendors and advise on encryption tools, cyber insurance, document storage, network monitoring and more.
Consider enlisting an expert to evaluate where your family office may be most vulnerable, and to help train employees. Follow the other ten key steps listed below.
- Establish a written cyber-security policy so all employees know their responsibilities.
- Set up an annual or semi-annual training program for employees to inform and update them on how to keep accounts, e-mail, and other data safe.
- Ensure strong passwords are used by all employees, and insist on unique passwords.
- Enable Multi-Factor Authentication (MFA) on all your \ high-consequence systems.
- Consider email the soft underbelly of your business operation. Never trust incoming email without verifying the sender, avoid clicking on links or attachments from unverified senders and don’t transmit information via unsecured email.
- Regularly run an anti-virus product on personal computers and laptops.
- Keep software, operating systems, and browsers up to date.
- Beware of sharing too much personal information on social media
- Avoid public Wi-Fi hotspots when traveling. Use a personal hot spot, and a Virtual Private Network (VPN).
- Limit the permissions you allow applications to have, since access to photos, contacts, and location may also give the application owner access to your data and personal information.