How single family offices can protect themselves against cyberattacks.
Secrecy surrounds single family offices, particularly concerning cyber-breaches. Cyber-expert Martin Clements talks to a representative of one such office about how security measures protect beneficiaries’ money and secrets from online criminals, and then offers advice on how to make that protection even better.
Cyberattacks are a risk for single family offices
The ten biggest single family offices (SFOs) in North America together manage approximately USD 451 billion of assets.1 While their balance sheets might put them on a similar footing to a large multinational corporation, SFOs generally allocate far fewer resources to – and often have a lower awareness of – cybersecurity.
Imogen Tempest, whose remit at the SFO where she works includes cybersecurity, admits, “In my previous job I ran the IT infrastructure for a public company and had about 80 people working in my team. Here, I have one individual working via a third party. The resources available to us are much fewer and we probably do seem like an easier target.”
Cybercrime is the term used to describe a malicious breach of an organization’s IT security systems. The end goal is often fraud, but the criminals may also be after information that the family would pay to keep private – information that may even put the security of that family at risk.
Identify gaps in IT security in good time
For SFOs wanting to understand the level of their cybersecurity, a penetration test (pen test) to highlight vulnerabilities is a good place to start.
“When we did our first pen test, we looked at the results and prioritized what we wanted to introduce,” she says. This tiered approach worked well. According to Tempest: “Everybody is now very accepting of the things they have to do – even regular password changes requiring complex passwords, which can be laborious.”
Cyber attacks are becoming more sophisticated
Making sure the SFO is prepared is vital because it is not a question of if but when an attack will happen. According to Tempest, who spoke on the condition that her name be changed to avoid increasing any risk of a cyber-attack on her SFO, the most likely attack will be via CEO fraud. This is when criminals pose as senior management in emails to order a fraudulent payment. Worryingly, she believes it is increasingly difficult to spot.
“A few years ago, it was easy to weed them out because they were usually poorly worded,” she says. “But I’ve recently been shown examples that are more plausible. If someone is caught off-guard on a Friday afternoon, a popular time for these sorts of things, there’s a chance a payment could be requested. You’d have to hope that finance staff would be vigilant enough to realize it was an odd request and have other payment controls in place to mitigate. But there’s no guarantee of that.”
In addition to the CEO fraud Tempest highlights, the list of cyber-threats includes: phishing attacks, where criminals try to elicit information that allows them to access bank accounts; trojan attacks, where viruses are introduced to the IT system via malicious links; hacking the system for sensitive data that can be used for extortion; ransomware, allowing criminals to freeze IT systems until they get paid; and internal fraud.
These cybersecurity measures are worthwhile
In each case, protection demands not just vigilance, but also rigor and a sense of shared responsibility. Thankfully, it does not demand vast resources or sophisticated technology. Indeed, at the SFO where Tempest works, the watchword is prevention.
“Most mitigating measures can be implemented on a pretty cost-effective basis. But our staff, what they do and the information they have, are among our most valuable assets, so we should be prepared to spend some money on protecting them,” she says. As a result, her SFO has some effective controls from the fundamental to the more sophisticated. These include:
- Multifactor authentication
- Applying software patches/updates in a timely fashion
- Restricting system access to pre-registered devices
- Monthly password changes using complex passwords
- Retaining a third-party specialist to advise on cybersecurity
- Using proven software to monitor emails and clean them of viruses, specifically using a content disarm and reconstruction (CDR) methodology
- A senior executive whose remit includes cybersecurity
- Cybersecurity staff training and regular testing of their knowledge and practices
- Minimizing family and SFO online presence, including on social media, to reduce the ability of scammers to harvest useful information
Sensitize employees to the danger of cyber attacks
Even with a book full of controls, an SFO won’t beat the criminals without the right culture in place. This is partly a matter of making it clear that IT security is a priority, even if that means limiting the type of devices staff and beneficiaries can use. Tempest says, “It’s a Windows 10 Professional environment here. If somebody wants to use a MacBook I just say sorry, no. We only implement one standard. It makes it much easier to control.”
She is also vigilant in applying the security measures. For example, she meets her IT support function once a month to consider any changes needed in light of evolving threats. “I don’t ever want anybody to think that our IT security isn’t at the top of the agenda, because it most definitely is,” she adds.
Establish IT security standards for clients as well
This vigilance also extends to the principal – a key player in all SFOs and yet someone who too often thinks the rules don’t apply to them, despite the fact that they usually have multiple devices, homes and offices, which significantly increases the chance of attack.
To get the full support of the principal, Tempest had a frank discussion to explain why they might be a target and the possible consequences of a successful cyber-attack. These included compromised family security or reputational damage, as well as the more obvious fraud. At the same time, she made the importance of leading from the front quite clear.
“The principal sets the example that you expect others to follow. Once they are onside, other people take it much more seriously than they might otherwise,” she says.
Regular security checks prevent cyber attacks
Today, while her office clearly has good cybersecurity, she admits her approach can always be enhanced. Specifically, she has yet to simulate what might happen were an attack to occur. “We did it in my previous role, but it’s not something that we’ve done here. It’s certainly food for thought,” she says.
A simulation exercise does four things. First, it reminds people what to do in the event of an attack, such as shutting down the systems and reviewing access audits. Second, it shows staff that the SFO takes cybersecurity seriously and that they must follow the correct procedures. Third, it helps identify areas where more work needs to be done to ensure the best protection. Finally, should an attack be successful, having performed a recent pen test minimizes the opportunity for recrimination – legal or personal.
As Tempest puts it: “There’s no point in patting yourself on the back for all the measures you’ve put in place, when you still don’t know where the gaps are or how to respond.”
Analog copies cushion a cyber attack
Another area that can be overlooked is identifying the SFO’s crown jewels – information that needs special protection.
This category might include succession planning, beneficiaries’ health reports, and even photographs. Keeping these items only in a physical format in a safe will put them beyond the reach of cybercriminals. But if highly confidential information has to be in a digital format, it’s a good idea to keep it only on a thumb drive (also known as a USB stick) with a master copy and up to two back-ups in case of loss, all kept separately.
Tempest says that while she has yet to come across an SFO with better cybersecurity defenses than her own, “that doesn’t mean they don’t exist”. Even in this short discussion, she agreed there were additional measures that could be introduced to better protect not only her beneficiaries’ wealth, but also the beneficiaries themselves. Given the determination of cybercriminals and the prevalence of cybercrime, it’s in every SFO's interest to make sure they understand their own cyber landscape and do everything feasible in the name of prevention.