This is the second half of a two-part feature by Annmarie Giblin and Theresa Pratt looking at cybersecurity best practices for family offices. Based in New York, Giblin - who wrote part one - works at a US law firm while Pratt is director of IT at Market Street Trust Company.
This article is part two of last week’s discussion of the basics of cybersecurity. The previous article, which can be viewed here, explored the legal best practices related to cybersecurity and discussed key concepts like having an information inventory, data retention policy, incident response plan and a response team. These are all very important, and nothing said now should be taken to minimize how critical they are.
As the definition of cybersecurity from TechTarget.com suggests, proper cybersecurity is one-third technology and two-thirds practices and procedures. Due to my role as IT director, I take security very seriously, and that carries over to how I protect my home and possessions. We have a security system, cameras and other “techy” items in place to protect us. None of these is helpful, however, when I come home and find the house unlocked and my spouse has left his login names and passwords, written out on a piece of paper, lying on the coffee table. My flashy cameras are useless without the policy of not writing passwords on paper and the practice of locking the door when we leave. These three (technology, policy and practice) must work symbiotically to achieve effective cybersecurity.
There are some realities of “boots on the ground” running a family office that are, in my opinion, unique to this industry. With these in mind, let me augment the comments from part one of this series with a few practical suggestions.
Preparing for the worst, hoping for the best – a realistic perspective
Many family offices are small organizations with limited resources. Obtaining additional resources usually means asking the family, either via the board, which is often populated with family members, or by going directly to the patriarch or matriarch. Additionally, the family members who wield the most control may be in a generation that typically does not understand or fully appreciate cybersecurity. I am of course generalizing, and many exceptions apply, but this situation can create a unique challenge for family offices that wish to step up their cybersecurity game. So, as an executive caught in this interesting dilemma, what do you do?
First, training. Train yourself, train your staff, train your board, train your clients. The biggest threat any organization faces, whether large or small, is that someone will click on something bad or take action on a fake or phishing scam. There is not a technology in the world that can protect you from the random clicking of the unwary.
Proper cybersecurity awareness begins with an attitude of “question everything”. Are you really sure the email you just received is from your client? And if it is, are you really sure they want you to wire $200,000 for a painting to France? (This is a real example of a fake request we received from a hacked client email account.) Create a mindset of risk management where decisions to act include the question, “Is this action worth the risk?” We receive fake requests every single day: fake invoices demanding payment, email requests from “clients” asking for money to be wired, surveys asking for detailed information about our IT infrastructure, phone calls asking for details about staff and/or clients. The list goes on and on. I spend a significant amount of my time as IT director working one-on-one with staff members, looking at individual situations, determining whether or not they are legitimate and taking advantage of teachable moments. I tell the staff each and every time that I would rather answer the same question ten times a day than have them do something that creates a security incident. Your staff is your main line of defense. Tell them that, and teach them what to look for.
Training does not have to be expensive. There are many good online resources to help you become and stay aware. The SANS Institute is one of the best resources available. It has a monthly newsletter called OUCH that talks about real cyber threats in plain English. Additionally, it publishes a video of the month and offers free security awareness posters. The SANS Institute also provides best-in-class training, which can be pricey. This is where the FBI goes for training. CIO.com is another great resource. You can sign up for email alerts that will literally fill your inbox with the latest and greatest of all things technology. As a next step, consider building relationships with your local FBI agents. Generally, the FBI wants to help you become educated and aware. Our local agent has come to the office twice in the past year to provide awareness training to the staff and board. When the FBI says it, the board listens. Once they understand the threats, they are much more likely to approve resources for other, more expensive tools.