What steps should family offices take to protect cybersecurity at a time when family and non-family members are working from home? Coping with a biological virus can actually increase the risks of falling victim to digital ones. This article sets out some pointers.
When people work remotely – as more are because of COVID-19 – cybersecurity risks increase. And that’s particularly important for people working with large blocks of money, as is the case with family offices. Single family offices and even some large multi-family offices are not traditionally noted for spending big on security. Smaller FOs may lack the resources to handle security in-house, explaining why they turn to outsourced solutions. As this news service has been told in recent years, family offices can be fazed by the choices they have to make, and which “experts” to follow.
To try and walk readers through some of the issues in play is John Manganiello, head of business development, RFA. The US-based organization is an IT, financial cloud and cyber-security services provider to the investment management sector.
At the onset of COVID-19, businesses were faced with the very real prospect of moving their entire workforce to a remote working environment, in a very short space of time. For many, this prospect was an entirely novel reality, with the majority of staff primarily based in offices before the pandemic. While successfully implemented by many, this move threw up a number of operational challenges and heightened cybersecurity risks that continue to persist today.
For family offices, in particular, this has been an historic change in the corporate environment. Despite modern technology allowing remote working to flourish, it is essential to carefully consider how the family members interact with each other, the office, and other critical parties. Taking a holistic view of the family office through the lens of cybersecurity, the primary concern is always about privacy and control of data and information.
Threats from all directions
Very few companies would ever have thought that they would need to move to a model where 100 per cent of their staff worked remotely. As a result, remote platforms were not designed or configured with licensing accordingly. So, in moving to a remote working environment, smaller companies, such as family offices, were not nearly as adept at making the change quickly, making them more susceptible to cyberattacks.
Increased remote work has resulted in hackers taking advantage of cybersecurity vulnerabilities caused by widespread telecommuting, increased pressure on IT teams, users bypassing standard cybersecurity practices, and remote administration of critical information. Increased phishing and malicious content are on the rise while malicious sites and business email compromise attempts linked to the pandemic are also increasing in prevalence. Many family offices do not have the proper email security and training protocols to prevent phishing and BEC scams. Once hackers get into your network, they can be there for weeks, even months, monitoring communications to access confidential information. This even extends to employees’ social media accounts, which hackers can hijack for use in social engineering schemes.
Data theft has also risen significantly, with hackers using data for extortion, disruptive or destructive ransomware attacks, a type of malware that threatens to publish a victim’s data, sell it to the dark web or perpetually block access to it unless a ransom is paid. Ransomware attacks increased over 25 per cent in the first quarter of 2020 alone, costing businesses, on average, $1.4 million to recover.
This highly conducive environment to cyber threats means that it is more pressing than ever to develop control structures and processes that create a protective stance and readiness to respond to threats of all shapes and sizes.
Remote working challenges:
There are several key challenges surrounding remote working, namely insufficient remote access solutions capacity, secure home networks and personal devices, extended corporate security controls to home offices, sharing data securely with third parties, and secure collaboration and communication.
In the family office space, something that has been front and
center during the pandemic is that the work culture has changed.
An office of 20 has suddenly transformed into 20 different
satellite offices, where individuals are no longer protected
behind the corporate controls and firewalls. Firms then need to
consider how everyone is accessing confidential information. Is
it through a corporate or personal device? If the latter, are
there any controls in place? When someone logs into their email
or accesses sensitive information from a cloud-based device like
SharePoint, Google Drive, or DropBox, problems can start to
arise. It’s essential from the outset that family offices
understand how the devices staff are using for remote working are
controlled and how the data is protected.
When addressing how to protect your family office from nefarious cyber activity, it is essential to note that while there are a number of very robust cybersecurity tools available today, there is no silver bullet. You need a thoughtful, layered approach addressing both the products you use and how you educate the end-users themselves.
Virtual Private Network (VPN) access should only be permitted on corporate devices. If employees must use personal devices, then it is essential that they are educated on best practices: ensuring devices have the latest operating systems and antivirus software installed, segregating home Wi-Fi networks, creating a separate network from guests, children and other personal devices, and avoiding working in public places or conducting business on public networks. Any external access in this way should be protected with multi-factor identification, which adds an extra layer of authentication outside of username and password. When communicating with individuals outside of the family office, such as critical third parties for CRM, accounting, portfolio management, or fund administration purposes, it is also worth considering implementing a secure mail solution, particularly when the information is sensitive or confidential.
To summarize, in the short term, it is important to conduct a cyber assessment:
1. Make and keep an inventory of all routers
and devices and sensitive data on them, including those used in
family members’ homes.
2. Maintain devices with updated antivirus and firewall software; keep software current and assess for vulnerability at least annually.
3. Use email encryption tools for any confidential messages and ask clients to validate any new account requests and similar activity.
4. Monitor (or use an external firm to monitor) all networks 24 hours a day looking for signs of an intrusion and shut them down if there is an attack.
5. Store backups offsite or in a secure cloud repository.
6. Conduct financial and criminal background checks on new staff and vendors and annually thereafter.
7. Create a cybersecurity policy that includes connected devices, passwords, multi-factor authentication, social media and payment authorization steps.
8. Identify and mitigate against 3rd party risk.
With proper configuration, cloud-based technology is a secure and modern way to work, and COVID-19 has certainly accelerated its adoption. Looking beyond the immediate dangers, though, with many family offices adopting new operating models, they should also look at their long-term strategy:
9. Implement institutional quality IT
infrastructure, cybersecurity solutions, and standardizations.
10. Continually educate all principals, families, and households.
11. Identify the scenarios that would impact you most, your risk tolerances, and your pain points.
12. Analyze the most likely scenarios and rate the risk level for each.
13. Customize a good controls framework to measure and mitigate risk to an acceptable level.
14. Explore, create, and most importantly test business continuity and incident response plans regularly.
15. Obtain a cyber-liability insurance policy.
16. Consider a Borderless Access Control solution (BDAC) for strict identity, verification, and inspection and monitoring of all your users.
A well thought out, long-term cybersecurity strategy is a must-have presently. This new remote way of working puts even more onus on educating the end-user on possible cyber threats. You can have the best tools, solutions, and processes available to you, but it will not be very meaningful if the end-users don’t understand how they are accessing your company’s data. Cybersecurity starts and ends with educating the user.