Creating a culture of cybersecurity awareness, where employees understand the importance of their role in maintaining a secure environment, is crucial, argues the author of this article.
Family offices face privacy threats and attacks from cyber-hackers and other malevolent actors. And yet family offices aren’t always well equipped to confront these attacks. Ben Barrontine, vice president of executive services, 360 Privacy, writes about the topic and the strategies that family offices should employ.
The editors are pleased to share these views and invite responses. The usual editorial disclaimers apply. Email firstname.lastname@example.org
While every organization deals with the risk of being targeted by a cyber-attack, family offices face a unique set of challenges when it comes to cybersecurity. High net worth individuals face enhanced risks, both financially and reputationally. While executives may have safeguards surrounding them, family members and support staff are often left relatively exposed.
Understandably, the Royal Bank of Canada/Campden North America Family Office Report found that 61 per cent of respondents felt cybersecurity incidents and data breaches were a major concern. However, many family offices are still missing the mark in terms of cybersecurity best practices, according to a report from UBS, and 37 per cent of all family offices have experienced at least one attack. This denotes a worrisome gap between the risk level and the security level of these organizations.
Cybersecurity solutions have advanced significantly, driving threat actors to target the weakest link: the humans in the loop. Cybercriminals exploit the human element, using sophisticated tactics to craft convincing and personalized phishing attempts. Compounding the issue, the lack of in-home countermeasures and the inability of corporations to assume liability for devices in a work-from-home setting create a gap in cybersecurity defenses.
Cybersecurity training to combat these attacks has been around for some time, but the traditional methodologies have continually been shown to be ineffective. Equipping all members of a family office with sufficient training to deal with modern, advanced threats is key to properly securing the organization.
The problem with traditional training
Traditional cybersecurity training methods often fall short due to a lack of engagement, reliance on static content, and a generic one-size-fits-all approach. These methods may not effectively address the evolving nature of cyber threats, and their focus on compliance can overshadow the practical aspects of cybersecurity.
Additionally, traditional training often neglects the human factors and behaviors that play a crucial role in cybersecurity. Simulating real threats and providing continuous, context-specific and practical training is essential for creating a security-conscious culture.
Modern approaches should prioritize hands-on experience, real-world scenarios, and addressing the human aspects of cybersecurity to better prepare individuals and organizations to deal with evolving cyber threats.
Threat actors look for the path of least
As the attack surface expands, criminals are particularly targeting individuals operating in less secure environments. Employees with limited cybersecurity awareness or those in roles with high administrative access are often targeted due to their potential to provide valuable information or access. Executive assistants, who frequently handle confidential information, are noteworthy targets. Moreover, spouses of executives may be susceptible due to their proximity to sensitive details shared within the household.
The level of vulnerability is influenced by a combination of an individual's role, access privileges, cybersecurity awareness and the nature of the industry, emphasizing the need for tailored security measures across various roles and contexts.
All these factors are affected by the family dynamics found within these organizations, which can add to the complexity. The challenges of interpersonal relationships are magnified in this setting. The Roy family in the show Succession provides an example of just how complicated and sometimes emotional these work/family relationships can be. Family offices regularly manage both financial and personal matters, requiring them to carefully straddle the path between familial trust and professional security measures.
Finally, there’s the additional issue of interconnected roles. It’s possible for family members to wear multiple hats at the office, which makes it tricky to separate duties and enforce stringent access controls without affecting the family dynamics.
Family offices may have to address security concerns specific to their setting. For instance, they may be targeted for “cyber kidnapping” because they manage significant wealth and sensitive financial data. This tactic deceives family members into believing that another member is being held prisoner and can only be freed by paying a ransom. Campden Wealth reports that family offices hold about $2 billion in assets on average, which makes them prime targets for bad actors looking for ransom opportunities. Attackers are trying to exploit the low-hanging fruit of close family relationships, which they perceive as a vulnerability. In addition, there’s often a higher risk of insider threats, whether intentional or unintentional, due to the tight-knit nature of family offices.
With the expanding attack surface and individuals operating in less secure environments, there is also a need for third-party solutions to assume the burden of enhancing security measures in home-based setups. This underscores the necessity for a comprehensive approach that addresses both user vulnerabilities and the challenges posed by the remote work landscape, combining user education, advanced threat detection technologies, and third-party security solutions to effectively mitigate the risks associated with user-targeted attacks.
What it takes to create a meaningful education
Successful training comes down to two main concepts: early and often. Creating a culture of cybersecurity awareness, where employees understand the importance of their role in maintaining a secure environment, is crucial. Leadership should actively endorse and participate in these frequent training initiatives to set an example – and to ensure that they, too, are fully prepared for cybersecurity challenges.
Regular assessments and feedback loops will help to measure the effectiveness of training, allowing for continuous improvement. Use real-world scenarios and table-top exercises to bolster engagement of personnel. The shift in thinking towards dynamic, personalized, and frequent training is essential for building a resilient cybersecurity posture.
Securing the family office
Managers and executives in charge of family offices have their work cut out for them – and that’s before they must consider their cybersecurity stance. The financial and reputational risks to a family office are significant, both for their high net worth and for their unique challenges. Meshing family relationships with business can be tricky, and malicious actors lie in wait to attack wherever they perceive weakness.
That’s why cybersecurity training must happen early and often. Furthermore, it must take the special circumstances of family offices into account. Consistent, context-specific training is what will tip the scales in the family’s favor.