Cybersecurity: Is your family office practicing good digital hygiene?
This blog post was originally published on May 18, 2023 and updated on October 16, 2024.
Training staff on good habits is among the most effective ways to mitigate cyber risk
Family offices and their personnel are high-value targets for fraudsters. They face a wide range of sophisticated threats, including potential cyber attacks. The greatest cybersecurity risks, however, may come from within the family office itself.
Family office staff and family members can make mistakes with their devices and systems that lead to a security breach — and in some cases, those breaches may have catastrophic results. Fortunately, these mistakes can often be prevented by educating staff and family members on the importance of practicing good digital hygiene.
The term “digital hygiene” (aka “cyber hygiene”) has been around for approximately 25 years and refers to a set of widely recognized best practices that end users can adopt to improve their resilience to online threats. In the same way that people use good personal hygiene practices to maintain their own health, utilizing good digital hygiene can go a long way in safeguarding your data, protecting your assets and mitigating the wide-ranging, damaging effects of a major security breach.
Did you know 68% of data breaches involve the human element?*
Understanding the cybersecurity risk for family offices
In many cases, it’s not that family offices aren’t aware of cyber threats, but they may not be doing all they can to protect against them.
Cybersecurity and data privacy are among the most dominant concerns for organizations of all sectors today. In fact, 97% of companies surveyed by Cisco Systems plan to increase their cybersecurity spending in 2024, according to the 2024 Cisco Cybersecurity Readiness Index.
Among family offices specifically, 71% of those surveyed in The Evolving Risk Landscape for Family Offices 2024 Report by Dentons believe they are more likely to suffer a cyberattack now than they were a few years ago. Globally, 21% say they have suffered a cyberattack in the last 12 months, and less than half (49%) of respondents say they regularly update cyber policies to address rising risks.
There are many reasons for family offices to make cyber protection a priority. Family offices and high-net-worth individuals are among the highest value targets for cybercriminals because they typically hold and manage large amounts of assets. The individuals behind a family office may be in the public eye, which can draw unwanted attention from cybercriminals and other fraudsters. In addition, family members and family office employees may travel extensively, accessing financial records and other sensitive information from locations and unsecured areas where wireless communications and connections may be exposed and intercepted. As a result, their assets, communications and operations are especially vulnerable to cyber attacks.
With this high vulnerability, many family offices know it is critical to properly secure their sensitive data, systems and financial accounts. They may have invested in security technologies to protect their networks. And many have adopted policies and procedures that help them operate efficiently and mitigate risk.
However, despite these precautions, some of these organizations may suffer a major breach this year. And that breach will most likely result from a mistake made by someone connected to the organization.
According to the 2024 Verizon Data Breach Investigations Report, 68% of data breaches involve the human element. Security breaches can result from internal personnel who unintentionally do something they shouldn’t do, such as clicking a suspicious link in an e-mail, opening a malicious e-mail attachment, using weak passwords, losing portable devices with confidential data or being tricked into giving up their credentials through phishing and other types of social-engineering attacks. Because of this, educating staff on the importance of using good digital hygiene should be a key component of the cybersecurity program for any family office.
Improve digital hygiene to mitigate cyber risk
But what is good digital hygiene anyway? As cyber threats increase, many family offices are starting to invest more in securing their data, accounts and systems. But smaller and newer family office organizations won’t have the same resources as the larger, longer established and more mature family offices. This makes them easier targets for cybercriminals.
Fortunately, employees – and even family members – can be trained to practice good digital hygiene, which can help to make your organization more resilient in the face of cyber threats. And if you don’t have the resources in-house, consider engaging a qualified cybersecurity professional to assist.
First, access to the data itself needs to be restricted in various ways, including:
- Only authorized users should have access to family office computers and networks. Family office user devices and systems should be configured to avoid shared connections from other users and to confirm that the various apps on mobile devices are locked down to prevent access to an employee’s personal information.
- Sensitive information should be encrypted when it is collected, stored and transmitted. Data encryption means that the information is translated into a code that only those with a password can access and read. Sensitive and important data should also be properly backed up.
- Using multifactor authentication is another useful protective measure and should be implemented when possible. This essentially means that employees must provide two or more levels of credentials when accessing an account, such as a password followed by a fingerprint or a pass card.
- Computers and other devices can be set up to automatically lock out users when left inactive for a certain period of time.
Second, family offices should implement policies, procedures and training to mitigate cybersecurity risk related to employees, such as:
- Require employees to use strong and unique passwords, as well as anti-virus software that updates automatically.
- Train employees to be skeptical of all e-mails, text messages and attachments. They should verify the source prior to clicking on links and attachments.
Third, employees and family members should be careful when accessing family office systems and data while traveling or working remotely, including:
- Family offices should encourage staff and family members to avoid using unknown public WiFi connections.
- Stick to wireless networks protected by a service set identifier (SSID) and, preferably, a virtual private network (VPN) connection.
- Download mobile apps only from reputable sources, such as Apple or Amazon. If you’re unsure about the authenticity of an app, research it thoroughly before downloading it. Unused apps should also be deleted.
- Avoid using free charging stations in airports, hotels or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices. To be safe, carry your own charger and USB cord and use an electrical outlet instead of a charging station whenever possible.
Be ready to respond to cyber attacks
So what if a cybersecurity threat is discovered at your family office? While employees can increase cybersecurity risk, if they are well trained, they can be an asset in helping to protect the organization. Employees of a family office should be told to speak up and seek immediate help from internal IT personnel if they make a mistake or think the security of the organization’s data or systems may have been compromised in some way.
It’s also critical for family offices and other vulnerable organizations to have a robust incident response plan in place so they can move quickly to minimize damage in the event of a cyber attack. In addition to improving digital hygiene, having a solid process for evaluating potential threats and defending against them can help your organization mitigate cyber risk. This involves comprehensive planning for incident response, business continuity and recovery. A qualified cybersecurity consultant can help your organization assess cyber risk, put the proper plans in place, and align all internal documentation required for response, continuity and recovery plans.
Think about how much data, financial records and other sensitive information could be accessed through a single computer system, then consider the potential financial impact that a data breach could have at your family office. Several recently reported breaches have involved the theft of many millions of dollars, which is why a major cybersecurity compromise or data breach can be fairly likened to a pandemic.
Preventing a major data breach is not unlike stopping the spread of a disease, and it’s especially important for family offices and high-net-worth individuals, who may be more vulnerable and less prepared to address cybersecurity risks. Practicing good digital hygiene by implementing the steps outlined above and working with an experienced cybersecurity professional can go a long way in helping to lower the risk of some of the most common cyber-borne threats facing family offices today.
Contact Kaufman Rossin’s Cybersecurity and Data Privacy team or Family Office Services team to learn more about mitigating cyber risk at your family office.
*Source: 2024 Verizon Data Breach Investigations Report
Jeffrey Bernstein is a Risk Advisory Services Director of Cybersecurity and Data Privacy at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.
Todd Kesterson, CPA, is a Family Office Services Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.