Cybersecurity: How Safe Is Your Family Office?

By Jorge Bolaños

Cybersecurity has never been more necessary for family offices. On May 9, EisnerAmper hosted the second of its Family Office Technology Solutions Series, “How Safe is Your Family Office?”

Panelists included:

• Varun Vig, director, EisnerAmper’s Personal Wealth Advisors Group
• Jerry Ravi, partner/national practice leader, EisnerAmper Digital
• Brandon Bowers, director, managed technology services, EisnerAmper Digital

The following themes were discussed:

Family Offices at High Risk for Data Breaches

Family offices are at high risk of targeted data breaches. According to a recent report from UBS, more than 22% of the family offices in North America have experienced a recent cyberattack. The panelists shared reasons, including family offices are using older technology, as well as potentially older processes and practices that are dated. They also felt that, often, family offices may not want to upgrade or bring on more vendors because they’re worried that they're taking on more risk. Yet, most family offices are run like businesses, which means they would need to endeavor to have the proper protections in place.

COVID-19 Impact

COVID-19 also impacted family office operations with firms operating remotely.  In January 2022, 59% of the global workforce was working from home. A study from Cynet showed that 47% of those remote users fell to cyberattacks. The panelists discussed reasons, including users were more distracted with kids running around, or maybe they were feeling more comfortable with less supervision and less security controls so they might access sites or install software they otherwise wouldn’t in an office setting.

Actions to Prevent Cyberattacks

By understanding attack vectors and vulnerabilities, family offices can take steps to protect themselves against cybercrime. The key is prevention, detection, and response. The best way to deal with a cyberattack is to prevent it from happening in the first place. This is done by layering in multiple levels of protection: providing security awareness training to employees, implementing an access control policy of least privilege necessary to perform the job, patching your computers, anti-spam filters, firewalls, and endpoint security. This is just the tip of the iceberg on what can be done to bring that “peace of mind” over cybersecurity to life.

If a threat manages to bypass all the prevention methods, it is important to have the ability to detect when it occurred. Some threats perform their attack as soon as the defenses are penetrated, such as ransomware or denial of service attacks. Others lie dormant in their system, listening to communications, collecting information, waiting for the perfect opportunity to get the best return on investment. The key is reducing the time to detect and responding as quickly as possible. Some of the tools discussed to help are endpoint detect and response systems (EDRs), threat hunting systems, security information and event management systems (SIEMs), or other similar tools.

How to Respond to Threats

Once a threat is detected, an appropriate and timely response is vital. It must be one that mitigates the most financial – and, often, reputational -- damage. The largest business costs due to cyberattacks are downtime (the time spent bringing systems back online rather than conducting business), bad PR, paying off a ransom, and the resulting loss from being scammed by someone impersonating executives and soliciting fraud via wire transfer. Having an incident response plan in place before an incident happens is the most critical piece to this. There is nothing more stressful than having to build this out or not knowing what to do next in the middle of such an incident.

By reducing the time to find a breach, whether it be a malicious attack, a system glitch, configuration error or just human error, you significantly save in terms of your overall costs. According to IBM, breaches that took longer than 200 days to identify cost an average of $4.8 million and organizations that had more than 50% of their workforce working remotely took 58 days longer to identify. The average savings for containing a breach in less than 200 days was about $1 million.

Incident Response Plan/ Business Continuity Plans are Key

The panelists finally discussed the importance of both an incident response plan and business continuity plan implemented and tested. They also stressed the importance of an AI-driven endpoint protection system, and training employees to reduce your attack surface and therefore the total cost of a breach.

The webcast can be viewed here.