On-Demand: Family Office Technology Solutions Series | Cybersecurity: How Safe Is Your Family Office?

May 09, 2022

Part II of this series, we dive into cybersecurity and how to mitigate the risk that a security breach could cause.


Transcript

Varun Vig: Good morning, and good afternoon, everyone, wherever you are based, and welcome to the webinar; Cybersecurity: How Safe is Your Family Office?

By way of introduction, I'm Varun Vig, and I will be the moderator for the session. I'm with the personal wealth advisors group at EisnerAmper. Within the personal wealth advisors group, we focus on ultra-high net worth individuals and families; advising them on income tax, charitable gift tax, trust and estate planning. Across the personal wealth advisors verticals, we serve business owners, corporate executives, private equity, and hedge fund owners, including the associated family offices.

As far as my background is concerned, before Eisner, I spent approximately 15 years of my career at big four firms, and then I was an in-house head of tax at a leading private equity firm in Connecticut. As far as our family office practice at Eisner is concerned, we have a robust family office group with over 50 dedicated professionals. We are a trusted advisor and serve over 350 family offices, ranging anywhere from 50 million to 2.5 billion in assets. We provide customized technology solutions that are flexible to meet current needs and evolve as your need changes. We help create transformation roadmaps around people, processes, and technology; aligning with family offices, strategic goals, and objectives. We also provide technology solutions that provide transparency and better data management and data driven positions for you and your family offices.

I will let Jerry and Brandon introduce themselves here.

Jerry Ravi: Thank you, Varun. Welcome everyone. Hope everybody's having a great Monday, and hope you had a great weekend. All the mothers out there, happy belated Mother's Day once again.

It's great to be here and thank you all for taking the time out of your day to listen to this webinar today. My name is Jerry Ravi, I'm a partner here at EisnerAmper. I run a group, a service line called EisnerAmper Digital. Brandon is also part of that group, and he'll talk a little bit about his background.

But ultimately, my role, I've sat in roles; finance accounting, internal controls, technology across the board. So, EisnerAmper Digital really looks at both risk advisory, technology risk advisory, automation, how do you do more with less? How do you bring those technology tools, like Varun even mentioned data, how do you use your data the best you can, bring tools and technology with that and processes and controls, as well as even manage technology services?

So, the overall mantra that I always talk about with family office clients and my clients overall is peace of mind over what's next. So, what's next? Do we need to mitigate cybersecurity? Do we need to bring in new technology? All of the above? And it's people, process, and technology. So, we help navigate, transform, secure, and maintain.

So, we'd like to talk about that today, and that's my role today is to think about it more from the risk advisor, and I know Brandon's going to talk about it more from a technology standpoint. But risk mitigation can cover technology. And what I want you to think about in this conversation today is, risk doesn't necessarily mean that it has to be a downside. There are also upsides to mitigating risk. So, there's the element of the risk and the opportunity, and we'll talk about that as we move along. Brandon?

Brandon Bowers: Sure, sure. Varun, man, it happens to the best of us. I was actually at a conference recently and they were giving out shirts. It says, "Are you on mute?" And so, I try to wear that on the occasional webinar just as a little bit of comedy relief, but... So, my name is Brandon Bowers. I'm the director of managed technology services for EA Digital. I like to say that we help organizations be more protected, productive, and profitable by leveraging technology. We provide a myriad of services from technology support, security assessments, compliance assistance, anything and everything, IT and cybersecurity.

And really, I'm here to share from the viewpoint of a technology professional. Basically, I'm the IT guy here. My background is 20 plus years in the IT field, mix of small businesses to the enterprise. Today in the group, we work with businesses as few as a couple people to thousands, individuals of all sorts of compliance requirements to no compliance requirements.

Varun, I'll leave it to you for the opening remarks.

Varun Vig: And I was in mute again. Thanks, thanks Brandon. So, I'll walk you guys through the course introduction. The Family Office, as we all know, the community has rapidly transformed. While the industry metrics are limited, we know the community is growing in size and influence. Across the landscape, family offices differ substantially based on their purpose, based on their investment policy, as well as the infrastructure, which is more what we're going to talk about at today's webinar.

One thing we know is that family offices tend to operate like businesses, and any business is under cybersecurity threats these days. The family offices, as we all know, also deal with a lot of personal information, whether it's tax related information or otherwise, which is why they are at a higher risk of cyber attacks compared... and recent statistics show that family offices are at higher risk of targeted data breaches.

The risk could also be reputational risk. A lot of our clients in the family office space are in the ultra high net worth individuals with political or other social connections. The risk could be financial risk, could be wire fraud. As simple as that, somebody trying to take money out of your bank account.

Accordingly, this course will be very useful to help you navigate through the why and the what of cyber attacks, and also discuss ways to mitigate these cyber attacks and beef up your organizational cybersecurity plans. We will start with overview, trends, and cybersecurity landscape. We will then discuss actions for good governance, vigilance, and exposures. And lastly, as part of mitigation, we will discuss steps to protect your family offices.

If you have any questions, please send them along the way and we will try to take them either during or towards the end of the webinar. This brings us to our polling question one. Bella?

Bella Brickle: Poll #1

Varun Vig: And while we're doing this poll, I wanted to bring a recent statistic showing how family offices are at increasing higher risk of data breaches, which I mentioned earlier. According to a recent UPS global family office report, more than 22% of the family offices in North America experienced a recent cyber attack. So, just wanted to give you some perspective. I don't want to influence the outcome of this poll, but I just want to let you guys know.

Varun Vig: I think brings back to what I said earlier is majority of the people chose cybersecurity, which as we expected. So, that's good. A lot of people felt innovation and digital transformation, I guess, is part of it as well.

Jerry Ravi: And I'll jump in here, Varun. So, there's a reason why you said you're not going to influence. Unfortunately, we'll probably be influencing some folks today. And we try not, even with the cyber discussion, try not to use the scare tactic; although we're going to go through some cost of breaches obviously how that actually hits your financials, why you really need to be worried about it. And again, think about the risks and the opportunities. It's all great information, Varun.

And this is where Brandon and I will tag team on the wrist side, as well as the technology side; the what, the why, and how as Varun moderates. And please, bring your questions up. We'd love to hear from you. That makes it more fluid. And Brandon, I used to have a t-shirt that actually said, "I'm not the IT guy," because I was the risk guy originally, but that's a good one. I have to get one that actually says, "Take you off mute."

But a lot has happened, right? So, we're going to talk a little bit about that. I'll bring up what cybersecurity is today, right? This is just a definition, but a lot of times we have to understand what. What are we really getting after? So, cybersecurity is the body of technology that we use, right, inside processes and practices designed to protect networks, computers, programs, data, which is very important, from attack damage or unauthorized access, right? They revolve around goals and challenges.

So, we have these goals and challenges and we have to balance it, right? How much risk can we mitigate? And that actually can be a financial discussion. So confidentiality, how important is that? Integrity, availability? And obviously the challenges can be safety, functionality, usability. We often have clients, family offices that actually want to be in the cloud, right? They want to bring new technology to the table, but they don't understand really what risk approach to take, or risk based approach to take. So, I think a lot of this helps us frame it out.

So, when we put the goals together, what's really important? We could prioritize it, and we could talk about the challenges. So, we could actually make sure that our processes are as effective as they can be, and efficient. And that's what we find. A lot of family offices are using older technology, potentially older processes and practices that are dated and don't want to upgrade because they may be worried that they're taking on more risk. Bringing in vendors for instance, and we'll talk about that a little bit, how you deal with it. And clearly COVID has had an impact, right? And some good, some we need to be thinking about from a risk standpoint and we'll talk about that as well. It's all very important.

So, where are the trends and the threats? Today, we have numerous areas that we need to be thinking about, right? So, we'll talk a little bit about ransomware. That's the most frequent threat that you have, and what is it, right? We'll talk a little bit about how you can mitigate that as well. Phishing emails are at the top. They're still the preferred method of a hacker. So if you want to keep the bad actors out, you have to make sure that you're continually looking at your phishing emails or how phishing attacks are happening inside your family office.

The cost of being offline as a result of an attack is increasingly growing. We'll talk a little bit about what that cost looks like. It's increasing almost tenfold over the last few years. And even giving COVID, this fourth bullet, COVID has created a bigger impact. Some things to think about. So you want to have flexibility, a hybrid work environment. What do we need to be doing to make sure that we have proper practices, controls, good governance, and that we're good stewards, even at home? And following that proper good governance measure, right? Can we manage, measure, and monitor what's happening? Do you have a good risk program, and are you thinking about those risks? Those are all very, very important as we lead into putting together the how.

Brandon?

Brandon Bowers: Yeah. I mean, over the course of the last couple years, COVID has really presented businesses with many new challenges to where they've had to adapt. And honestly, it's interesting from that poll in terms of innovation, because one of the main byproducts has really been the acceleration of digital transformation.

If we look back at some slightly older stats, but going to August of 2020, 50% of the global workforce was working from home, which was already a 114% increase from the prior year, and then that number jumped further to 59% in January 2022. And what's amazing about that is that technology, innovation, ingenuity really drove this capability, and businesses that never thought that they could actually run as a remote workforce all of a sudden had to figure it out overnight. It was either you do that, or you're out of business basically.

But we're here to talk about security, right? So, the Cynet study showed that 47% fall to phishing while working from home, which I'm betting from the point where the Cynet study happened and now which it's been about a year, that that number has probably increased. And it makes you really think to wonder why. Why is it when people are working from home and not in the office, that people are clicking more?

When you start to think about it, your guard is sometimes down. You're at home, you're more comfortable, you might have kids in the other room or running in chatting with you. It happens to me. I feel like in every sales call I'm on my daughter just happens to run in and scream, "Daddy." There's less supervision there, right? Less security controls.

I like to use the analogy of a moat. So from a security standpoint, we like to think of things that the business and the local network, you got to moat around that, what you call land. You got a firewall at the top where the internet comes in, and that's your security gateway for everything coming in and out.

So, you build all of those protections and controls around your office. But then as soon as everybody is now working from home, you're extending that moat all the way to their home office, to the Starbucks, to the library, to the public Wi-Fi of wherever they're connecting; to which you don't know the hygiene of those networks, and you're losing a lot of security control by allowing this.

Furthermore, so over 500,000 people were impacted from targeted video conferencing breaches over the last few years, and why this is really interesting and it goes back to, where is everybody doing business today? We're on a webinar right now. I would bet that the majority of conference calls that you're on are no longer in the boardroom. They're on a Teams meeting, WebEx, GoToMeeting, whatever it is and it's really just the new norm of where business is being conducted today.

And the end goal for most attackers is espionage, cyber warfare. They're trying to get information, get intelligence to where they can make money, and where is it being done today? It's not in the boardroom. And even if it is in the boardroom, I bet half of the board members are remote via Teams or WebEx or one of these platforms.

And so, what we'll see a little bit later is that there's really just a significant cost to the work from home strategy that people need to think about, especially as it pertains to data breaches. And we're at our next poll.

Bella Brickle: Poll #2

Varun Vig: Yeah. And while everyone is submitting the answer, I'd like to share a family office story of mine regarding a wire fraud that happened. Essentially in a family office, there was two employees in this family office I'm talking about. They had normal processes in place. One, for an approval, the senior manager had to approve the wire transfer request, and everybody's booking remotely these days. So, what happened is the junior person received a wire transfer request and sent it to the senior person and then received an email. It wasn't a reply to the email, but received an email from the senior person. Actually, the name just said the name of the person, but within it was another email ID, essentially approving the via transfer request. And the junior person in this question approved the request and resulted in about... I think it was $180,000 of money that was transferred to an account that shouldn't have. So, just wanted to give some of the ways that the cyber criminals are attacking these family offices.

Varun Vig: And this does not agree to what I thought would be the...

Jerry Ravi: Ultimately, Varun, I think the data is definitely key of what you have, but there's a lot of different factors. This is a fun one, as you can tell. But obviously, looking at how the data's going to be going into the cost of things, and I'll talk a little bit about that. Brandon and I will take you through a few areas just to think about in terms of cost and where we are. Thank you for taking that poll.

Brandon Bowers: Hey, Jerry, really quick. We got a question in about the video conferencing breaches and where they're happening. Do we want to push the questions to the end based on timing, or do we want to take spots to stop and discuss?

Jerry Ravi: We could take it if you want. You want to take this one, Brendon?

Brandon Bowers: Sure, just because we were just highlighting on it. And what I'll mention just very quick and to the point, a lot of these tools, Zoom, Teams; there's safe ways that you can use those tools. The biggest thing is ensuring that you've got passcodes entered. So, as part of one of the Zoom breaches that happen a couple years ago, it was a configuration issue, and we're going to see as we go into some of the stats a little bit later on that a very big cost in data breaches is just due to misconfiguration or misuse of software that is seemingly safe. So, my answer there is just make sure that you've got a technology professional helping you with the configuration and roll out of those systems.

Jerry Ravi: That's a great point, Brandon. I think ultimately when you're bringing technology in, whether it's even looking at mobile devices and apps, it's just having an understanding of where the risk may be. And that's something I think that if you have that professional where you're looking at it from a risk lens, you could talk through, "What areas do I need to make sure I button up?" So, that's an assessment you can even do along the way. So, obviously video conferencing being that's important, and it's been more important the last two and a half years than it ever has been the previous 10; that's a really key area to focus on.

Because that's usability. When we talked about the goals and challenges, we're talking about functionality, usability challenges are there, and how do we want to address those? And clearly you could see from the cost of cyber crime just increasing every year, this is the data that came from McAfee and some others; I think it says 50%, I feel like it's even more than that. We see it increasing at least 50%. I think it's 10 times what it was, because this only takes into consideration key areas where they're paying out ransom, some incident response costs. Lost opportunities, I feel like there's more lost opportunities that come into these costs that are actually in here. You don't really know what that lag is, so... And this is by the way, $1 trillion, right? Not billion. We used to say it in terms of the B, and now it's the T and it's going to keep going up.

Even more lost opportunities related to PR, right? So, that's another key factor is, how do you actually measure that? And then compliance and breach funds. So, things of that nature that are coming in. This is an amazing statistic, and I think we need to focus on, what is our cost? We can talk about how to look at that from a financial perspective. A lot of insurers obviously are looking at it. Cyber insurance is increasing, and there's a reason why, because this number keeps going up. We have to look at our posture to be able to understand; how are we actually going to mitigate it? What is our risk of loss, financial loss? So, it's really key to talk about this.

And Brandon, you want to go through the next slide?

Brandon Bowers: Yeah. So, I want to first just classify what a breach potentially means. It could be a malicious attack. It could just be a system glitch. It could be a configuration error or just human error, and the key to pull or grab from what's on the slide right now is that these numbers are going up. So, that trillion dollars, that's absolutely insane, and everything is just continuing to increase. And the amounts are only going to go up, especially as we continue this work from home environment, more and more people working from home, expanding that moat.

My question is, what does everybody believe the biggest contributor to data breach cost is? Think about that for a second. As I started going through this recent IBM report; number one, lost business costs is the biggest contributor. So, what Jerry was alluding to; bad PR, all that hurts, right? Bad PR, lost revenue opportunity because of that. Downtime, last time, having people down.

I want to go through some stats. I don't like to read too often, but I feel like some of these are useful, and it was difficult to remember them all. But the time to identify a breach is up from 280 to 287 days, which is already quite a significant amount of time. If you think about that, imagine having somebody in your home, living with you for almost a year, and you not even realizing that they're there. That's basically the situation. They're looking through your data, they have access to your emails or whatever it is that they got into, and they're able to just sit around and "Hey, where do I go from here? What can I do to leverage and make the most money from you in some way?" Because that's really what the goal is at this point.

Breaches that took longer than 200 days to identify costs an average of 4.8 million versus 3.6. So, just by reducing the time to find that breach, you significantly save in terms of your overall costs. And organizations that had more than 50% of their workforce working remotely took 58 days longer to identify. Again, this goes back to the moat scenario. You've got people working all over, you don't have the same security controls in place, theoretically, depending on who's setting up these systems. And so now, it becomes incredibly more difficult to figure out, "Well, do we actually have an incident right now?

The average savings for containing a breach in less than 200 days was about $1 million, and we're going to talk a little bit more about that and how you can reduce that timeframe as we start talking about incident response in the future.

Running through just a little bit of a rapid fire. So, average cost per record is up. It's now, I think it was $150 per record before, it's now at $161. Highest country average is the US. Highest industry cost is healthcare with financial being next. And the key takeaway there is, where is the data? PII is personal identifiable information; so security numbers, information like that which can be used and sold on the dark web, which we'll talk about a little bit more, is very valuable.

Initial attack vector. So in 2021, the most frequent initial attack vector was compromised credentials. So, LinkedIn has a breach, Facebook has a breach, wherever that is. That information gets sold, that's the most common way that somebody is getting in. And why is that the case? It's because typically somebody's going to use the same password for 10 to 15 of their accounts, on average. Number two, phishing. So, 17% of the initial attack vector is phishing. Number three, which is 15%, is cloud misconfigurations. So, you've got a system in place, it was just not configured properly.

What was a really interesting stat though, although it wasn't the largest, so it was only 4% of all breaches, but it actually had the highest average cost was business email compromise at $5.01 million. The second most costliest attack vector was phishing. So, phishing and business email compromise being similar, we're going to go into that a little bit further through the slides.

Varun Vig: And Brandon, one thing I want to bring up here is with regard to the PII, the personal identifiable information. On the tax side of things, right, on family offices; we've seen an increase in the number of returns that have been already filed. So, we get the information from the client, we prepare the returns, we're ready to file; and what we learn is the return's already been filed by somebody else. In a lot of instances, obviously, the IRS has caught it at their end so it's not resulted in necessarily loss of either refunds going to the wrong place or misfiling, but it's created an extra level of filing procedure. It's all added to the cost, I guess, of the cyber attacks.

Brandon Bowers: And unfortunately, the dark web has really allowed this to expand because over time what's happening is personas are being created on each and every person. And every time there's a new breach, they get a little bit more information that they're able to add to that persona, and then your information now just all of a sudden becomes much more valuable to whoever wants to file that tax return, because now there's... I'll say a more surefire way that they're going to be able to get some ROI back on the data that they're purchasing.

Varun Vig: Absolutely.

Brandon Bowers: Okay. So, a little bit more in terms of stats. So, the FBI has a group called the Internet Crime Complaint Center, referenced as IC3. And the IC3 basically is providing a means for people to report professionals, individuals, any type of internet facilitated criminal activity. And what they do with that data is they analyze it and they disseminate it for investigations. That may be for law enforcement. They actually go to security professionals. Some of it is just actually education for public awareness, letting people know what's going on.

And every single year they provide an annual report of their findings. And I'm not going to harp over this too long, but what I like to just illustrate is if we look at pre-COVID, so if we look at 2019 and we jump down to 2021; the total number of incidents increased by almost 400,000. Went from 467 to 847. It was 380,000. So, pretty substantial. And then the total number of losses at $6.9 billion. I mean, that's a substantial number.

Top three crimes by victims in 2021 were phishing scams, non-payment, non-delivery scams, and third, which is actually new to third place, personal data breaches. And this is just because every single day you're looking at the news, there's a new breach going on, it seems like. And again, going back to that data is then being allocated into some persona based on your information, and then they're able to use that information to target an attack.

Victims lost the most amount of money. So, this goes back to the other reports based on business email compromise scams. So out of that, what is it, 6.9 billion? 2.4 billion was just business email compromise. Ransomware doesn't even make it to the top 10 on this list, which is interesting, but they don't calculate losses in terms of lost business, lost sales, bad PR, things of that nature. So, this is just direct costs immediately when an incident occurs.

And then 2021 saw a real continuation of exploits or exploiting COVID-19. So, more and more people still are working from home. Where are they doing business? I was reading an article on the report which was interesting. I haven't personally seen this at this point, but what fraudsters are doing is... So, they get in through some business email compromise or phishing scheme, and let's say they get access to the controller's email box. What they'll do is they'll send out an invite for some meeting based on a good time for this to happen, because maybe there's a pending deal closed.

So, how I've seen wire transfer fraud is typically they'll create some rules, hide some emails, and then they'll just ask last minute, "Hey, can you perform this transfer?" Now what they're trying to do is, they set up a meeting, and imagine you join the call, but the controllers there who. But because you're working from home, you don't just walk over and see the person. So, he joins the call, but he's not on video for some reason, it's just a picture of him. And using some of this newer AI technology, they're speaking. They sound like him and are using similar mannerisms. I thought that was insane.

And what they're doing is they're saying, "Hey, this deal's closing," they'll finish some conversation based on a recent email going on. And then they'll say, "Oh yeah, finish the transfer. Here's the information." Who's going to think that wasn't real? I mean, it sounds like him. I saw a picture. I felt like that was crazy when I was reading about that. We're going into a different time.

We're going to get a little bit more into prevention soon. So, I'm going to kick it over to Jerry for the next slide now.

Jerry Ravi: Thanks, Brandon. Yeah, it is quite amazing. I mean, there's an evolution of all of this, right? So, the evolution of cyber, the evolution of the internet as well, right? So, let's think about that. You had the surface web, or you have the surface web, which is everything that we can search all the search engines, this Web 2.0, if you will, which is what we're in now, the social web. And then you have the deep web, which you're going to have those elements of where we're logging in, our banks, subscriptions, whatever it is. And then you have the dark web, right? But then we have to take that and decide and try to figure out what's happening, right?

I received the call last week from a random number, thought I'd recognized the number, and literally just answered. The person asked me, "Are you Jerry Ravi?" I said, "Yes." By the time I got to, "Who is this?" They hung up. Wasn't sure what that was all about, where that came from. I get those calls fairly often, but that was the first that I got it where they actually asked my name, potentially even recorded it, but who knows what they're going to do with it. So again, be vigilant.

And as Brandon even said about where we're heading with those that have been hacked before, whether it be LinkedIn or any of these social platforms, we have to understand that there's an evolution to that too. Our information may be out there. Are you doing an analysis on the dark web? Do you know if your information's out there for these threat groups to potentially look at your information? Again, your credentials?

So, we know, most of us probably already know the who. And again, we'll get into prevention here real soon, but ultimately you have to look at insider threats as well. That's a key one, there's many examples of insider threats. So, we have to make sure we're looking at the weakest links and understanding and how we're monitoring that and managing that and to improve it.

And IoT, the internet of things is really key too, right? We have more devices on our networks now. I think at my house, I must have at least 30. Light bulbs from the Alexa, to the thermostat, to the laptops, everything.

Brandon Bowers: Refrigerator.

Jerry Ravi: Refrigerator, your washing machine potentially as well. That's the evolution. Just wanted to make sure that we're aware that. We continue to evolve. It's not new. It's not a surprise to anyone, but we do evolve.

So, who is under attack, right? Often over the years, and I've been working with family offices for at least 15 years, and some of you I know are on this webinar, and ultimately the ask was, "Are we really under attack? I thought it was the banks." I said, "Well, that's no longer a case." So, who's under attack; it's all of us, right? Our families, we need to protect them. Just like Brandon said, if you have someone living in your home. That's a great example, Brandon, because ultimately we want to protect our four walls, and we want to be able to go outside. We want to be able to do things, but we have to be more vigilant. So, it is all of us. It's not just that you're a smaller family office or a family office, it's important to understand the why.

And here's what I would say is the why, right? So, we have a couple key areas we want to focus on. You're particularly vulnerable as a family office because you're a target. You're an ideal target. You manage almost 50% of the high net worth in this not just the world, but certainly in the United States. You often handle the personal affairs of your families, right? You're working for the family, you are the family. You're looking at making sure that you're taking care of lots of different things. You have a smaller staff who have access to a lot of this information who may not have the depth and breadth of training that you would expect, and you don't need a lot, but we're going to talk about that in terms of prevention. You probably hear a lot about it as well. And just lack of strong cybersecurity defenses.

So, there's some information that you could look at and you can use professionals to help you decide where you go. So ultimately, we found that family offices typically under invest, and we want to make sure we address that.

Brandon Bowers: I want to add to that, Jerry, because with the number of family offices that we work with in MTS, I just notice there's a big mindset change that needs to happen to where they're thinking about this more like a business than just individuals and everybody is on their own, siloed. Because in most that we've worked with, when we come in and do an assessment, every single member of the family has a completely different platform they're using to share data, to store their passwords, how they're sending emails, how they're encrypting things. And that lack of security controls all of a sudden opens up a lot of different gaps in terms of risk, at the end of the day.

Varun Vig: And as we said earlier, right, the number 03 here in terms of the personal financial stuff, right? I think the family offices deal with, yeah, social security numbers, personal information, and I think that's what's easy wins for the cyber criminals, right? That's what I feel.

Jerry Ravi: For sure. And I know we want to get to prevention. If those of you that are on, if we want to go a couple minutes more, we potentially can. I know there's a lot here. Varun, do you want to take this next poll?

Varun Vig: Yeah, let's go to the next polling question. Bella?

Bella Brickle: Poll #3

Varun Vig: And if you check "I don't know," Jerry and I will speak on that.

Jerry Ravi: Very interesting. Yeah.

Varun Vig: Yeah. A third each way.

Jerry Ravi: Yeah. So, we'll talk about if you’ve been through it before.

Varun Vig: Do you want to talk about...

Jerry Ravi: Yeah, we'll talk about response. So, if you've been through it before, you probably have lessons learned for sure. There always will be. You haven't been a hit yet. So, there's some things you could do to prepare obviously and understand. And if you don't know, then ultimately there's another element of, it could have already happened, right? We need to think about it that way.

So as Brandon said, there's the attack vectors that are put out there. They could be sitting there and just watching. So, that's a monitoring technique that we could potentially deploy as a prevention measure.

So, I don't want to spend a lot of time going through the what of ransomware, but it obviously still is key. I want you to focus on one particular statistic here that, the bottom one. Your business is hit with ransomware every 13 seconds. 13 seconds. So, it's up quite a bit. We've talked about stats, so I'm not going to go through all of these stats including costs, but 91% of the attacks are launch from phishing attacks.

So, if you think about this information, there's ways to put prevention in place to address a lot of it. And I'm going to have Brandon talk a little bit about, I know he wants talk a little bit about email compromise, and then just having a little bit of background on that and then we'll go right into prevention and measures you could take. So Brandon, you want to take it from here?

Brandon Bowers: Yep, yep. So, not to harp on this much longer, but number of malware attacks, pretty significant in terms of how many are happening. So about 154,000 per day, two attacks every second. And if you think about that, to put things into perspective, you just can't have a simple firewall and antivirus anymore and think that you're protected. With these number of attacks, just having a firewall and antivirus is like trying to stop a tank with a squirt gun. They're just going to roll you over.

And in addition to going back to the moat concept, what and where are you protecting your information and how are you doing that? Because it's now ever expanding. So, why I like to reference the slide a little bit and to think a little bit more about cybersecurity in terms of a layered approach. Most typically when we come in, we start asking questions they're like, "Yeah, we got a firewall and we got antivirus," and that's usually where it ends. And you need to think of it in, how many layers can you have in place? So just like you have an onion, you peel one layer, there's another one sitting there. You peel another layer, there's another one. And you want to make attackers have to jump through as many hoops as humanly possible to be able to try and get to the center, which is your data.

We'll jump into email compromise here, and then we'll talk about prevention next. So, it doesn't look like... The slide I'm showing, I don't think updated with the cross, because it looks different on my screen for some reason. Oh, there we go.

So, I did make this a few years ago, there was a newer stat that came out in 2019. It still hasn't been updated since 2019, which it's going to be even more than this. But based on the FBI report, the number's jumped to 26 billion. So, it just over doubled, and I can only imagine that it's gone up even further since then.

And unlike traditional phishing scams, which a phishing email is just, "Hey, they're sending you an email with a link. They're trying to get your password or trying to get you to do something," most business email compromise, what's happening is they're sending emails that they've already got access to that mailbox, or they're just spoofing and making it look like they're sending it as that person. We're going to get to a few red flags. So, I don't want to spend too much more time here.

But last thing I wanted to mention was that in 2021, that IC3 report, they received about 19,000 business email compromise complaints with adjusted losses of about 2.4 billion. So this goes back to... Although it was only approximately 4% of the number of complaints, it's the biggest value target here.

And the good thing just to be aware of is the FBI, and... I can't remember the name. The short is RAT, and I'm trying to remember what it stands for, but the FBI has this group under IC3 known as RAT. They've actually had over the course of the last couple years an 82% success rate in freezing funds when people notify quickly enough. The issue that we see happening is a lot of times people don't want to notify because they're afraid of what those repercussions may be, and so they just don't say anything and they sit on it.

So, let me jump over to good email hygiene. So, I thought this was fairly relevant based on COVID right now and the CDC's recommendations that you take at least 20 seconds to wash your hands to avoid germs. So, our recommendation is do the same thing with your email. Take 20 seconds to review over that email before you click reply or do anything. Look over the display name, mouse over the email. Is it the actual email that's there, or did they just falsify what the display name is? Do the mannerisms or grammar seem the same as the person who you're typically speaking to? A lot of times, this is actually getting harder and harder to determine, especially if there's true business email compromise, because they may sit and wait for a while before they actually start to try and do something, but this is another key factor.

The other thing is attachments. So, if your organization uses OneDrive and you get a Dropbox link from somebody within the group, well, that should be a red flag. And then the other biggest thing to think about is if they're pushing some sense of urgency. "Hey, I need this done within the next hour." "Hey, wire this right away." "Hey, send me gift cards."

iTunes gift cards, for whatever reason, seem to be a thing that's going on right now. "Hey, send me iTunes gift cards. I need this within the next 30 minutes." Whenever you see something like that, pushing some sense of urgency; best thing you can do is stop and think about it for just a second. Pick up the phone and call the person. Best thing you can do. Call the person.

Don't call the number in the email. Just like you hear people with credit card fraud, they say, "Don't take the call." If they call you and say there's some fraud, hang up, call the number on the back of your card. Same thing here. Go to your contact list on your cell phone, make a phone call to that person and validate that what they sent or asking for is actually correct. Best thing you can do.

And with that, I think we are onto our next polling question. Sorry, I went quick because I know we're running out time. So just...

Varun Vig: Bella, you want to go with this?

Bella Brickle: Poll #4

Varun Vig: Jerry and Brandon, while we wait for the polls, what are your thoughts on some of the children or even adults in the family office members traveling internationally, and what they could be potentially exposed to and how should they mitigate that risk?

Jerry Ravi: Yeah. That's a great question, Varun. I hear it more often than not.

Brandon Bowers: A loaded question.

Jerry Ravi: Yeah. Yeah. It's loaded, but there are things that we can do, right? So, we'll talk about a lot of the areas that we want to focus on, but ultimately you have to consider where they're traveling to obviously. Some areas going to be heightened risk, and ultimately, what are they doing with their information? What do they carry on them, et cetera? It's not just about them being physically safe, it's also about them being safe on how they're using their mobile devices, information that they collect, et cetera. So, there are different things that you could use and new tools to make sure you lock that down, including what you see on here; training the family. It's that important, right? I'm glad 69% selected that, and also mobile device management and multifactor, all those things matter.

So, data loss prevention is really key. It's higher than what I would've expected, but I'm glad to see it. These are all things that you need to be doing, and it gets down to proper governance. All of this matters, right? The mobile device management, Varun, would matter. And even the device that they may have as they're going and traveling.

So, identifying the weaknesses. Let's get to this. I know we have 10 minutes, and we can go a little bit past the one o'clock hour if those of you that want to stay, we can go through a few things and some tools that we have in our toolbox here at the firm for our family offices to use.

So again, I come from a risk lens. This is really key. Good governance, and being a good steward of governance is very important. That bucket at the top right, governance and risk assessment, evaluating those risks, awareness, and communication; how do we want to do that? Even gets back to educating the family members. I spend time with my 12 year old and 14 year old talking about cybersecurity. I used to joke on cyber webinar, I've been at the firm 19 years, I've been talking about cyber even longer. But ultimately, I joked when my kids were really young when they were using the iPad, and they still do but they didn't understand it, right? One of my son gave out the credentials to my iPad, or the lock code, right, or the unlock code because his friend asked. I was joking, I sat him down when he was four or five years old and told him why you don't want to do that, because that's near and dear, right? Those are our credentials as a family. You have to have a way to protect that.

So, there's keys to good governance, and that's just an example of how you could do it across the board, right? Incident response and going counterclockwise training. Vendor management is so key. What vendors are you using? How the company conducts, the family office conducts degrees of due diligence on vendors. How risky are those vendors? Do we even know? Are we thinking about that? How do you monitor data loss, right?

I'm glad, again, a number of you answered that you do have a data loss prevention program. You don't want to lose that data. You want to know where it is, you want to be able to manage it and measure what's out the, and obviously protect it, which you could do that with technology and tools. And then, access rights and controls are going to be always very, very key, because that's how you get to the keys of the kingdom. That's how you get to the keys of the family information, financial or otherwise. That's really, really important.

Brandon, do you want to jump in into some prevention controls?

Varun Vig: We have one question. Should we take it now, or you want to take it at the end, guys?

Brandon Bowers: Let's try pushing to the end just in case we answer it during.

Varun Vig: Okay. Yeah, that's fine. That's fine.

Brandon Bowers: Yeah. So, what I want to say is most security recommendations or even compliance requirements, most typically today align to some framework, and the number one I'll call it adopted source is typically NIST. So, some sort of compliance requirement comes out, they usually reference the NIST framework. NIST is the National Institute of Standards and Technology.

And what NIST does is, they actually correlate prevention detection into different buckets, and we're going to talk about or hone in on three of those buckets. The first of which is prevention here on the slide. And prevention is, I mean, it's as simple as that. It's; what can you do, what controls can you put in place to prevent an incident from ever happening in the first place? And technology is going to help with a lot of that. But some of it is, I mean, having a conversation. Like Jerry was just saying to his kid, have the conversation. "This is why we don't do this."

We can leverage technology for some of that training as well. So, we can do awareness training. A lot of businesses or compliance requirements will require this on an annual basis. Where we see a lot more success is having a little bit more frequent touch points of a little bit of information. A couple minutes of, "Hey, these are some things that you should think about two or three minutes each month to keep it top of mind for everybody."

Access control is a big one that people don't really think about. I'm going to just skip around a little bit. But in most cases where we come in, people have access to everything. There are local admins on their computer. They can access all of the files. And instead of looking at things from a least privileged policy, meaning you only give people access to exactly what they need, which makes it incredibly difficult as an attacker once they get access to begin elevating or getting access to other areas of your data; that's one key thing you can look at.

Endpoint security. We talked about that, endpoint security being antivirus. The take away here is that traditional antivirus or endpoint security is just not enough anymore. I'll use COVID or the COVID vaccine as a good example or analogy right now. So, traditional antivirus would work similar to a vaccine.

So the first mutation when everybody was getting COVID was out, a lot of people get a vaccine, right, and then you're protected. But then all of a sudden, there's a slight mutation and they need to create a new vaccine or a booster so that you get amped up protection. Antivirus was typically working the same way. So, an attacker would change some binary code from a one to a zero, all of a sudden it's new code. It's zero day now, and your antivirus couldn't do anything about it.

And some of these newer products, which I'm going to just name a few common ones; Cylance, SentinelOne, CrowdStrike, Carbon black. What they use is they use newer technology, leveraging computer learning, artificial intelligence not only to no longer need those constant updates of new definitions and new vaccinations, but running the malware through a process of, "Why are they actually trying to do this?" And then stopping it when it deems, "Hey, what you're doing doesn't really make sense, so we're not going to allow that to happen." So, there's a little more intelligence around it.

And then just in the nature of time, I'm going to jump through a little bit quicker on the patch management side. What's critical to mention is a lot of people think, patch management, "Well, I've got Windows updates turned on," and what they're not thinking about is all of the other software that's on their machine. So, you've got QuickBooks running and you're running a version that's three years old and hasn't been updated, or you have Adobe Flash on your computer which is also on 70 to 80% of the world's machines. Attackers know this, so they target those products. As soon as there's some type of critical patch or vulnerability released, they know exactly what can be exploited and then will target that.

Let me jump over to the next slide real quick. This is actually from last year's report, I just felt like how the infographic was put together was actually pretty helpful. Just going to sit here for five to 10 seconds. What to illustrate is the amount of savings potentially based on you actually getting a breach doing some of these things or having some of these things in place will help reduce.

So again, going back to the onion or the layered approach, you want an incident response plan, you want to test that, you want business continuity, you want an AI driven endpoint protection system, you want to train your employees. All of these things will reduce your attack service, will reduce the potential of a breach, and will reduce the total cost of a breach.

But not only that, what's interesting on the bottom, I always isolate on the IoT, because no one is typically looking at those devices in terms of, "Hey, what do we need to do to secure those devices?" So, you put the thermostat or the light bulb or whatever else it is on your regular network where your server is or where all your confidential data and information is, and a lot of times those devices are not protected or hardened the same degree that something else is, or your IT is maybe just not even monitoring those devices. So, just food for thought.

Detection. Okay. So, manage, detect, and respond, or MDR. So, this goes a little bit beyond just that standard next gen antivirus. So, I mentioned Cylance and SentinelOne, some of those other products. A lot of those products have additional modules that can be embedded into them that what they do is, they look at the behavior of what it is that you're doing, and based on your behavior, "Hey, this is not something that should be done. This person is trying to elevate admin access. This person is trying to create a local administrator account. Why is he trying to do that? Why is Microsoft Excel trying to access PowerShell and then communicate with the internet? That's something that shouldn't happen. Okay, I'm going to stop it."

Vulnerability management. This is like patching, but goes beyond to the next level. So, this is understanding where you're at across your environment in terms of understanding, "Hey. Yeah we're patched, but there's these other known vulnerabilities that we've scanned and found," and then putting a plan in place in terms of how we can remediate and resolve.

SIEM is on here, security information and event management. I always refer to it as SIEM. So, it's mouthful. But it's really about maintaining logs, analyzing that for intelligent alerts. Some products out there; EventTracker, AlienVault, Azure, Sentinel. If you're on Office 365, things you can think about.

And then the big item that was listed on here is configuration management. So, it's so important to have somebody that, number one, is capable and qualified for doing the configuration. But on top of that, at some point you want to do a review of third party. Someone to do an assessment, understand, "Hey, this is where we're at. This is how it was configured. Here's some recommendations to close potential gaps that you may have."

And then... Let's see. I know we're over, so I'm trying to go really quickly. Key takeaway here is you need an incident response plan in place if you don't have one. Running through the process, "Hey, you determined that you believe that you have an incident," it is ultra important to isolate those devices as quickly as possible. And from a forensic standpoint, not do anything else other than isolate those devices. Because as soon as somebody starts doing something, once you get a forensic team in, it can botch up the whole process of actually finding information.

I think we can skip it, Bella. And then that'll also help prevent potential exposure and data containment. So as soon as you isolate that device, the data will no longer be able to get anywhere else.

And then the big thing in terms of, if you have an incident at the end is going through the lessons learned. How did this happen? Let's do a root cause analysis. How can we prevent this in the future, and do that due diligence? And you want to do that within a very short time span. Because we all know that we remember everything that we just ate for breakfast, let alone going through a stressful event like this; as the time ticks on, you just start forgetting things.

And again, I know we're out of time, so I am going to...

Jerry Ravi: Yeah.

Brandon Bowers: Push on. Jerry, I don't know if you want to touch on this or...

Jerry Ravi: Yeah, I could just touch on it briefly, and if you have any other questions certainly we'll be answering them offline. So, please feel free to continue to ask and we could reach out to you with other information as well, which we do have in this deck.

So I mean, this is just an element of event protocol, right? So when you do get a breach, what do you do? Stop the bleeding, try to look at your exposure, there's obviously notification and learn. So, that's just something that I would say that, you don't try to just resolve a threat just on your own. I think you have to pull together the team, and this is where you need to be prepared.

So, asking about the onion and the layers, what Brandon just went through, are really all the layers, right? And then you have detection and you certainly have response as part of it. So, this is really key, and this resonates with a lot of our clients.

We're not going to go through the last polling question. So, I'll just skip right through it just briefly. I wanted to mention one key thing is we created a tool called First Look that allows our clients to see what their exposure is. Benchmark it, not just from an element of foundation operational proactive, so that there's data points there that even Brandon mentioned that hit the framework of the layers of that onion, but also gives you a financial exposure.

So, we talked about cost. If there's things that you can do to allow this number to go down, you will see that across your cybersecurity posture. This is something to look at as you're moving through a couple key things. And ultimately, looking at these dials, I won't go through any of these, but certainly this is a good way to look at an assessment, right? Where do you need to be getting the best bang for your buck in terms of your IT investment as you're mitigating the risks? Because you still want opportunities to come and bring in new technology.

Brandon Bowers: I know someone asked...

Jerry Ravi: But Brandon... Yeah, go ahead, Brandon.

Brandon Bowers: Yeah. I was just going to say, I know someone asked about the layers. So this document right here we created, it should be accessible from within the presentation or ON24 here. It's by no means exhaustive, but it definitely gives you some clear, actionable work that you can review with your current service provider to strengthen your posture. And I don't know if somebody can comment with how they can download it, but I believe it is here within this platform right now.

Bella Brickle: Yeah. I can jump in and answer that real quick. So, it is available for download in the related content widget in your console. It is also available for download in that reminder email that you should have received this morning.

Varun Vig: Excellent. I think with that, Brandon, you're done, right?

Brandon Bowers: Yeah. Yeah.

Varun Vig: Okay. That's all we have for this session, and I'm hoping you all found it useful. On the questions, for the ones we haven't answered, we'll certainly get back to you via email. If you have any more questions, please do not hesitate to email us. I think the email IDs are there in the presentation. Once again thanks, and back to you, Bella.

Jerry Ravi: Thank you, everyone. Thanks, Bella.

Brandon Bowers: Thank you, everyone.

Varun Vig: Thank you.

About Brandon Bowers

Brandon Bowers is a Director within EisnerAmper Digital with over 15 years as an IT professional. He manages and develops the IT consulting and support services within the firm.

About Jerry Ravi

Jerry Ravi is a Partner and the National Practice Leader of EisnerAmper Digital. His focus is Enterprise Risk Management ERM and internal audit and compliance. He assists in designing enterprise risk management programs ERM which include deploying risk-based internal audit plans to enhance governance processes and monitor on-going compliance.

About Varun Vig

Varun Vig is a Director in the Private Client Services Group, and a member of the Financial Services Group.

Have Questions or Comments?

If you have any questions, we'd like to hear from you.