How Can Family Offices Defend Against Cybersecurity Attacks?

In Part 1 of this series, I examined why family offices are particularly vulnerable to cyberattacks. The fact that many family offices have not prioritized cybersecurity in the past due to cost, complexity, and the belief that they were low-risk only increased their vulnerability to a data breach. Yet studies continue to show an increase in cybercrime, especially against smaller organizations, often with fewer than 500 employees. Here, I will discuss how family offices can manage and minimize the risk of a data breach and strengthen their cybersecurity defenses.

The most effective measure to protect against cyberattacks is proactive risk management. Managing risk through a robust cybersecurity plan and effective policies and training can help avoid a costly cyber breach. 

The following are steps family offices can take to protect themselves against the various types of cybercrimes:

Prepare a cybersecurity plan to address various types of cyber threats. 

Review the types of data a family office collects, how that data is stored, and who has access to it. This will help determine potential risks, choose technology, and develop policies and procedures to best protect that data.

Prepare an incident response plan.

An incident response plan allows you to, in the event of a security incident, quickly use pre-planned procedures to effectively deal with threats. The plan should cover events such as receiving a phishing email or phone call, losing a company-issued device such as laptop or cellphone, network intrusions, and ransomware attacks. The faster a family office can detect and respond to security incidents, the less likely it will incur significant financial losses or breaches of sensitive personal data.

Provide cybersecurity training and education to staff and family members.

People are the first layer of defense against cyberattacks. Providing staff and family members with cybersecurity training and education on best practices, policies, and procedures can help family offices avoid data breaches and other cyberattacks that are easily preventable.

Perform regular assessments, testing, and monitoring.

Regular vulnerability assessments and penetration testing, as well as 24/7 monitoring, are key components of a robust security plan. Vulnerability scans check for known weaknesses in systems and networks and generate a report on risk exposure. Penetration testing attempts to hack or penetrate systems to check for vulnerabilities. Testing and assessments are often performed by a combination of internally trained IT staff and third-party consultants and vendors.

Implement strong security controls and policies. 

1. Download and install software updates as they become available.
2. Regularly change passwords and make them complex using a combination of letters, numbers, and symbols.
3. Use email encryption tools.
4. Use two-factor verification.
5. Use VPN to access the family office’s network and maintain a connected device policy covering the use of public Wi-Fi and home routers.
6. Back-up data nightly. This could prove invaluable in a ransomware attack where your data is being held hostage.
7. Limit employee access to data and information.
8. Limit authority to install software to administrators.
9. Require security audit reports from vendors being considered before contracts are signed.
10. Maintain and communicate social media policy for family members.
11. Maintain an inventory of routers, computers, phones, and other devices and ensure that each one has updated antivirus and firewall software.
12. Establish policies and procedures on payment authorizations.
13. Perform background checks on employees and contractors.

Consider obtaining a cyber-liability insurance policy.

Cybersecurity insurance could potentially cover losses from data breaches, business interruption, and repairs and recovery from network damage. In summary, creating and implementing a cybersecurity plan may sound daunting, but it allows a family to take advantage of the benefits of emerging technology while managing the financial and reputational risks. Remember, cybersecurity does not always mean expensive and complex technology. For a family office, education, awareness, and simple security policies are often the easiest and most effective way to protect against cybercrime.