Protecting Family Offices In Remote Working Age
What steps should family offices take to protect cybersecurity at a time when family and non-family members are working from home? Coping with a biological virus can actually increase the risks of falling victim to digital ones. This article sets out some pointers.
When people work remotely – as more are because of COVID-19 – cybersecurity risks increase. That matters particularly for people who handle large sums of money, as is the case with family offices. Single-family offices, and even some large multi-family offices, are not traditionally noted for spending heavily on security. Smaller FOs may lack the resources to handle security in-house, which explains why they turn to outsourced solutions. As this news service has been told in recent years, family offices can be fazed by the choices they have to make and by which “experts” to follow.
Walking readers through some of the issues in play is John Manganiello, head of business development at RFA. The US-based organization is an IT, financial cloud and cybersecurity services provider to the investment management sector.
The editors are pleased to share these views; the usual editorial
disclaimers apply. Jump into the conversation! Email tom.burroughes@wealthbriefing.com
and jackie.bennion@clearviewpublishing.com
At the onset of COVID-19, businesses were faced with the very real prospect of moving their entire workforce to a remote working environment in a very short space of time. For many this was an entirely novel situation, since the majority of staff had been based primarily in offices before the pandemic. Although many implemented the move successfully, it threw up a number of operational challenges and heightened cybersecurity risks that persist today.
For family offices, in particular, this has been an historic
change in the corporate environment. Despite modern technology
allowing remote working to flourish, it is essential to carefully
consider how the family members interact with each other, the
office, and other critical parties. Taking a holistic view of the
family office through the lens of cybersecurity, the primary
concern is always about privacy and control of data and
information.
Threats from all directions
Very few companies would ever have thought that they would need to move to a model where 100 per cent of their staff worked remotely. As a result, their remote-access platforms had not been designed, configured or licensed for that load. So, in moving to a remote working environment, smaller companies such as family offices were far less adept at making the change quickly, which left them more susceptible to cyberattacks.
Increased remote work has given hackers the opportunity to exploit vulnerabilities created by widespread telecommuting: increased pressure on IT teams, users bypassing standard cybersecurity practices, and remote administration of critical information. Phishing and malicious content are on the rise, and malicious sites and business email compromise (BEC) attempts linked to the pandemic are also growing in prevalence. Many family offices do not have the email security and training protocols needed to prevent phishing and BEC scams. Once hackers get into your network, they can be there for weeks, even months, monitoring communications to access confidential information. This even extends to employees’ social media accounts, which hackers can hijack for use in social engineering schemes.
Data theft has also risen significantly, with hackers using stolen data for extortion and launching disruptive or destructive ransomware attacks. Ransomware is a type of malware that threatens to publish a victim’s data, sell it on the dark web, or permanently block access to it unless a ransom is paid. Ransomware attacks increased over 25 per cent in the first quarter of 2020 alone, costing businesses, on average, $1.4 million to recover.
This environment, so conducive to cyber threats, makes it more pressing than ever to develop control structures and processes that create a protective stance and a readiness to respond to threats of all shapes and sizes.
Remote working challenges
There are several key challenges surrounding remote working, namely: insufficient capacity in remote access solutions; securing home networks and personal devices; extending corporate security controls to home offices; sharing data securely with third parties; and secure collaboration and communication.
In the family office space, something that has been front and center during the pandemic is that the work culture has changed. An office of 20 has suddenly transformed into 20 different satellite offices, where individuals are no longer protected behind the corporate controls and firewalls. Firms then need to consider how everyone is accessing confidential information. Is it through a corporate or a personal device? If the latter, are there any controls in place? When someone logs into their email or accesses sensitive information from a cloud-based service like SharePoint, Google Drive or Dropbox, problems can start to arise. It is essential from the outset that family offices understand how the devices staff are using for remote working are controlled and how the data on them is protected.
The solution?
When addressing how to protect your family office from nefarious cyber activity, it is essential to note that, while there are a number of very robust cybersecurity tools available today, there is no silver bullet. You need a thoughtful, layered approach that addresses both the products you use and how you educate the end-users themselves.
Virtual Private Network (VPN) access should only be permitted on corporate devices. If employees must use personal devices, then it is essential that they are educated on best practices: ensuring devices have the latest operating system and antivirus software installed; segregating the home Wi-Fi network by creating a separate network for guests, children and other personal devices; and avoiding working in public places or conducting business on public networks. Any external access of this kind should be protected with multi-factor authentication, which adds an extra layer of verification beyond username and password. When communicating with individuals outside the family office, such as critical third parties for CRM, accounting, portfolio management or fund administration purposes, it is also worth considering a secure mail solution, particularly when the information is sensitive or confidential.
To summarize, in the short term it is important to conduct a cyber assessment:
1. Make and keep an inventory of all routers and devices and the sensitive data on them, including those used in family members’ homes.
2. Maintain devices with updated antivirus and firewall software; keep software current and assess for vulnerabilities at least annually.
3. Use email encryption tools for any confidential messages and ask clients to validate any new account requests and similar activity.
4. Monitor (or use an external firm to monitor) all networks 24 hours a day, looking for signs of an intrusion, and shut them down if there is an attack.
5. Store backups offsite or in a secure cloud repository.
6. Conduct financial and criminal background checks on new staff and vendors, and annually thereafter.
7. Create a cybersecurity policy that covers connected devices, passwords, multi-factor authentication, social media and payment authorization steps.
8. Identify and mitigate third-party risk.
With proper configuration, cloud-based technology is a secure and modern way to work, and COVID-19 has certainly accelerated its adoption. Looking beyond the immediate dangers, though, the many family offices adopting new operating models should also look at their long-term strategy:
9. Implement institutional-quality IT infrastructure, cybersecurity solutions and standardizations.
10. Continually educate all principals, families and households.
11. Identify the scenarios that would impact you most, your risk tolerances and your pain points.
12. Analyze the most likely scenarios and rate the risk level for each.
13. Customize a good controls framework to measure and mitigate risk to an acceptable level.
14. Explore, create and, most importantly, regularly test business continuity and incident response plans.
15. Obtain a cyber-liability insurance policy.
16. Consider a Borderless Access Control solution (BDAC) for strict identity verification, inspection and monitoring of all your users.
A well-thought-out, long-term cybersecurity strategy is now a must-have. This new remote way of working puts even more onus on educating the end-user about possible cyber threats. You can have the best tools, solutions and processes available to you, but they will not mean much if the end-users do not understand how they are accessing your company’s data. Cybersecurity starts and ends with educating the user.