When addressing how to protect your family office from nefarious cyber activity, it is essential to note that while there are a number of very robust cybersecurity tools available today, there is no silver bullet. You need a thoughtful, layered approach addressing both the products you use and how you educate the end-users themselves.
Virtual Private Network (VPN) access should only be permitted from corporate devices. If employees must use personal devices, then it is essential that they are educated on best practices: keeping the operating system and antivirus software up to date, segregating the home Wi-Fi network so that work devices sit on a separate network from guests, children and other personal devices, and avoiding working in public places or conducting business over public networks. Any external access of this kind should be protected with multi-factor authentication, which adds a layer of verification beyond the username and password. When communicating with individuals outside of the family office, such as critical third parties for CRM, accounting, portfolio management, or fund administration purposes, it is also worth considering implementing a secure mail solution, particularly when the information is sensitive or confidential.
To summarize, in the short term, it is important to conduct a cyber assessment:
1. Make and keep an inventory of all routers and devices and sensitive data on them, including those used in family members’ homes.
2. Maintain devices with updated antivirus and firewall software; keep software current and assess for vulnerability at least annually.
3. Use email encryption tools for any confidential messages and ask clients to validate any new account requests and similar activity.
4. Monitor (or use an external firm to monitor) all networks 24 hours a day for signs of an intrusion, and shut them down if there is an attack.
5. Store backups offsite or in a secure cloud repository.
6. Conduct financial and criminal background checks on new staff and vendors and annually thereafter.
7. Create a cybersecurity policy that includes connected devices, passwords, multi-factor authentication, social media and payment authorisation steps.
8. Identify and mitigate third-party risk.
With proper configuration, cloud-based technology is a secure and modern way to work, and COVID-19 has certainly accelerated its adoption. Looking beyond the immediate dangers, though, with many family offices adopting new operating models, they should also look at their long-term strategy:
9. Implement institutional quality IT infrastructure, cybersecurity solutions, and standardizations.
10. Continually educate all principals, families, and households.
11. Identify the scenarios that would impact you most, your risk tolerances, and your pain points.
12. Analyse the most likely scenarios and rate the risk level for each.
13. Customise a good controls framework to measure and mitigate risk to an acceptable level.
14. Explore, create, and most importantly test business continuity and incident response plans regularly.
15. Obtain a cyber-liability insurance policy.
16. Consider a Borderless Access Control solution (BDAC) for strict identity verification, inspection and monitoring of all your users.
A well-thought-out, long-term cybersecurity strategy is a must-have today. This new remote way of working puts even more onus on educating the end-user about possible cyber threats. You can have the best tools, solutions, and processes available to you, but they will not mean much if the end-users don’t understand how they are accessing your company’s data. Cybersecurity starts and ends with educating the user.