We spend a lot of time working with affluent families and family offices – determining how to best protect and secure their various interests from estates to businesses, here and across the world. Cyber and information security often comes up in our discussions. Typically, we’re making sure these families and family offices have secure networks that prevent inadvertent information breaches. For many of our private clients, we are seeing evidence that cyber-criminals are employing the same methods they use in corporate espionage to target them and the offices that support them. Several of the schemes our team has encountered recently are very sophisticated and contain elements that corporate entities are tracking and trying to counter with protective strategies. Wealthy families are an attractive target for cyber-attacks because their cyber defense systems are usually not as robust as those in a corporate environment supported by a full team of experienced information security experts with access to advanced technology and robust practices, procedures and training.
The Cyber Risk for Affluent Families
A cyber security report published by Campden Wealth confirms this trend. Almost a third of the families, family offices and family businesses surveyed for the report stated that they have experienced a cyber-attack in the past. As corporate entities harden their network security and train employees on how to recognize potential cyber-attacks, some cyber-criminals find it more difficult to penetrate large corporations and instead opt for the less prepared – often less knowledgeable – family offices. Cyber-criminals may be employing the same tactics that earned them early success in corporate hacks: email with attachments and ransomware. Based on the Campden Wealth study, 77% of respondents had been subject to phishing.
Cyber-Attacks Can Come from the Inside
Interestingly, the report indicates that a third of the cyber security attacks cited by respondents are conducted by insiders. The U.S. Department of State Bureau of Diplomatic Security and Overseas Advisory Council states in its 2018 annual briefing that some of the most damaging cybersecurity threats do not originate from malevolent external actors but from insiders and third parties. The briefing describes an insider threat as a person within an organization – a current or former employee, third-party contractor or business partner – who has or had authorized access to an organization’s networks, systems, data or premises, and uses that access to compromise the confidentiality, integrity, or availability of the organization’s information or systems, with or without malicious intent. Malicious insider threat actors can be defined as:
- Disgruntled employees (past or present)
- Entitled employees
- Planted employees
- Third-party vendors
- Trusted employees with extensive access
Two recent inquiries made to Hillard Heintze from private family offices aptly illustrate the risk insider threats pose. In one instance, a long-term member of a family office authorized a $2 million transaction for a business venture overseen by the family office, and conducted within the family office technology environment. Further analysis, including a computer forensic investigation, revealed the employee had been targeted and corrupted by a powerful drug cartel and manipulated to launder funds through the family office for personal financial gain. This put the family at risk from both the cartel and the authorities.
In another situation, an employee in the process of being terminated sabotaged IT systems and changed all passwords to the systems – making it impossible for the family office to access its IT structure. While this might not have posed an immediate threat to the family network, it does demonstrate how vulnerable the systems were during a volatile event: an employee termination.
Mitigating the Risk, Protecting the Family
Given the growing risks associated with insider threats and targeting by external attackers, family offices need to invest in capabilities and resources – i.e. the people, services, technology, processes, procedures and training – that decrease the likelihood of a breach. Cyber environments should include everything from password management and antivirus patches to firewalls, network segmentation, controlled permissions and independent email domains.
Insider threat programs need to concentrate on both employees and vendors – anyone with access to family systems – and include ways to deter, detect and avoid threats. Cyber breaches originating internally may not be malicious and may be completely accidental – for instance, opening an Excel spreadsheet from an unknown source that places malware on a system. Educating users about cyber intrusion techniques from either an internal or external source is a best practice. This type of training will pay for itself many times over.
Physical security of the family or family office cyber environment is also key and should include access control to any area containing sensitive equipment or information such as hardware, devices, network information or passwords. Additionally, the family should ensure that due diligence investigations are conducted periodically on any personnel who work near or around the family or in the family office – and comprehensively for all new hires. Red flags such as excessive litigation with former employers, substance abuse, and financial events such as bankruptcy filings or unexplained wealth moments are indicators that may signal higher risks of an insider threat.
A common thread among high net worth families is that they believe they are ‘flying under the radar’ and that they will not be subject to a breach, intrusion or theft in their personal lives. Unfortunately, it has become much harder to fly under the radar, and bad actors have become much more sophisticated in their criminal enterprises and more successful at identifying the soft spot for a breach – which may include the family office or the family residence itself. For malicious cyber actors, the game is no longer about notoriety, but quick windfalls of income.