How constant vigilance in a Covid-19 world is key…
Whilst many organisations are vulnerable to cyber-attacks, family offices have always been particularly attractive targets thanks to the quantum of the wealth they manage and the sensitivity of the information they hold. Long before the current coronavirus pandemic took hold, family offices were becoming more and more frequent victims of targeted data breaches, a trend that has accelerated rapidly in 2020.
With the world preoccupied battling an unprecedented biological virus, cyber criminals have seized the opportunity to spread their computer viruses, and whilst these don’t have the devastating health consequences of Covid-19 they still have a hugely negative global impact. As work patterns have shifted for untold millions, organisations and businesses have had to rapidly deploy remote systems and networks to support staff working from home. Family offices are no exception, with employees relying on IT infrastructure to communicate, analyse and complete deals.
Of course the pressure on IT departments back in the spring was immense. Almost overnight they were expected to spin up remote desktop connections, so it’s hardly surprising that mistakes were made and even now many of these hastily set up connections are not secure. Cyber criminals could hardly believe their good fortune as they were presented with a brand new target-rich environment to exploit!
What are the key cyber threats that family offices face today?
Fraud, extortion and cyber-enabled physical threats can all drastically impact family offices. The damage can be financial or reputational and can even, at its most serious, endanger the safety of family members, and there is no doubt that attackers are leveraging the pandemic through an ever-increasing variety of scams. Finance and accounting personnel are most commonly targeted, along with executive assistants, due to their access to systems and information. They and the families they serve are targeted in many ways, with the most serious and common threats detailed below.
Business E-mail Compromise
Family offices typically deal with a high volume of e-mails, so it’s perhaps little surprise that the most common type of attack remains a Business E-mail Compromise, or BEC for short. Because of the rushed digital transformation triggered by the pandemic, it’s almost certainly the case that some staff are now more likely to accept e-mails that look a little less professional than before. Throw in a reference or two to the pandemic, with words such as coronavirus, quarantine, tests or vaccine being mentioned, and the odds of a phishing e-mail being opened improve dramatically!
BEC attacks account for the vast majority of malware that is downloaded, usually as a result of these targeted phishing e-mails. Essentially these e-mails look to trick the recipient into downloading an attachment, clicking on a malicious link or otherwise disclosing his or her credentials for logging into a corporate system such as e-mail. Once “in”, the fraudsters can potentially steal data, make fraudulent wire transfers and capital call notices, or even use downloaded malware (ransomware) to encrypt a victim’s files. A cryptocurrency ransom is then usually demanded in return for decrypting those files.
Another variation in the form of attack is personnel impersonation. Typically a cyber-criminal will aim to impersonate someone, possibly a senior executive within a company or financial institution the family office works with. They may even look to cultivate this communication over a period before sending their target or targets at the family office an “urgent” e-mail, requesting either access to information (perhaps on a senior executive in the family office), or payment of a spoof invoice via a wire transfer.
The third major threat relates specifically to attacks on the funds flow process in a family office’s investment transactions. In its purest form, cyber-criminals will look to substitute their own bank account details for those of the intended recipient. In order to minimise the risk of detection they will usually do this as close to the transaction taking place as possible. Once again, recent months have seen a significant uptick in cyber-attacks aimed at diverting the flow of funds.
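The funds-flow substitution described above is easiest to catch at the point of payment release. The following is an added example (not from the original article or any family office’s own system) of a release gate that checks the instructed account against a verified master record, rejects IBANs that fail the ISO 13616 checksum, and holds any payment whose beneficiary details were changed within a short cooling-off window unless an out-of-band callback has confirmed them. The master file, the seven-day window and the IBANs are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample master file: beneficiary -> (verified IBAN, date last verified).
# The IBANs are standard example values, not real accounts.
MASTER_BENEFICIARIES = {
    "Acme Capital LP": ("GB29NWBK60161331926819", date(2020, 3, 1)),
    "Oak Tree Advisors": ("GB82WEST12345698765432", date(2020, 9, 28)),
}

COOLING_OFF_DAYS = 7  # assumed policy: recently changed details need a callback


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: catches typos and garbled digits, not fraud."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not (s.isascii() and s.isalnum()):
        return False
    rearranged = s[4:] + s[:4]  # move country code + check digits to the end
    numeric = "".join(str(int(ch, 36)) for ch in rearranged)  # A=10 ... Z=35
    return int(numeric) % 97 == 1


@dataclass
class PaymentInstruction:
    beneficiary: str
    iban: str
    amount: float
    value_date: date
    # True only if confirmed by phone on a number already held on file,
    # never on a number supplied in the e-mail that carried the instruction.
    callback_confirmed: bool = False


def review_payment(instr: PaymentInstruction) -> tuple:
    """Return ('release' | 'hold', reason) for a funds-flow instruction."""
    supplied = instr.iban.replace(" ", "").upper()
    if not iban_is_valid(supplied):
        return "hold", "IBAN fails checksum"
    record = MASTER_BENEFICIARIES.get(instr.beneficiary)
    if record is None:
        return "hold", "beneficiary not on verified master file"
    master_iban, verified_on = record
    if supplied != master_iban:
        return "hold", "account details differ from verified master record"
    recently_changed = instr.value_date - verified_on < timedelta(days=COOLING_OFF_DAYS)
    if recently_changed and not instr.callback_confirmed:
        return "hold", "details verified within cooling-off window; callback required"
    return "release", "matches verified record"
```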
Social networking has fast become the preferred communication platform for many individuals and businesses but these platforms pose a significant risk thanks to the sheer amount of data that is often openly available online. A further factor is that family members may often be early adopters of leading-edge technologies including connected devices such as mobiles, tablets, cars and even yachts where robust protections have yet to be built in. By extracting sensitive information from a variety of sources, organised criminals can inflict devastating reputational damage or worse still even threaten the physical well-being and security of family members.
How can these cybersecurity threats be mitigated or even prevented?
Having painted a fairly bleak picture of a cybercrime threat to family offices that’s been turbo-charged by Covid-19, it’s time to stress that there are many security controls, technologies and practices available to build effective layers of defence. Whilst family office security controls are generally much less stringent than those of most large organisations, this doesn’t mean they can’t ensure they have plans and capabilities to prevent, detect and ultimately remedy cyber-attacks. If they haven’t already carried out a cybersecurity review, now is the time to take action and be proactive rather than reactive.
All of the threats detailed above can be tackled by the implementation of some key controls. Something as simple as requiring staff to use two-factor authentication to log into family office systems, including of course e-mail, can help prevent a wide range of common cybersecurity attacks. Add to this well-configured firewalls that support additional prevention systems such as malware and intrusion detection, together with regularly updated anti-virus software and securely stored, regularly backed-up IT systems, and the opportunistic cyber-criminal might just start to look around for softer targets!
The introduction of physical defences should then be complemented by staff training to ensure they are aware of the threats, know how to prevent and detect them, why it is important to do so and when exactly they need to escalate matters. A combination of online and classroom training together with regular testing, perhaps by sending fake phishing e-mails to evaluate responses, will ensure staff, wherever they are working, are better able to spot and frustrate attacks.
Last, but by no means least, the best prepared family offices will always look to have an incident response plan in place, often including the use of retained external expertise. By planning and rehearsing for anticipated cyber incidents and attacks, family offices will be able to respond more effectively and quickly limit the damage from any actual attacks.
Where are the cyber criminals? They’ve all gone phishing!
In conclusion, good cybersecurity has arguably never been more important to family offices than it is in the midst of the current pandemic. In today’s hyper-connected and digitally enabled Covid world there is simply no room for complacency when it comes to implementing the right systems, policies and procedures. At any one time there is an army of cyber criminals sitting on metaphorical river banks with their phishing rods, looking to get a bite! Give them the chance and they will exploit any weakness. It is therefore incumbent on every family office to be constantly vigilant and ensure that there are softer targets to be had elsewhere!