Cybercriminals are becoming more sophisticated in their tactics, and family offices are emerging as prime targets. Yet many offices aren’t taking some simple steps that could help plug security holes, cybersecurity experts say.
Some 26% of family offices have been targets of cyberattacks, with almost two-thirds of those coming in the past 12 months, according to a recent survey from Boston Private. Phishing and ransomware attacks are among the top threats, and many of those are aimed at the homes of family members or employees, experts said.
Family offices are “low-hanging fruit” for attackers, said Chris Pierson, founder and CEO of BlackCloak, a firm that provides digital executive-protection services.
With large sums of money under management, often-lax security measures, and personal and business information intermingled on family members’ devices and networks, a family office is a “target-rich environment,” Pierson said.
“Security’s kind of an afterthought” for many busy people, he said. All family members, kids included, are potential exposure points.
BlackCloak says 87% of executives’ personal devices have no security, and 39% of those devices contain malware. In addition, data brokers have access to the home IP addresses of 40% of executives, according to BlackCloak statistics.
The work-from-home trend has made home offices rich targets for phishing and ransomware attacks, security professionals said. Since home addresses are readily available online, it’s relatively easy for criminals to hack into devices on a home network and gain access to personal and business data from there, Pierson said.
“COVID changed everything,” said Steven Saltzstein, chief executive of Force Family Office, which provides a platform for family offices to connect with each other and with service providers. Every device and every family member is a potential access point, Saltzstein said.
“The bad guys — including nation-state intelligence agencies — realize it’s a lot easier to attack senior executives and board members at their home networks to gain access to the information they want,” so many don’t bother trying to get around corporate security systems, said Michael Janke, co-founder of DataTribe, an incubator that invests in cybersecurity companies such as BlackCloak.
Melvin Ejiogu, CEO of the security software company Veemost Technologies, said he’s concerned that overseas actors may step up their attacks on family offices as election season approaches, with the aim of using home devices as bots for election interference tactics such as denial-of-service attacks.
Artificial intelligence is making it easier for bad actors to hack passwords and accounts, Ejiogu said. “Everyone is using it, and hackers are using it, too,” he said. “AI can churn through data in microseconds” and "reengineer” attack plans if it finds a weak security system, he said.
BlackCloak’s Pierson said he sees family offices targeted every day. Phishing and other email-based schemes are the most common and fastest-growing ways that criminals attack these businesses, he said.
Not all cyberattacks are sophisticated. Cybercriminals still use landlines, calling a family member or executive and pretending to be a security expert working for the firm who needs remote access to a computer, Pierson said.
Too often, he said, the person answering the phone falls for the scam.
ESSENTIAL CYBERSECURITY MEASURES
Here are some steps that every family office should be taking:
- Cybersecurity concierge: Just about every family office has an IT department or person, but that’s not the same as cybersecurity, Saltzstein said. He recommends “a dedicated cybersecurity concierge” who can respond to threats and anticipate them.
- Crisis plan: Every family office needs a crisis plan spelling out how to respond to a potential attack, as well as a set of preventive measures and internal controls, according to the advisory firm PKF O’Connor Davies. That should include processes for verifying bank accounts, wire transfers and vendors; reconciling transactions between asset classes and custodians; confirming that transactions arrive on the other end; and detecting any problems or red flags, said Gemma Leddy, partner in charge of the PKF's family office practice.
- Be on the lookout: Human error is responsible for most cybersecurity breaches, so it’s important to train family members and employees to look out for scammers, said Thomas DeMayo, who leads PKF O’Connor Davies’ cybersecurity and privacy advisory group. “The risk is not going to be from a firewall perspective,” DeMayo said. Criminals “are going to get in through the employees of the family office or potentially the family members themselves.”
- Simulations: Training might also involve hiring a specialist to simulate an attack that could help family offices identify and respond to real events, said Judy Pearson, who heads Woodruff Sawyer’s trustee liability and family office practice. “The trend is becoming more and more clear that while the number of attacks is increasing daily, the number of successful attacks is still predominantly from within the organization,” said Helen Johnson, chief technology officer of the technology consulting firm Comply. “It’s still about somebody accidentally opening the wrong email or a rogue employee being upset.”
- Backing up data: Data should also be backed up periodically so it doesn’t end up held hostage in a ransomware attack, Johnson said. “Device management is something everybody should consider, especially if you’re doing anything business-related on a device,” she said. “That goes for iPads, phones, laptops — anything that you can use that may store information.” While security experts continue to recommend multifactor authentication and password managers, “criminals are leveraging ‘info-stealer’ malware to bypass these defenses,” said Josh Amishav, founder and CEO of the data monitoring firm Breachsense.
- Security audits: “Leaked credentials have become the number-one initial attack vector for cybercriminals,” Amishav said. “It's critical for family offices to undergo regular security audits from external offensive security consultants to highlight gaps in their defenses.”
- Cyber insurance: Families needn’t go it alone. As cybercrime increases, cyber insurance is also on the rise. Insurers are starting to offer products that cover things like data restoration and business interruption, security experts said. These companies evaluate a firm’s cybersecurity practices before issuing a policy, and that evaluation in itself might provide some insight, said Johnson.
- Affordable security systems: A robust security system doesn’t have to be expensive, Ejiogu said, as there are now subscription and pay-as-you-go models that allow firms to pay only for what they need. “You don’t have to cough up millions of dollars,” he said. “You can pay per user and have access to some of the technology that the bigger companies use.” Likewise, security technology doesn’t slow performance or micromanage users, Johnson said. Software can recognize multiple devices, so there’s no need for users to type in access codes, she said. Email filters are another “simple line of defense,” she said.
Cybercrime can wreak havoc on a family business’s finances, philanthropic efforts and reputation, security professionals said. “I can’t stress how important reputational risk is,” Johnson said.
“You just need to get hacked once. You just need to lose a customer’s information or be held up for ransom once. When people lose trust in you, are they going to give you their business?”