Ben Tercha is COO of Omega Systems, a provider of managed IT and security services. He spoke with Crain Currency about the arms race in cybersecurity and whether we can expect more threats during trade wars and market volatility.

We hear so often about cybersecurity; are people taking the warnings seriously?

When cybersecurity became prominent and important about seven to 10 years ago, when a customer got ransomware in their environment, it was like, “Oh, my gosh, why did this happen to me?” And it's very rare, and it’s a shock. Fast-forward to today, where Omega is involved in incident response situations — whether it's business email that is compromised or systems compromised — and it’s accelerated.

The scale of the attacks can be very small or they can be widespread, but the common theme is ensuring you've got basic cyber hygiene — multifactor authentication, endpoint protection and 24-by-7 SOC [security operations center]. A lot of people aren't adopting those things. A cybersecurity posture needs to be constantly reevaluated and leveled up.

It’s an arms race. The threat actors do one thing, then they do cyber controls; and those get implemented, and then the threats get more complex, and so on. It’s a constant cycle. And it's speeding up; it's not slowing down.

In terms of preparedness, are family offices a little behind or ahead of the curve?

The ones that we've worked with and taken on as clients have been a little behind, to tell the truth. They're coming from another provider who was maybe not focused so much on security like Omega is. Or there was an in-house IT person who thought he was doing everything that should be done. And as we started our work with them and advising and consulting, it became apparent that there were a lot of things that were missing. So as we bring clients on, we are proposing 24/7 MDR [managed detection and response] services, everything that they should have and telling them why they needed it, versus asking for us to implement in their environment.

About 57% of North American family offices have been hit by a cyber attack in the past two years. Has that increased in recent years?

No, it's a pretty consistent stat, but the type of attack is changing. We used to see a lot of business email compromise a few years ago. Now we're seeing some very advanced and sophisticated attacks. There's one that comes to mind where there's this thing called a session token — like if you log into Office 365, that has that token. And if you get that token, you can log in and masquerade as yourself or other users. And what we're seeing happen is that session-token hijacking is becoming more apparent. And we can't necessarily say exactly how it happened, but the theory is they're connecting to unsecured networks. So you're at a hotel, you connect to the free guest wireless that's included — well, that's not encrypted all the time, that’s not secure. So if you're accessing your email or Salesforce or your banking account, all that data can be grabbed, even though it may be encrypted across the wire. So that's one way that we're seeing accounts and environments getting compromised.

To expand on that, have family offices become a weak link, as ultrawealthy people can be easily breached and exposed to massive financial loss?

There’s this assumption, even among the very wealthy, that it's not going to happen to me, right? They aren't targeting me. The latter might be wrong, but the former might be true. What we're seeing is a lot of these attacks come from opportunistic threat actors, meaning they are looking for the weakest link. And so if you're not keeping your cybersecurity posture up to date, you become that weakest link by not having basic cyber controls such as multifactor authentication. I hate to harp on that, but that is a very simple thing that can be implemented that really shuts down the threat actors pretty easily.

They find that weak entry point into the network, and then they'll exploit it. And family offices are truly slower to adopt the stronger cybersecurity controls for various reasons. Sometimes it’s what we internally call the ostrich effect: I'm going to put my head in the sand and believe it's not going to happen to me. Or they assume they’re receiving proper advice from their managed service provider or their internal staff on what they need to do.

Everyone is a target now. A lot of people think, “Oh, we have a small office, with just five or 10 or 15 people; no one's going to be interested in my information or data.” And that is entirely untrue.

What are some of the most sophisticated attacks and methods — like deepfake frauds — that are emerging?

The evolution of AI has really empowered threat actors to take on and carry out sophisticated attacks. Now, we haven't seen any of these happen yet for clients. But we've simulated them for clients, where we've taken a CEO of a company, recorded their voice, ran it through an AI engine and fed it prompts. And then we call up their customer support line pretending to be the CEO, and we're able to really brute-force our way into the environment and gain access to sensitive information just using a public voice recording. So if we can do that as the good guys, you know that the bad guys are gonna be able to do this.

That has to be explicitly targeted; you have to know what organization you want to break into. And if there's a will, there's a way, right? So a lot of times what we see is, not so much the AI threat actors are using AI to carry out attacks; but what we're seeing is a lot of lack of multi-factor authentication. The end users click on the link or they get a phishing email, and they fall victim to that and supply their Office 365 login, assuming that Microsoft needs them to log in again. And they think it’s all OK, but really that threat actor has now captured their login credentials. Now they're in their mailbox, they're looking around, they're setting up rules, they're redirecting messages. Unfortunately, that’s very common, and it's really hard to combat some of those threats, because you have someone who's in a privileged role inside an organization that has access to the information. They're gonna access it on a regular basis.

What we look for is kind of those odd patterns. So our platform uses this technology called UEBA — user entity behavior analysis, meaning if you're always working in the office from Monday through Friday 8 to 5, logging in and accessing data, it builds that pattern. It gets to know you and how you access the data and where you do it from, right? But then all of a sudden, it sees you logging in at 2 a.m. on the VPN, and you're accessing the information or you're logging in on a weekend. That creates spikes in the charts and timelines. Now we can go back and identify that this is atypical behavior and find out what happened here. So we use those data points to spot insider threat activity.
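The baseline-and-deviation idea behind UEBA that the answer above describes, as an added illustration that is not code from Omega Systems or the interview: it learns each user's usual weekdays, hour range and access source from constructed sign-in events, then flags a 2 a.m. VPN login, a weekend login and an unknown user. All event data, user names and the "office"/"vpn" source labels are constructed for the example.

```python
from datetime import datetime, timedelta

def constructed_baseline(user="alice", start="2024-05-06", weeks=2):
    """Constructed sample sign-in events (not real logs): weekday logins from the office."""
    events = []
    first = datetime.fromisoformat(start)  # 2024-05-06 is a Monday
    for d in range(weeks * 7):
        day = first + timedelta(days=d)
        if day.weekday() < 5:  # Monday..Friday only, mirroring an 8-to-5 office pattern
            for hour in (8, 12, 16):
                events.append((user, day.replace(hour=hour).isoformat(), "office"))
    return events

def build_profile(events):
    """Learn, per user, the weekdays, hours and access sources seen in the baseline window."""
    profile = {}
    for user, ts, source in events:
        t = datetime.fromisoformat(ts)
        p = profile.setdefault(user, {"weekdays": set(), "hours": set(), "sources": set()})
        p["weekdays"].add(t.weekday())
        p["hours"].add(t.hour)
        p["sources"].add(source)
    return profile

def flag_atypical(profile, events):
    """Return (user, timestamp, reasons) for every event that departs from the user's pattern."""
    flagged = []
    for user, ts, source in events:
        t = datetime.fromisoformat(ts)
        p = profile.get(user)
        if p is None:
            flagged.append((user, ts, ["no baseline for user"]))
            continue
        reasons = []
        if t.weekday() not in p["weekdays"]:
            reasons.append("unusual weekday")
        if not (min(p["hours"]) <= t.hour <= max(p["hours"])):
            reasons.append("outside usual hours")
        if source not in p["sources"]:
            reasons.append("new access source")
        if reasons:
            flagged.append((user, ts, reasons))
    return flagged

NEW_EVENTS = [  # constructed events to evaluate against the learned profile
    ("alice", "2024-05-20T09:00:00", "office"),  # ordinary Monday morning: not flagged
    ("alice", "2024-05-21T02:00:00", "vpn"),     # 2 a.m. over VPN
    ("alice", "2024-05-25T10:00:00", "office"),  # Saturday
    ("bob", "2024-05-20T09:00:00", "office"),    # user with no learned pattern
]

if __name__ == "__main__":
    for hit in flag_atypical(build_profile(constructed_baseline()), NEW_EVENTS):
        print(hit)
```

A production UEBA platform scores deviations statistically rather than with hard set membership, but the flagged reasons are the "spikes" an analyst would then investigate.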

With all the recent market volatility and turbulence in global trade, are you seeing new threats or an increase in threats?

None yet, but you know, it's going to happen. We're evaluating the impact to our business and our clients from the tariffs. Ultimately, what's going to happen is those costs are going to get passed on to the consumers. So I'm waiting for potential phishing attacks that promise to “bypass the tariffs if you buy stuff through us.” That will happen. If there's an opportunity, threat actors are going to find a way to exploit it.