Buzzwords like technology and cybersecurity are used constantly — but how those terms are defined can be elusive for many family offices. Crain Currency asked Tony Gebely, CEO of Annapurna Cyber Security Advisors, to demystify cyber and share what he views as the top threats facing wealthy families this year.
Let’s start here: Can you demystify cyber? Where do families even begin?
Let’s start by defining cybersecurity. In its most simple sense, cybersecurity is a continuous process and set of practices aimed at protecting your electronic devices, networks and private information from unauthorized access, use, disclosure, disruption, modification or destruction by cybercriminals and other malicious actors — and recovering quickly and efficiently in case of an incident.
For many family offices, the complexity and ever-changing nature of cyber threats can be overwhelming and confusing, hindering their ability to effectively address cybersecurity. Many factors contribute to the challenges of comprehending and effectively managing cyber threats.
First, addressing cyber threats involves both technological aspects and human factors, processes, policies and education. This necessitates a holistic approach to ensure that all potential vulnerabilities and attack vectors are considered while crafting a robust cybersecurity strategy, which serves as a solution to these threats.
Furthermore, the landscape of threats and vulnerabilities is perpetually shifting. New vulnerabilities emerge as technologies evolve, and threat actors continuously adapt their tactics, techniques and procedures to exploit these weaknesses. This dynamic nature of cyber threats requires constant vigilance and ongoing adaptation of cybersecurity strategies to keep pace with the ever-changing threat landscape.
A practical starting point for families is to adopt a recognized cybersecurity framework such as the NIST Cybersecurity Framework or the Center for Internet Security’s Framework. These frameworks are comprehensive, providing guidelines to assess current security measures, identify improvement areas and develop strategies to enhance overall cybersecurity.
How does a family begin to forge a clear path forward? What’s cyber road-mapping?
When a family seeks to forge a clear path forward in cybersecurity, the first step is often utilizing a recognized framework as a guide. An assessment of your current state using a framework serves as a foundational step to systematically approach cyber risks and develop strategies for robust defenses.
Families have two primary options for assessments: a self-assessment or leveraging a third-party service. While self-assessments can be a starting point, they often lack the objectivity and depth that a third party can provide. Therefore, even if families start with a self-assessment, it’s generally advisable to eventually engage with a third party. These experts can offer an unbiased view of the cyber risks and are skilled at identifying vulnerabilities that might otherwise go unnoticed.
The culmination of this assessment process is what we refer to as a "cyber road map." This road map is essentially a strategic plan derived from the threat assessment. It outlines specific steps and initiatives that need to be taken to align the family’s cybersecurity posture with the standards set by the chosen framework. This might include recommendations on improving technological safeguards, enhancing security policies, updating response strategies or conducting regular training for staff.
In essence, a cyber road map translates the complex, often technical findings of a cybersecurity assessment into an actionable and understandable plan. It prioritizes the identified risks and provides a sequenced approach to addressing them, ensuring that resources are allocated effectively to bolster the overall cybersecurity of the family office.
What is something most families don’t know about cyber vulnerabilities?
A common oversight in cybersecurity within family offices is to underestimate the prevalence and impact of vulnerabilities in our devices and systems. To clarify, a vulnerability refers to a weakness in a system or device that can be exploited by cyberattackers. The remedy for such vulnerabilities often comes in the form of patches, which are software updates designed specifically to fix these weaknesses.
Both Microsoft and Apple release numerous patches each month. These patches are critical, as they address newly discovered vulnerabilities that could potentially be exploited by cybercriminals. What families and their offices often overlook is the sheer frequency and volume of these updates. Each patch released is a response to a potential threat, and the delay or omission in installing these updates can exponentially increase the risk of a cyberattack.
If a device misses several months’ worth of updates, it doesn’t just become vulnerable; it also becomes a potential gateway for cyberattackers to access broader networks. This risk isn’t confined to the device owner alone; it extends to anyone who communicates with them or shares the same network.
The critical takeaway for businesses and family enterprises is the necessity of a systematic process for updating all devices. This process should be a standard practice, overseen either by in-house IT staff or by a managed service provider.
What does 2024 look like in terms of new cyber threats?
There is an encouraging trend of increasing preparedness among family offices that are taking proactive steps to build robust cybersecurity programs. This trend is a positive development in the ongoing battle against cyber threats. However, as our defenses evolve, so do the tactics of cybercriminals.
One significant area of concern for the coming year is the rise in insider threats. These incidents involve employees or individuals with internal access who misuse their privileges to steal data, assets or sensitive information. This type of threat is particularly insidious because it comes from within an organization, often bypassing many of the traditional external defenses.
Additionally, we anticipate a persistent baseline of random cyberattacks. These are the types of threats that indiscriminately target systems and users, such as widespread phishing campaigns and opportunistic attacks that exploit vulnerabilities in unsecured systems. These kinds of threats remain a constant in the cybersecurity landscape and require ongoing vigilance.
However, more concerning is the expected increase in targeted attacks, especially in the realm of high-net-worth families and family offices. As attackers become more sophisticated and informed, we foresee a spike in spear-phishing attacks and other targeted strategies. These attackers will likely employ methods that specifically focus on a targeted family or individual, utilizing detailed reconnaissance to identify and exploit personal networks, locations and devices. This targeted approach combines technical expertise with personalized tactics, making it more challenging to detect and prevent.