Cybersecurity has become an important element in our professional and personal lives, as cybercriminals target both individuals and organizations on a daily basis.
Unfortunately, family offices are one of the most appealing targets for cybercriminals. The reason is simple: Family offices hold extremely sensitive information about high-net-worth individuals and control significant financial resources, and many of them have not taken all the preventive actions needed to reduce their cyber risk profile.
Place yourself in the shoes of a cybercriminal. Does it make more sense to attack a large organization that has dedicated cyber personnel and tools, or a small office that doesn’t?
Here is some practical advice for family offices:
Build a layered defense: Implement strategies to help prevent, detect, respond to and recover from cyberattacks.
Best practices in prevention and detection:
- Written cyber policies that are explicitly communicated and enforced.
- Require complex and unique passwords. Never reuse a password! If this is too challenging, get a password manager program. They work. Your organization can set up password managers for your entire team.
- Turn on or implement multi-factor authentication (MFA). Many programs and sites offer it. MFA requires a second proof of identity in addition to your password, typically a one-time code from an authenticator app, a tap on a hardware security key, or a code sent by text or email. Codes sent by text or email are the weakest option, because they can be intercepted or phished out of the user; where a service supports an authenticator app or a hardware key, use that instead.
- Keep your software and hardware up to date. At a minimum, make sure you have automatic updates turned on.
- The biggest risks faced by a smaller organization come from humans, not technology. Clicking a link in, or opening an attachment to, a malicious email is often the path to big trouble. To help with this category, provide cybersecurity awareness training and phishing exercises for all your staff.
- If you have people working remotely due to your office policies or travel, have them use a virtual private network (VPN) whenever they join a network you do not control. A VPN encrypts the traffic between the device and the VPN server, so others on the same Wi-Fi network cannot read or tamper with it. It does not stop phishing or malware, so it complements the other measures on this list rather than replacing them. Going on Wi-Fi at an airport or other public place without a VPN is an invitation for cyber trouble.
- Additional considerations: external vulnerability scanning, firewall protection, Wi-Fi settings and physical security measures.
Response and recovery measures: Please do these few things at a minimum!
- Develop and test an incident response plan that details what you are going to do if you experience a cyberattack. This is a frequently overlooked item. When I ask business leaders whether they have a fire evacuation plan or response plan for a natural disaster like a hurricane or tornado, most of them say “yes.” Then, I ask whether they have an incident response plan, and the response is either a blank stare or “no.” Which of these items is most likely to happen? Draft your cyber incident response plan today.
- Do backups on a regular basis, and test restoring your backups. Keep at least one copy offline or otherwise unreachable from your network, so that an attacker who encrypts your systems cannot also encrypt the backups. If you get hacked, having the ability to quickly restore your data is critical.
- In addition, consider getting cybersecurity insurance. It is another layer of your defense protection strategy. But be careful — these policies are complicated, so make sure you properly fill out the application and understand what is covered and for how much.
Identify responsible resources: Designate which internal and external resources are responsible for helping manage your cybersecurity needs. Know who is monitoring, helping manage and reporting on your cybersecurity profile. Cybersecurity is a complicated and alien topic to most people, and it is only going to become more challenging. Ad hoc or part-time attention to this topic is not a sufficient model. Also, remember that information technology and cybersecurity are different topics.
Cultural integration of cybersecurity: The most important step on this list is to integrate cybersecurity into the culture of your organization. While cybersecurity will only be your No. 1 priority when you suffer a cyberattack, it needs to be on your list of cultural priorities well before that happens. Everyone in the organization should be cyber-trained and use best practices. Often, senior leadership is the problem; in a number of cases, I’ve had to call out an organization’s top people for not doing their cyber-training sessions. Regular executive briefings on cybersecurity status and issues can help contribute to this cultural shift.
The analogy that I give people about cybersecurity is that it’s similar to having diabetes: It’s a chronic condition with no cure. If diabetics take their insulin, watch their diet and exercise, they can live a full and normal life. If they ignore these items, they are on a path to tragic consequences.
If you follow cybersecurity best practices, you can feel safer and sleep better at night, so you have the energy to focus on your top priorities. If you don't, your days before a devastating attack are likely numbered.
Remember, while you can never guarantee 100% safety from cybercrime, with the proper cultural attitude and technical expertise, you can be safer.