Cybersecurity Beyond Firewalls: Three Steps to Solving the People Problem

Faced with increasingly sophisticated cyber attacks, family offices need to look beyond technical solutions for protection.

“Front-end security is really, really important,” says Annmarie Giblin, partner at Tarter Krinsky & Drogin LLP, who works with family offices on cybersecurity. “But as front-end security gets better, one of the best windows becomes your people.”

This can make family offices particularly vulnerable: They are known to be lucrative targets, but they often lack the sophisticated cyber security staff and infrastructure that a large business would have. According to the 2023 Global Family Office Report from UBS, 37% of family offices have been the target of cyber attacks.

Evolving technology is making the problem even trickier. AI is making it harder than ever to distinguish real communications from fraudulent ones.

“Producing the materials that exploit the human factors element has never been easier or cheaper,” says Josh Klein, an advisory board member of BP and Eyrir Venture Management, and an expert on cybersecurity. “What you were able to easily identify as a scam two or three years ago is going to become nearly impossible to identify.”

The wealth of information available online can allow fraudsters to create convincing messages. 

“Voice deep fakes need 30 seconds of audio to completely imitate you,” Klein says. “The more public you are, the more vulnerable you are.”

Image by Cassidy Reed

If cyber criminals obtain information about a family’s investments, for example, they could use that to persuade a family member to send money or information.

Having good technical defenses is, of course, essential. But many of the steps needed to protect the family office against cyber attacks will be less technical and more human-oriented. Here are three steps experts suggest family offices take to complement their technical security efforts:

* Start with a discussion. Many decisions about cyber security require trade-offs between protection and ease of access. Both family members and the professional staff of the family office need to be involved in these decisions.

“You could run your family office exactly like a company and run quarterly security audits and have a strike team. You could force everyone to use a VPN, or say no one can use the same phone for personal and business calls,” Klein says. “This is part of what makes family offices so uniquely vulnerable, because most families are not going to want to do that.”

Once the family members and family office leaders have determined what their risk appetite is and what sorts of precautions they would like to see, they can bring in professionals for advice and implementation. Some of the questions, particularly about how to structure access to money in a way that is both secure and not too cumbersome, may be worth asking a financial advisor as well as a security expert.

* Use non-technical tools to decrease risk. How many people — in the family office or among family members — have access to the family’s money? How easy would it be for them to send it to a cybercriminal if they were fooled into thinking, for example, that a family member needed it?

There are a variety of controls that can help make fraudulent spending less likely. Family offices can require two people to authorize expenditures over a certain amount, for example, or put caps on the amount of money that can be transferred out of an account at one time. They can also make sure they know how to contact family members to verify that a phone call or email that appears to be from them actually is.

“It’s not a one-size-fits-all,” Klein says. “You’re introducing inefficiencies into the system in order to increase authentication. How do you diminish the most risk for the least amount of effort?”

* Educate early and often. Cyber security education can range from bringing in an expert to teach classes to sending family members and employees security-focused newsletters or videos to watch online. Education could start with general tips on cyber security and then move on to the specifics of how the family office is set up.

How much education do family members and employees need?

“It depends on how much technical acumen they have, what the appetite is for understanding, and how much access they have to individual resources,” Klein says.

One goal of the training should be to be sure people know when to report attempted cyber attacks — and that they are encouraged to do so.

“Make sure employees are comfortable reporting cyber mistakes,” Giblin says.

And because cyber attacks continue to evolve, training will need to be more than a one-time event.

“Put a practice in place,” Klein says. This could mean a quarterly review of cyber security, for example, or an annual family workshop. “You’re going to need to re-up this education quarterly or biannually.”

About the Author

Margaret Steen

Margaret Steen is the editor of FO Pro, The Family Office Professional. Based in Silicon Valley, she has written for Family Business Magazine for more than 15 years.

