Ben Tercha is chief operating officer of Omega Systems, a managed security services provider whose customers include family offices. He talks about the cybersecurity risks family offices face, and what they can do about them:
What trends are you seeing in your customers’ cybersecurity needs?
Identifying where data lives and who has access to it is becoming increasingly important when it comes to protecting that data. Today, everyone has data on their laptop and they’re working from home, on vacation, on the train, at a Starbucks. Data is not behind four walls of an office anymore – it’s in the cloud or on a PC.
What concerns do you hear from family offices?
Family offices are taking a proactive approach to protecting the data that resides on their systems. Data in the wrong hands can do very strong reputational damage in addition to the financial implications. Tax return data, access to bank accounts, access to trade information – all that is extremely valuable to a threat actor.
We are also finding that many family offices don’t have cyber liability insurance – which means in cases of ransomware attacks, the family has to pay that ransom versus relying on a cyber insurance provider.
How do family offices keep their data secure while still making it easy for family members to access it?
It’s kind of like a teeter totter: You want to have a good balance. If you make the system too secure, you start to jeopardize productivity.
Sometimes there’s the impression that the security posture is too restrictive – so we’ll get an edict to turn off multifactor authentication (MFA), for example, for a particular family member, because they don’t want to use it. But what they don’t realize is that that one change is not just impacting that one person – it’s potentially impacting the entire organization. To play out that scenario: We disable MFA, then the threat actor gains access to that mailbox and starts pretending to be that family member, authorizing wire transfers or payments to new vendors, while everyone else inside the family office thinks it’s OK because a family member told them to do this.
How are advanced AI capabilities changing cybersecurity threats?
With AI, threat actors could take a video of a family member that is posted on YouTube, take that voice and feed their own text to it. We did this as a test for one of our banking customers. The CEO had spoken at a banking forum. We grabbed the video and ran it through an AI engine. Then we called the bank’s service desk with the video impersonating the CEO, and we were able to get his password reset and log into his mailbox. If we’re doing that as the good guys, imagine what the bad guys can do.
This is why it’s even more important to have stricter policies and procedures.
What causes family offices to seek out a cybersecurity solution?
There are probably two or three main drivers that make customers come to us. One is regulatory requirement: A governing body says they must have a particular solution or they can’t conduct business. The second driver is cyber liability insurance. People who apply for this insurance are given a 12-page form with questions. They’re looking for help in filling out that form accurately, but also in implementing the controls that are required to lower their premium – or in some cases even to bind coverage. The last driver is an incident response: There has been a compromise, or at least a scare, that has caused them to really think about this in a more serious fashion. Unfortunately for family offices, they aren’t currently regulated and many also don’t carry cyber liability insurance; if they’re waiting until there’s a breach to seek out cybersecurity support, they’re already too late. The security-conscious family offices who look for proactive support – they are going to be best positioned to mitigate future risk.
What advice do you have for a family office that wants to improve its cybersecurity?
Start with the basics, including user security awareness training, an MFA solution, and a team that can respond if something does go bump in the night.
A lot of customers are missing some of these basics. And not having one basic thing doesn’t create risk in just that area – it creates risk for the entire business. For example, threat actors are often able to gain access to an environment by just guessing a username and password, or sending a specially crafted phishing email.
Many family offices assume no one would come after them with a cyberattack. But threat actors are looking for easy targets. If your defenses are low, it’s going to make it easier to gain access to your data, steal it, hold it for ransom, extort you – whereas if you have a stronger security posture, threat actors are going to try, but they’re going to move on to easier targets.
