
Guest Feature: Cybersecurity Basics For The Family Office - Part Two

Theresa Pratt September 15, 2016

This is the second half of a two-part feature by Annmarie Giblin and Theresa Pratt looking at cybersecurity best practices for family offices. Based in New York, Giblin - who wrote part one - works at a US law firm while Pratt is director of IT at Market Street Trust Company.

This article is part two of last week’s discussion of the basics of cybersecurity. The previous article explored the legal best practices related to cybersecurity and discussed key concepts such as having an information inventory, a data retention policy, an incident response plan and a response team. These are all very important, and nothing said here should be taken to minimize how critical they are.

As the definition of cybersecurity from TechTarget.com suggests, proper cybersecurity is one-third technology and two-thirds practices and procedures. Due to my role as IT director, I take security very seriously, and that carries over to how I protect my home and possessions. We have a security system, cameras and other “techy” items in place to protect us. None of these is helpful, however, when I come home and find the house unlocked and my spouse has left his login names and passwords, written out on a piece of paper, lying on the coffee table. My flashy cameras are useless without the policy of not writing passwords on paper and the practice of locking the door when we leave. Technology, policy and practice must work symbiotically to achieve effective cybersecurity.

There are some realities of “boots on the ground” running a family office that are, in my opinion, unique to this industry. With these in mind, let me augment the comments from part one of this series with a few practical suggestions.

Preparing for the worst, hoping for the best – a realistic perspective

Many family offices are small organizations with limited resources. Obtaining additional resources usually means asking the family, either via the board, which is often populated with family members, or by going directly to the patriarch or matriarch. Additionally, the family members who wield the most control may be in a generation that typically does not understand or fully appreciate cybersecurity. I am of course generalizing and many exceptions apply, but this situation can create a unique challenge for family offices that wish to step up their cybersecurity game. So, as an executive caught in this interesting dilemma, what do you do?

First, training. Train yourself, train your staff, train your board, train your clients. The biggest threat any organization faces, whether large or small, is that someone will click on something bad or act on a fake request or phishing scam. There is not a technology in the world that can protect you from the random clicking of the unwary.

Proper cybersecurity awareness begins with an attitude of “question everything”. Are you really sure the email you just received is from your client? And if it is, are you really sure they want you to wire $200,000 to France for a painting? (This is a real example of a fake request we received from a hacked client email account.) Create a mindset of risk management in which every decision to act includes the question, “Is this action worth the risk?” We receive fake requests every single day: fake invoices demanding payment, email requests from “clients” asking for money to be wired, surveys asking for detailed information about our IT infrastructure, phone calls asking for details about staff and/or clients. The list goes on and on. I spend a significant amount of my time as IT director working one-on-one with staff members, looking at individual situations, determining whether or not they are legitimate and taking advantage of teachable moments. I tell the staff each and every time that I would rather answer the same question ten times a day than have them do something that creates a security incident. Your staff is your main line of defense. Tell them that, and teach them what to look for.

Training does not have to be expensive. There are many good online resources to help you become and stay aware. The SANS Institute is one of the best resources available. It publishes a monthly newsletter called OUCH! that talks about real cyber threats in plain English, as well as a video of the month and free security awareness posters. The SANS Institute also provides best-in-class training, which can be pricey; this is where the FBI goes for training. CIO.com is another great resource: you can sign up for email alerts that will literally fill your inbox with the latest and greatest of all things technology. As a next step, consider building relationships with your local FBI agents. Generally, the FBI wants to help you become educated and aware. Our local agent has come to the office twice in the past year to provide awareness training to the staff and board. When the FBI says it, the board listens. Once board members understand the threats, they are much more likely to approve resources for other, more expensive tools.

Another practical, inexpensive tip is to develop sound cybersecurity practices that everyone understands and follows. Develop a practice of using strong, secure passwords (14+ character passphrases) and changing them regularly (at least every 90 days). When using these passphrases, avoid common phrases. We recently hired an outside consultant to test the strength of our passwords, and he was able to crack (in less than 30 seconds) a 14+ character, complex passphrase because it was based on a common “greeting card” style statement. Develop a procedure for verifying the requests you receive: if a client emails asking for a wire, verify the request by calling them back on a number you already have, not one supplied in the email. Develop a procedure for sending sensitive information securely (not in the body of an email or as an unencrypted attachment).

Develop a procedure for keeping track of all the visitors in your building, including the regular delivery and service people. Empower your staff to politely confront anyone they do not know or were not expecting. Physical security is very important, and many breaches happen because nobody questioned the “FedEx guy” who picked up and walked off with a stack of sensitive papers. The security firm I employ to conduct our penetration testing says they have near 100 per cent success in gaining physical access by posing as UPS and/or FedEx delivery personnel. Implement a clean-desk policy under which all sensitive documents must be kept out of sight and under lock and key. Tell your staff: this is our house, and it is up to us to protect it.

Once you have taken care of these “low hanging fruit” items, turn your eyes towards the technical.

Make sure every computer in your family office is running antivirus. This too does not necessarily have to be expensive. Microsoft provides a decent antivirus called Windows Defender for free. It has been part of the operating system since Windows 7. If you already have antivirus, centralize the management of it so you can easily tell whether everyone is up to date. Also, know which antivirus you are running and make sure your staff knows too. A very common scheme is called the fake antivirus: a window pops up claiming to be your antivirus, but if you click on it, you get a virus. If you know you are running McAfee and a Norton window pops up, it is fake and you won’t be fooled. Additionally, consider antivirus on your mobile devices. Norton makes a good one, and it is available in the app stores.

Another important thing you can do is implement regular patching. Patch your user computers, patch your servers, update your mobile devices. Keep your internet browsers up to date. Regular patching means weekly patching. Many viruses and infections take advantage of weaknesses that have been known about for a long time. Patches are written to fix those weaknesses, and applying them shores up the deficiencies in your protective armor. There is also what is called the “zero-day exploit”, which is when a criminal finds out about a flaw, creates a way to take advantage of it and levels it at you before the fix or patch is available. This type of attack is much less likely, so put your resources into protecting yourself from the greater risk by patching regularly. If you do not know how, find a person or a service who does.

A monitoring/management service such as LogMeIn or LabTech can help you stay on top of this so you know for certain the patching has been done. Patching is all too often overlooked, even by much larger organizations. If you are not patching, you are wearing old, broken armor. If you have a legacy system (as in: we used to use it, have moved on, but need it for historical purposes) that can no longer be patched or updated, remove it from your network. Place it on a computer that has no internet or network access and require your staff to walk up to it to use it. That way, if it is compromised, the virus, hacker or other threat has nowhere to go.

Once you have done these things, turn your eyes to sound, daily back-up procedures, disaster recovery, business continuity, incident response and all of the other very important things discussed previously. Cybersecurity is most effective when implemented in layers. Training, procedures, antivirus and patching provide the foundational layer on which everything else rests.

Conclusion

Cybersecurity is a complicated issue for the family office and, as demonstrated above, not an easy one to address. It is an ongoing, evolving subject that requires constant attention and work. Cybersecurity will never be effective if addressed with a “check the box” or “set it and forget it” mentality. As part one discussed, there is evolving research, thought and best practice that helps set the framework for an effective program. This is a new and growing area of legal thought that cannot receive enough attention. This part of the series has tried to address the pragmatic realities of managing cybersecurity in an active family office. The best overall approach is to intertwine policies, practices and technology, while being diligent with training and physical security. The unfortunate reality is that a family office will be a victim of a cyber-attack; now is the time to prepare.