They moved slowly, hidden from everyone. Computer by computer, they stalked their prey. Phone by phone, they sifted through thousands of emails, documents, and access credentials until they built a map of the entire network.
They collected and cataloged every password they found. Every system they could access.
Then they struck.
One swift blow redirected the liquid assets of a family office to an offshore location before the money was quickly split into thousands of payments, and the laundry process started…
The game was over. It took almost a year from the first computer they hacked until they were ready to strike.
Nobody noticed them; nobody knew they were in the network.
The IT experts were confident in the firewalls and antivirus systems – after all, the security company that sold them promised miraculous protection at an acceptable price.
Why did the family office fall? Who was to blame?
Was the first victim who opened an infected spreadsheet to blame? Were the IT admins at fault for not noticing that every computer in their network was compromised?
Was it the antivirus that did not detect the hackers? Were the firewalls at fault?
If you launch an investigation into such a breach, and they are frequent, considering the calls we get – you could find hundreds of reasons, but they all come down to this:
A lack of a proper cybersecurity architecture.
IT experts are not supposed to create secure systems. That’s not their expertise. And antivirus and firewall sellers are supposed to sell. So, if you combine IT experts and snake oil defense salesmen, you usually get a security breach sooner or later. This is the case in every breached family office we’ve ever encountered.
Overview of the cybersecurity landscape for Family Offices
Family offices usually have small IT infrastructure unless we discuss the largest ones. With a small IT infrastructure, you also typically have a small, trusted team of IT experts who handle everything from access to emails to setting up new computers and a few servers. Nothing fancy.
You may see the standard email and collaboration services hosted at Microsoft 365 or Google Workspaces. Windows computers. Some famous antivirus/EDR/XDR providers, a firewall…
A website and a few asset managers. Sometimes, the Family Office might own a few software development companies, and then those companies become a digital extension and expand the company’s IT infrastructure, not necessarily being fully interconnected.
The challenge here is that we usually see a complete lack of proper cybersecurity architecture and guidance.
People get told to enable and have 2-factor email authentication, but nobody thinks about what happens if a computer gets compromised. Because a hacker having access to the computer of one of your asset managers or accountants or even to the computer of your CFO or their administrative assistant, will not be detected. They usually don’t use computer viruses in the form that an antivirus would detect.
And thus, hackers don’t care if you have 2-factor authentication. They gain access to a computer or network because of a lack of security controls – such as security hardening, regular patching, vulnerability management, etc.
And so the story ends… a Family Office, built with care and attention over generations, can fail due to a few missing security controls. Something that could have been prevented in a couple of months to a year by a small IT security team.
But there is a solution to this. Just avoid shortcuts. Invest the same care and attention in your cybersecurity as you did in accumulating and preserving your assets, and the hackers will merely choose an easier target!
The stakes are high: a breach can result in significant financial loss and damage a family’s reputation, potentially undoing years of careful wealth management. Thus, cybersecurity is no longer an optional safeguard; it’s a critical asset protection component.
Understanding the Cybersecurity Risks for Family Offices
Family offices manage a broad spectrum of assets, from traditional investments like stocks and bonds to more modern holdings like cryptocurrencies. This diversity, while beneficial for financial growth, introduces complex cybersecurity challenges. Phishing attacks, ransomware, and insider threats are among the most prevalent dangers, each capable of exploiting even minor security oversights to devastating effect. Moreover, the consequences of a data breach extend beyond immediate financial loss to include regulatory penalties and irreparable reputational harm.
- The unique cybersecurity challenges faced by family offices are many, but mostly are the overreliance on commercial solutions and products and trusting IT experts to secure systems when the same should only be trusted to build the IT infrastructure, not secure it.
- Common cyber threats targeting family offices: phishing, ransomware, insider threats, and zero-day attacks against unpatched software and hardware.
- The implications of data breaches for family offices: financial loss, reputational damage. Hackers usually target liquid assets they can immediately transfer, so it is unlikely such a breach would be a deadly blow to your company, but it might as well be if the impact initiates a decline, be it a slow or a rapid one.
Technical Strategies for Protecting Family Office Assets
Secure Asset Management Platforms
The cornerstone of any cybersecurity strategy for family offices is the secure management of asset platforms. Choosing software that integrates robust encryption standards ensures that data remains inaccessible to unauthorized users, whether in transit or at rest. Encryption acts as a digital vault, guarding the confidentiality and integrity of sensitive information.
Best practices for selecting secure asset management software
- Ask for the platform’s SOC2, ISO27001, and NIST security compliance reports, as well as their penetration test reports.
- Do your due diligence and ask an expert to check the platform’s security practices and capabilities.
The role of encryption in safeguarding data in transit and at rest
Encryption plays a huge role, but not in its default implementation. Let’s say your computer and your phone are encrypted, too. But every file you share with the outside world usually leaves your premises unencrypted, which is a huge mistake. Encryption should be used as a daily practice in every way possible. Encrypt files, folders, emails, chats, everything you can.
Implementing multi-factor authentication (MFA) for access control
2-factor, or multi-factor authentication, is a good rule of thumb. But it can be hugely insecure if implemented the wrong way. Let’s say your users have SMS-based multifactor authentication. Did you know that the cost of a device capable of intercepting SMS messages is in the 3-5k euro range? It’s as cheap as a couple of iPhones.
Protecting Online Accounts and Digital Assets
Strategies for secure password management
Strong passwords are the first defense against cyber intrusions. Family offices should adopt comprehensive password management policies, utilizing complex, unique passwords for each account and employing password managers to store and manage them securely. But most create a policy document and rely on users to follow it. Wrong! Teach your users what a strong password is. Teach them what a passphrase is, and regularly check if they use their password management software (you have one, right?).
Audit online accounts regularly
Use spot checks. Pick a random asset management account and audit it for password complexity, 2-factor authentication use, and last IP addresses that have logged into the account (you should have access logs for that or demand that your asset management platform allows you to review access history).
Understand and mitigate the risks associated with cryptocurrency investments.
Cryptocurrency is often managed on exchanges, which puts your money at risk regardless of how well you’ve protected the accounts on the exchange. We recommend using the so-called “cold storage” for crypto assets.
Network Security for Family Offices
A well-designed network architecture that segments sensitive data and systems can enhance security. Using this approach, you could limit the potential impact of a breach by isolating it to a specific segment of the network.
Virtual Private Networks (VPNs) offer a secure solution for family offices requiring remote access to their networks. VPNs encrypt internet traffic, ensuring that data remains private and safe even when accessed from public or unsecured networks.
- Deploying firewalls and intrusion detection systems (IDS) to protect internal networks.
- Secure network architecture design to segment sensitive data and systems.
- The benefits of Virtual Private Networks (VPNs) for remote access.
Device Security for Asset Managers and Accountants
The personal devices of those who manage and account for a family’s assets can be vulnerable entry points for cyber attacks. Our investigations show that such computers are most often the entry points into a network as these people always open all kinds of attachments. Ensuring these devices are equipped with the latest antivirus software and are regularly updated can thwart a range of malware and cyber threats.
Adopting device management policies that mandate regular software updates and using secure, dedicated devices for sensitive activities like financial transactions is also essential. Such policies help mitigate the risk of device compromise, which could lead to unauthorized access to the family office’s network and assets.
Even though we believe antivirus and antimalware solutions provide less than 2% of what a company needs to protect itself, you still need these 2% as a security control.
All devices used in the company (or companies owned by the Family Office) should implement device management policies, including regular software updates and patches. Regular users should be unable to avoid or postpone updates to their OS or applications. 3rd party applications such as PDF readers should be updated as well, don’t rely only on the Windows/MacOS update mechanisms.
In cases where specific people or activities require secure, dedicated devices for high-risk activities like financial transactions, use such devices. We can help you create and configure them.
Advanced Cybersecurity Measures
Behavioral Analytics and Monitoring
Your IT (or even better, your security team) should use some form of behavioral analytics tools to detect unusual activities that could indicate a breach. There are security vendors you can do this with, but the absolute minimum you should cover are your desktops, laptops, and for the cloud services you use, such as email and collaboration suites. Examples of things you should be able to detect on endpoints, new binaries execution and in your cloud services, and logins from impossible travel locations (login within minutes or hours from locations you cannot reach by plane that fast).
Implement continuous monitoring of network and system activities to identify and respond to threats quickly.
Cybersecurity Training for Family Office Staff
- Customized cybersecurity awareness training for all staff members.
- Regular phishing simulations to test and improve staff vigilance.
Incident Response and Recovery Planning
Your Family Office needs a comprehensive, efficient Incident Response plan. “But we are not having incidents, Alex!” – you think so? If you don’t detect any suspicious activities in your network, that’s just because you lack the detection capabilities. Not because things are not happening. Small or large security incidents occur in every single company out there. And the difference between a minor incident and a devastating one is your Incident Response plan and capabilities. Will you kick the attacker out immediately after they break into one computer, or will you leave them roaming for a year?
Another essential point is having regular backups (that you verify regularity, too) and disaster recovery procedures to minimize data loss.
Legal and Compliance Considerations
Understand the regulatory landscape affecting your family office (e.g., GDPR, CCPA) – it is relatively easy to give an assignment to the law firm you use or your legal team to summarize the cybersecurity regulations you should follow.
Ensure compliance with relevant cybersecurity and data protection laws.
Partner with Cybersecurity Experts
When and why to engage with external cybersecurity consultants or managed security service providers (MSSPs)?
“Better safe than sorry” works pretty well here. Which means you better build your defenses before you need them.
Criteria for selecting the right cybersecurity partners for family offices
- Previous experience defending small organizations following established cybersecurity architecture best practices rather than just selling and reselling security solutions for commission.
- Experience with global firms.
- Solid technical expertise – make sure you’re not just speaking to a security firm where the team consists primarily of a sales team. Insist on speaking with a technical expert.
Today, cybersecurity is necessary for protecting family office assets across generations. Decades and even thousands of years ago, wealth was preserved by keeping small private armies, diversifying assets, and building fortresses. Things haven’t changed – you still need defenses, just a different kind.
We encourage you to adopt a proactive and layered approach to cybersecurity.
Act Now
Get in touch with us today so we can conduct a cybersecurity assessment. If a hacker is in your network today, we will find them and kick them out. If there is none yet, we will help you prevent one from getting in.
We offer tailored cybersecurity strategies for Family Offices and specialize in creating small, fortified IT infrastructures based on solid cybersecurity architecture principles.
