Dot conned: Cyber crime's war on family offices

Robocrooks are massing at the cyber gates but Asia-Pacific family offices are slow to build up their online immune systems.

Complacency could be one of the biggest threats to family offices, as they deal with the ever-present, if largely hidden, danger posed by cyber-crime. Research shows the family office community is especially vulnerable to these attacks.

The Global Family Office Report 2016 tracked breaches for the first time this year. A significant 15% of our community acknowledged being victims of an attack, and those were the ones who either admitted it or were aware of it in the first place. The majority resulted in losses of $50,000 or less, although one case resulted in the loss of $10 million or more.

The scale and speed of cyber-crime at a regional level is chilling. An estimated $81.3 billion was lost to cyber-crime in Asia-Pacific in the 12-months to September 2015. At least 400,000 Chinese hackers are believed to be targeting the mainland while professional criminal gangs, some assumed to be state sponsored, from India, Russia and North Korea, are thought to be active in Asia.

FireEye—a respected security company—said Asian organisations allowed attackers to “dwell in their environments” for an average of 520 days before discovery, more than three times the global average of 146 days.

Hong Kong law enforcement agencies report an increase in 'ransomware' cases by more than 1,072% year on year, with a spate of attacks attributed to the Locky and CryptXXX viruses early in 2016. Hong Kong police report cyber-crime already outweighs all other financial crime in $HKD value.

'Business Email Compromise' scams are also rampant. At a gathering, Campden Wealth heard from a family that had been attacked, where emails masquerading as instructions from the chief executive to transfer funds had been given. Vigilant staff noticed the orders were out of the ordinary. Nevertheless, the company had been penetrated and time and money had to be invested to take remedial action.

What then can family offices do? The best chance is to investigate or address existing weaknesses. Systematic checks are rare, defensive software is not employed, staff remain untrained, and many have unclear guidelines for online threat analysis. Addressing some of these flaws is a good place to start.

But sharpening family office cyber-security can begin immediately with some simple fixes—for instance, ensuring passwords are secure. When reviewing connectivity, a friend of mine who is chief executive of a Hong Kong security company came across a password request. It took him two guesses to discover 'admin admin' was all that was needed to gain access. I must have looked crestfallen at such a 'rookie' oversight. He laughed and told me if he had been asked to do the same test in a 100 households or companies—he would find the same result in 98 of them. And therein lies the problem—complacency is common. Taking some of these simple steps could insure your family does not become another victim.