In May, Target chief executive Gregg Steinhafel stepped down after 35 years at the chain, following revelations a data breach had affected 70 million customers – one of the largest consumer data breaches ever. It came just one year after the National Security Agency (NSA), one of the most secretive government bodies in the US, was embarrassed by third-party contractor Edward Snowden, who released information to the media about their surveillance of non-consenting individuals. Data security breaches, big and small, are on the increase, and are making headlines.
So if the likes of the NSA and Target struggle to keep their data secure, how do family offices fare? Jane Flanagan, senior consultant at Family Office Exchange describes data security as a “perennial concern” for their clients. A survey carried out by the family office networking organisation revealed data security was the top technology concern for respondents, along with systems integration.
It is difficult to find figures about exactly how prevalent data security breaches are among family offices, but head of cyber security at Salamanca Group Rory Innes, says the merchant banking and operational risk management company sees “quite a lot” in this space. In financial institutions, the number of detected incidents in 2013 increased 169% on the previous year, according to PwC research, with the average organisation experiencing 4,628 incidents a year. Its research also found that regulatory compliance was a major driver of spending on data security in the financial sector, but that threats to business were advancing at a faster rate than security measures.
Good security is about people, process and technology, Innes says. “Too many organisations, including family offices, buy some security technology and assume they’re secure. So they’ve got an antivirus, they’ve bought a firewall, they think they’re done.”An attack, Innes explains, can mean systems are disabled for anywhere up to a week. “That can lead to the loss of productivity and the loss of time managing the family office’s investments. In addition, there could be costs from paying an expert to help re-establish the system or even replacing a piece of technology.”
A cyber attack might not just threaten your computer and your data; it could affect your home and your family, exposing sensitive information about your location and movements. “What you might see is that a member of the staff, a maid for example, posts on Facebook something like ‘the family are away this week, should be an easy week’,” says Innes. “And then the family get burgled because no one is home. There is a blurred line between physical and cyber security.”
Waking family offices up
With 79% of single family offices having a staff of just seven employees or less, according to Family Office Exchange research, Flanagan says most do not have a dedicated IT resource. Around two-thirds of their clients use an external resource to manage IT systems. The responsibility for keeping data secure then falls on family or staff members who may not feel comfortable around technology.
“That is quite often the challenge,” Innes says. “Either the members of the family or the staff in the family office aren’t IT people. Therefore, security conversations and technology conversations can be confusing and can be a bit uninspiring.” When this is the case, Innes introduces family members to security processes that are personal to them, such as securing their computer or ensuring their social media privacy settings are correct, and then moves the data security conversation from there.
Edouard Thijssen, co-founder of family office and family business intranet provider Trusted Family Network, says “half the battle” with cyber security in family offices is raising awareness. “People generally only focus on this once they have already been affected,” he says.
No appetite for risk
Once the family is engaged, the next step is determining where vulnerabilities lie. Thijssen explains that an initial examination of the family office’s security should include what device everyone in the family and the family office is using, what data is on each computer, whether that data is sensitive and which family members and employees can see it. “Then you need to look at the related risks – do systems need privacy settings upgraded? Providing a basic risk analysis then informs what follows,” Thijssen says.
Linked into that is regularly updating or changing passwords and other security processes, and having a good general awareness of current risks. For example, in April Microsoft announced its operating system Windows XP would end its customer support, potentially leaving users open to cyber attacks – exactly the type of information family offices need to be aware of. The system is well over a decade old, but with its replacements including, first, the bug-filled Windows Vista and, second, Windows 7, released in the midst of the global financial crisis, Windows XP is still in use by a number of companies and organisations.
In addition to knowing where the vulnerabilities lie in a family office, it is important to understand the motivations of those who might be a threat to data security. Innes says attacks by individuals external to the family office generally have three possible motives: direct access to money; the chance to make a political statement; or to access commercially or personally sensitive information.
“Criminals that are seeking financial gain could attack a family office to either steal identities and use that for financial gain; to access financial information directly to steal money; or they can hold a family office to ransom and demand money in exchange for giving access to their IT back,” Innes explains.
He also points out there has been a big rise in hactivism, which some wealthy individuals could be vulnerable to if they are strongly politically aligned, or there has been negative press around the ethics or corporate responsibility of organisations from which the family made its money. “That was a lot of the momentum behind the hactivism with Anonymous and LulzSec,” Innes says. “If they disagreed with your views as an organisation, as an individual, you were on their list.”
Take for instance the staunchly Republican billionaire brothers David and Charlie Koch – who were targeted by Anonymous in 2011. In a ‘denial of service’ attack the website for their family business, Koch Industries, was taken down for 15 minutes due to their support for legislation curbing public sector unions’ power. The direct loss from the event was less than $5,000, but the company spent $183,000 on IT security consultants in anticipation of the event. In a press release issued at the time, Anonymous said the Koch brothers undermined the political process through their lobbying, and the attack was a chance to “fight back”.
While data security breaches may conjure images of software vulnerabilities, often it is people rather than technology that are responsible for data leaks – whether unintended or maliciously motivated. Innes explains: “It may be an ex-employee who has a lot of access to information, and they’ve left [the family office] or have been let go, and have a bit of an axe to grind and releases that information.” More commonly, a family office staff member over shares on social media, publishes information by mistake, or leaves a laptop or device on a train or some other public space.
Consider, for instance, the viral public service advertisement released by Belgian financial sector organisation Febelfin in 2012. The YouTube video, which today has more than 11 million views, shows real members of the public believing they are about to have their mind read. The accuracy of the “psychic” becomes extremely disconcerting, however, when he starts telling them their bank balance and their spending habits. By the end of the video, it has been revealed that a team of researchers, hidden out of sight from the participants, has been gleaning the information from their social network profiles and other online data.
In addition to sharing too much information online, family offices need to remain vigilant about hackers or fraudsters who are trying to dupe them. Social engineering, in the IT world, refers to the manipulation of people so they might inadvertently disclose information. Thijssen comments: “Most leaks are people issues where weak passwords have been chosen or social engineering or phishing has taken place. Ultimately if you are a fraudster with bad intentions then social engineering is pretty easy.”
Alan Brill, senior managing director at US risk mitigation company Kroll, says it’s not feasible for smaller organisations like family offices to constantly monitor activity, “but they do need to always be thinking about whether the person they are talking to is fake, if an email looks suspect and whether they are being asked to give up inappropriate information.”
The big technology trend for family offices this year is mobile applications, according to Deloitte’s 2014 private wealth outlook report, Championing growth: redefining the roles and responsibilities of the evolving family office. In particular, Deloitte says tablets will be used for monitoring investments and performance reporting to facilitate virtual client meetings and enhancing in-person meetings. “Presenting a family member’s quarterly review on an interactive screen, rather than presenting a review on paper, can be a much more engaging way to interact,” the report says.
But Flanagan warns: “The same security that is applied to the physical family office – firewall, virus protection and secure VPN (virtual private network) – also needs to have a remote application.” She adds that separate mobile devices should be used for work and home and these should be accessed using dual authentication (a two-step identification process, rather than a single password).
In response to growing privacy concerns in the mobile space, the Blackphone was released for sale in the US in June, with features including preloaded security apps, disabling of Wifi except in trusted hotspots, and anti-theft features. Kroll adds: “Anti-malware software is often run at home and in the office but rarely on mobile devices. One of the hottest areas for malware design is in mobiles because they are frequently left unprotected.”
The danger of transferring confidential information has caused many family offices to adopt client portals – secure website that provides clients and staff with access to files, services and confidential information. According to Flanagan, client portals are typically used for the secure exchange of financial information but customers also use it to check the most up-to-the-minute information on their accounts.
Client portals share many similarities with cloud computing. In client portals, computing is delivered as an online service rather than a product, but can have significant advantages when transferring confidential files, consolidating account data, and security thanks to their advanced algorithms. Flanagan says client portals use the same security system used in Internet banking services, which far outperforms equivalent services on PCs or networks.
“The portal is a secure website, password protected and the data held within it is encrypted – this includes data that would come into the family office from third parties,” Flanagan says. “A key element of a platform is secure messaging, making it hard to break into the family office via email and send false instructions or attempt to fraudulently gain access to information.”
According to Christina Conners, an executive at Greenway family office: “Many firms have begun to appoint the family members as the “administrator” for their secure networks, meaning the family helps decide which outside advisers and which family members are granted permissions, and the level of permissions granted.” The platform provided by Trusted Family Network, for example, comes with an annual security check and is hosted remotely. Thijssen believes that remote hosting makes for better security when it comes to live data and also acts as a secure information repository.
According to Deloitte, cloud-based systems allow family office employees to work from almost anywhere – allowing business continuity in all scenarios, including natural disaster, a widespread blackout, or even a terrorist attack. Flanagan says 46% of Family Office Exchange clients are using cloud software. The cloud doesn’t just offer the family office automatic security and application upgrades, but also means physical data isn’t held on site.
When a family office doesn’t have huge resources, the cloud, an alternative to internal IT systems and infrastructure, can provide stronger security than they might otherwise have access to, says Innes. “If you’re Amazon or Microsoft or Dell, who are providing cloud services, you spend a lot of money on security in that environment. Any kind of breach has a big impact on your business. Whereas in a small organisation you likely can’t afford the same type of security that a big cloud service provider can. Every organisation should make their own risk-based decision about whether they’re happy to use cloud services. There’s also a cost benefit there as well and for many organisations the cloud can provide more security if they do it the right way.”
But Bunmi Sawande, technical specialist at F-Secure points out that a hosted service is essentially a third-party provider: “In terms of data security the cloud is a good solution but the service provider needs to be robust and be very security aware. The family office should always ask about encryption, data transfer, how data and passwords are stored and protected and who has the encryption keys.”
A post-Snowden world
The Edward Snowden affair has shown that even tightly controlled organisations can experience vulnerabilities through third parties such as contractors. The very task of protecting family data is often outsourced because many family offices lack an IT professional. As Paul McKibbin, managing partner at Family Office Metrics, points out: “Security effectively becomes beyond family offices’ control and they also cannot assume that data stays within a trusted environment. One of the biggest questions being asked of institutions is ‘who has privileged access to FO information?’ – often the big institutions cannot answer this question.”
Innes says a family office can buy technology that will help it monitor its network, but the important piece of the puzzle is ensuring the people and process around the technology make it work. “What they don’t think about is how often are we going to check that technology, how often are we going to check the log information to see what the firewall and the antiviruses are actually telling us. And if we do see something what do we actually do to verify if it’s a real threat or if it’s a false positive or whether it needs further investigation.”
And if a breach is detected the chance of catching and prosecuting offenders can be slim. “The problem comes down to jurisdiction,” Innes explains. “If your hacker is based in Russia or China it takes international co-operation to prosecute and trace that individual. Often for smaller breaches that isn’t done.”
Innes underlines that data security has to be an enabler, not a barrier that stops family offices taking advantage of new technology. “Security should be like brakes on a car, you can only go fast because you have brakes to keep you safe. And I think security should be the same, and your security person or your IT person should never really be saying no, they should be saying ‘yes, we can do this, but we need to think about this, this, and this’.”