Weak links in Family Office cybersecurity

One of the most important roles a family office plays for the family it serves is that of risk manager. It is no secret that cybersecurity plays a large part in any risk management program.

Most family offices make the false assumption that their IT provider is handling cybersecurity efforts, but this is often not the case. While some managed service providers handle cybersecurity to some degree, the majority of technology companies need to be coached and directed to handle the unique needs of a family office. Many times, their work will need to be supplemented by other technology providers that focus specifically on different areas of cybersecurity.

At Annapurna Cybersecurity, we believe that cybersecurity efforts should begin with a comprehensive threat assessment that extends beyond the family office to include other locations the family seeks to protect. If the IT function is outsourced, then the audit should extend to the IT provider’s practices and processes.

Your Cybersecurity Program is Only as Strong as its Weakest Link

One of our core tenets at Annapurna Cybersecurity Advisors is that your cybersecurity program is only as strong as its weakest link. While technology can address some cyber risk, we've seen patterns in our work where threats arise from weak links that aren't in scope for traditional threat assessment providers or IT firms. A comprehensive view of cybersecurity for a family office must take these things into account, so, in no particular order, here are the most common weak links we see when working with family offices.

Excluding Family Members from Cybersecurity Training

One of the greatest cybersecurity challenges that any organization faces is that its people are the weakest link. Thus, training is an essential part of any security program. A solid training program can turn people from a weak link into your greatest line of defense. However, too many times we see cybersecurity training being prescribed to family office employees while family members are excluded. Training should extend to all family members who use services from the family office; after all, family members are the highest-profile targets of bad actors. If family members are unwilling to participate, then 1:1 coaching should be employed.

Insecure Family Communication Methods

Many family offices that use a secure email solution such as Microsoft 365 still find employees sending sensitive data to the personal email accounts of family members. This is perhaps the weakest link in cybersecurity we routinely see when working with family offices. Personal email accounts may have weak passwords or may not employ multi-factor authentication, yet they are often treasure troves of sensitive data. Worse yet, what if the family office needs to initiate a litigation hold on communication between itself and family members? How is that possible when the family office uses official company email addresses and the family uses personal email accounts? The easiest solution is to work with the family to ensure that all communication between family members and the family office is conducted using centrally managed software, such as Microsoft 365 or Google Workspace. Until this weak link is mitigated, refrain from sending confidential information to external email accounts; instead, send links to assets and resources that require secure authentication, such as multi-factor authentication.

Lack of Network Oversight Outside of the Family Office

It isn't too difficult to bolster the cybersecurity posture of the family office network, but if the goal of the family office is to protect the family, shouldn't the IT organization have oversight over infrastructure at all properties that the family owns? At a minimum, we believe that IT should manage the network infrastructure at each property and provide proper network segmentation. In addition, any AV companies that attach devices to networks outside of the family office should be contractually obligated to keep these devices up to date and protected. Another benefit of having oversight of these networks is that, by monitoring the devices in use on the network, an IT provider can easily warn the family of any vulnerable Internet of Things devices being used.

Lack of Cybersecurity Program Governance

Having a cybersecurity program is great, but if it is not properly governed, confusion may arise when a cybersecurity incident occurs. At a minimum, your organization should define a clear owner of the cybersecurity program, and it should be widely understood that this individual is your "go-to" person should an incident occur. The program owner should also have clear steps to take, in the form of an incident response plan. If you haven't yet developed a comprehensive cybersecurity program for your family office, don't hesitate to reach out; this is what we do best.

Mitigating the Weakest Links in Your Cybersecurity Posture

In conclusion, family offices must take a comprehensive approach to cybersecurity in order to protect themselves and the families they serve. This includes conducting thorough threat assessments, including all employees and family members in education efforts, securing communication with the family, managing infrastructure and networks outside of the family office, and establishing governance over the family office’s cybersecurity program. By taking these steps, family offices can reduce the risk of cyber attacks and protect the assets of the family. Working with a specialized cybersecurity advisor who has experience in the space can help to ensure that all areas of risk are identified and addressed.