One of the most critical aspects of a family office’s role is to manage risk on behalf of the family. Cyber threats pose some of the most significant risks that families face today. With the increasing use of technology in business operations, it has become crucial for family offices to ensure that their systems and networks are secure. This not only includes the physical security of the office but also the security of the data stored and transmitted through these systems.
The Family Office is Not an Island
It’s not too difficult to enhance the security posture of a family office if we treat it like an island. We can perform threat assessments on the family office, which will often lead us to harden the technical infrastructure and workstations, employ a mobile device management solution, implement training programs, and ensure all devices are properly patched. By doing so, we can reduce the risk of cyber attacks and protect the family’s assets.
However, treating the family office as an island can only protect it to a certain extent. The family office must interact with vendors, service providers, and family members, and these interactions can pose a significant risk to the security of the family office.
Minimizing Vendor Threats
Threats from the vendor side can be minimized but not fully erased by developing a Vendor Risk Management program and doing proper due diligence before working with a new vendor with whom you intend to share sensitive data. This will help to ensure that the vendors you work with have proper security measures in place, and that they will not be a weak point in your security posture.
Securing Information Flow to Family Members
It is the information sharing between the family office and family members that requires our attention. When sensitive data intended for a family member leaves the island, where does it go? The answer to this question for many family offices is: “to the personal email account of a family member,” typically a Gmail or Hotmail account. These accounts are not commonly under the jurisdiction of the family office and thus are not subject to the risk management program for the office. Personal email accounts may have poor passwords or may not employ multi-factor authentication, yet they are often treasure troves of sensitive data. This makes them a prime target for cyber criminals.
Worse yet, what if the family office needs to initiate a litigation hold on communication between itself and family members? How is that possible when the family office uses official company email addresses and the family uses personal Gmail accounts? This can create a legal headache and cause problems in the event of a lawsuit.
At the core of this issue is the willingness of family members to adhere to seemingly inconvenient protocols put in place by the family office, which is acting in the best interest of the family. Family members may not fully understand the importance of security measures, or may not be willing to follow protocols that they perceive as inconvenient.
Centrally Manage Communication Where Possible
The easiest solution is to work with the family to ensure that all communication between family members and the family office is conducted using centrally managed software, such as Microsoft 365. By using a centralized system, the family office can ensure that all communication is secure and that there is a clear chain of custody for all data.
Using organizational email via Outlook solves the email part of this problem. Microsoft Teams takes it a bit further and solves the real-time chat (instead of SMS) and calling (via Teams Telephony) parts of this problem. This way, the family office can manage and secure all communication between family members and the office.
In a single solution, we can secure communication between the family and the family office and ensure that, if a litigation hold must be implemented, it does not interrupt the day-to-day activities of anyone involved.
In conclusion, securing external communication is a crucial aspect of a family office’s role in managing risks on behalf of the family. While it is relatively easy to enhance the security posture of the family office by treating it as an island and implementing various technical measures, it is important to also consider the interactions and information sharing with vendors, service providers, and family members.
The use of personal email accounts by family members can be a weak point in the security posture, and it is important for the family office to work with the family to ensure that all communication is conducted through centrally managed software, such as Microsoft 365.
By taking these steps, the family office can secure communication and protect the family’s assets from cyber attacks.