Let’s face it. Most of the cyber advice out there is designed to sell a product or a service, and it rarely leaves the reader with anything actionable other than a reason to call the author. Let’s try to change that, specifically for High-Net-Worth Individuals and Family Offices.
The threat is real and becoming more visible by the day. According to a 2021 survey run by the Family Office Exchange (FOX), cybersecurity is the primary concern for Family Offices and High-Net-Worth individuals. In practice, neither Family Offices nor High-Net-Worth individuals have the resources or in-house expertise to deal with the threat. Like other SMBs, they are highly focused on their craft and organizational objectives, and not so much on the supporting functions that larger, usually publicly traded, organizations take for granted.
Well-publicized attacks like Target, Capital One, and Colonial Pipeline have raised awareness. Did you know that ransomware attacks against Family Offices and High-Net-Worth individuals have ramped up significantly? The reason is simple: they have the money and they are not prepared.
Since the world increased sanctions on Russian oligarchs, are you aware that we have seen increased activity against Family Offices and High-Net-Worth individuals? In fact, the Russian Foreign Ministry sanctioned government leaders and private citizens, going on to say:
“More announcements will be made soon concerning the expansion of the sanctions list to include other top U.S. officials, military leaders, lawmakers, business executives, experts, and media personalities who promote Russophobia or contribute to inciting hatred of Russia or imposing restrictive measures.”
The Russian Foreign Ministry subsequently made good on its promise by sanctioning additional private U.S. citizens and business executives while also banning all 398 members of Congress.
While I doubt most people believe being sanctioned by Russia will have much impact, it is a nod to the hackers: going after the people on that list curries favor with the Russian government, and in return the criminal groups are allowed to operate with impunity.
Choose Your I.T. Provider / Staff Wisely.
All the advice about Multi-Factor Authentication (MFA), backups, passwords, training, and awareness is fantastic and spot-on, BUT that is not what you do for a living. It is like having a mechanic tell you the car needs a new alternator and then walking away. We want them to fix it.
There are somewhere around 3,000 to 5,000 high-net-worth individuals and Family Offices in the U.S. In my experience, almost all of them outsource their I.T. function. The number one thing you can do to raise your cyber hygiene is to do your due diligence on your provider.
All of them will say cyber security is essential. Check to see if they have what is known as a third-party attestation. I recommend you ask if they are ISO 27001 certified and if they have a SOC 2, Type 2 report. Also ask about industry-specific attestations such as FedRAMP or PCI DSS where they apply to the services you are buying. Read the scope, not just the cover page: a SOC 2 report covers named systems over a stated period, so confirm the services you rely on are actually in it and that the auditor noted no exceptions that matter to you. Doing so gives you tangible evidence of how cyber-aware they are and whether that awareness has been operationalized.
Personally, I would not put my assets or my family’s livelihood in the hands of anyone who cannot show they have proven to an unbiased third party they have good cyber hygiene. Would you hire an accountant who does not have a CPA? Would you put an attorney on retainer who does not have a license to practice?
Test Your Backups. Ransomware works because it holds your data hostage; that is where the name comes from. The folks who pay the most ransom are the ones who cannot recover their data. Do not make yourself a victim. Be sure your provider backs up your data daily, keeps at least one copy offline or immutable (ransomware crews routinely delete or encrypt every backup they can reach before they encrypt production), and tests those backups at least once a quarter. A test means an actual restore to a separate location with the restored files checked against what was backed up, not a job log that says “completed”.
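Here is what a quarterly restore test looks like in practice. This Python script is an added example, not the authors’ code or any provider’s tooling: it backs up a directory, records a SHA-256 manifest of every file, restores the archive somewhere else and checks every restored file against the manifest, then shows the same check catching a silently altered file and a missing one. The sample files, directory names and the 24-hour freshness window are constructed for the demo.

```python
"""Backup restore test: back up a directory, restore it somewhere else,
and verify every file against a SHA-256 manifest taken at backup time.
Added example, not from the newsletter. The sample files in demo() are
constructed; directory names and the 24-hour freshness threshold are
assumptions."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    # Keep the manifest outside the archive so a damaged archive cannot
    # also damage the record you check it against.
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # The 'data' filter refuses absolute paths and "../" members,
            # so a tampered archive cannot write outside dest.
            tar.extractall(dest, filter="data")
        except TypeError:  # Python versions without the filter argument
            tar.extractall(dest)


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare restored files with the manifest. A backup job that
    reported 'success' tells you nothing until this passes."""
    actual = build_manifest(restored)
    missing = sorted(p for p in manifest if p not in actual)
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(p for p in actual if p not in manifest)
    return {"checked": len(manifest), "missing": missing, "corrupt": corrupt,
            "extra": extra, "passed": not missing and not corrupt}


def backup_is_fresh(archive: Path, max_age_s: int = 24 * 3600) -> bool:
    """'Daily backups' means the newest archive is never older than a day."""
    return time.time() - archive.stat().st_mtime <= max_age_s


def demo() -> dict:
    """Full cycle on constructed sample data: a clean restore passes, a
    tampered restore is caught. Returns both verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "family_office_share"  # constructed sample data
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "ledger.csv").write_text("date,amount\n2024-01-02,1500\n")
        (src / "docs" / "trust_deed.txt").write_text("constructed sample document\n")
        (src / "notes.txt").write_text("quarterly restore test\n")

        archive, manifest_path = tmp / "backup.tar.gz", tmp / "backup.manifest.json"
        manifest = create_backup(src, archive, manifest_path)

        clean = tmp / "restore_clean"
        restore_backup(archive, clean)
        clean_report = verify_restore(clean, json.loads(manifest_path.read_text()))

        # Simulate silent corruption and a lost file in a second restore.
        tampered = tmp / "restore_tampered"
        restore_backup(archive, tampered)
        (tampered / "docs" / "ledger.csv").write_text("date,amount\n2024-01-02,15000\n")
        (tampered / "notes.txt").unlink()
        tampered_report = verify_restore(tampered, manifest)

        return {"fresh": backup_is_fresh(archive), "clean": clean_report,
                "tampered": tampered_report}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it as-is and it prints a passing report for the clean restore and a failing one naming `docs/ledger.csv` as corrupt and `notes.txt` as missing. Against real backups, keep the manifest with your own records rather than on the provider’s systems, and ask the provider for the restore report, not just the backup job status.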
Training & Awareness. Above all else, this is the highest return on investment (ROI) you will see in the cyber security space. Almost all cyber-attacks require a human to do something silly: click a link, open an attachment, approve a login prompt, or wire money on the strength of an email. A good program will dramatically reduce the likelihood of you being a victim. If your provider does not offer this, there are plenty who do. By the way, if you have a program, you will know very quickly whether it is having an effect: calls to help desks and hotlines will grow because the staff is getting paranoid, and that is exactly what you want.
Patching and Vulnerability Scanning. Most attacks exploit a known weakness that has a known patch. Be sure your provider is patching their systems and yours as well, and ask for the evidence: a patch report and a scan report, not a verbal assurance. Run vulnerability scans at least quarterly to verify. One of the most useful metrics in this space is commonly referred to as “Twitter to Attack”: from the time a new vulnerability is pushed out on Twitter to the time attacks are reported is between two and four hours. (Strictly speaking, a zero-day is a vulnerability exploited before a patch exists; the point here is that once details are public, exploitation follows within hours, so a patch cycle measured in months is far too slow.)
Insurance. Insurance may well be the most misunderstood part of any cyber strategy. Insurance does not prevent anything. Instead, it is designed to reduce the impact when something happens. Most policyholders do not realize the policy includes reporting requirements (often a short window to notify the carrier after an incident is discovered) and maintenance requirements, such as keeping MFA and backups in place; fall short of them and the claim can be denied. Policies often limit which service providers you can use. Review your policy and address how it fits with the rest of your strategy. This is a much larger topic, possibly the subject of a future newsletter.
Outside Counsel. Another misunderstood topic, and one that needs to be discussed long before an incident. Outside counsel will probably advise you to run everything through them to preserve privilege. Does your insurance coverage allow that? How does that work with the reporting requirements? How does that work with law enforcement? How to engage outside counsel is also a much larger topic, probably best dealt with in a future newsletter.
By Alex Sharpe
Talon Cyber Tec LLC
Ron Williams, CFS
United States Secret Service-Retired