Data breaches and information security are critical concerns for organisations and individuals as attack methods become more diverse and widespread. Media reports typically cover only breaches at large companies, but breaches of small organisations are far more frequent and, in aggregate, cause more damage. Family offices are at particular risk: the information they hold on high-net-worth individuals is extremely valuable to criminals, so their security measures deserve a closer look.
While data breaches should have been a key consideration in your security plan for many years, the threat is growing. Several trends are expanding it: the rising value of personal data on the black market, the emergence of cyber conflicts between nations that put consumer information at risk, the comeback of hacktivism, and the 2016 presidential campaign, which presents new opportunities for hacking campaigns.
Just a single data breach can cause significant damage to your organisation. Family offices often cannot tell that they have been breached, and in many cases attackers move faster than the defence can respond. Breaches often run undetected for extended periods, and organisations typically learn of them from a third party rather than from their own monitoring, which makes response planning a challenge.
Data breaches can occur in a number of ways, but the most common by far is hacking, that is, remote intrusion into systems. Breaches can also occur through:
- Social engineering: A criminal has direct contact with a representative or employee, manipulating him or her into surrendering credentials or sensitive information
- Physical means: Information is physically accessed or stolen by a criminal
- Misuse: An employee accesses or shares information in an unauthorised manner
- Errors: An employee makes a simple mistake that leaves systems and data vulnerable
A particularly vulnerable function for family offices is bill pay operations. Risks include check fraud, unauthorised payments, misuse of signature stamps, and poor management of multiple check books. Your family office can implement stronger controls through positive pay (the office sends its bank a file of issued checks, and the bank pays only items that match on check number, amount and payee, holding everything else for a decision), electronic approval workflows, multi-layer authentication for payments, and verification of the Magnetic Ink Character Recognition (MICR) line, which encodes the routing, account and check numbers, to detect counterfeit or altered paper checks.
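The matching step behind positive pay is simple enough to write down. The following Go program is an added example and is not code from the original article or from RSM; the structures, the sample register and presented items are constructed for illustration, and the 180-day stale-date threshold is an assumption to confirm with your bank. It goes slightly beyond the text by also flagging duplicate presentments and stale-dated items, two exception types most positive pay services report alongside amount and payee mismatches.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// IssuedCheck is one row of the issued-check file the office sends its bank
// each day. Amounts are in cents to avoid floating-point comparison.
type IssuedCheck struct {
	Number int
	Payee  string
	Cents  int64
	Issued time.Time
}

// PresentedItem is one check the bank reports as presented for payment.
type PresentedItem struct {
	Number    int
	Payee     string
	Cents     int64
	Presented time.Time
}

// Exception is an item the bank should hold for a pay/return decision.
type Exception struct {
	Number int
	Reason string
}

// StaleAfter is the age at which a check is flagged as stale-dated. 180 days
// is a common bank default and is an assumption here; confirm it with your bank.
const StaleAfter = 180 * 24 * time.Hour

// Reconcile matches presented items against the issued file. Anything that does
// not match exactly on number, amount and payee, that is presented twice, or
// that is stale-dated is returned as an exception rather than paid.
func Reconcile(issued []IssuedCheck, presented []PresentedItem) []Exception {
	register := make(map[int]IssuedCheck, len(issued))
	for _, c := range issued {
		register[c.Number] = c
	}
	seen := make(map[int]bool, len(presented))
	var exceptions []Exception
	for _, p := range presented {
		if seen[p.Number] {
			// The same check number presented twice: the second copy is a
			// duplicate or a counterfeit reusing a real number.
			exceptions = append(exceptions, Exception{p.Number, "duplicate presentment"})
			continue
		}
		seen[p.Number] = true
		c, ok := register[p.Number]
		switch {
		case !ok:
			exceptions = append(exceptions, Exception{p.Number, "check number not in issued file"})
		case c.Cents != p.Cents:
			exceptions = append(exceptions, Exception{p.Number,
				fmt.Sprintf("amount altered: issued %d, presented %d", c.Cents, p.Cents)})
		case !strings.EqualFold(strings.TrimSpace(c.Payee), strings.TrimSpace(p.Payee)):
			exceptions = append(exceptions, Exception{p.Number, "payee mismatch"})
		case p.Presented.Sub(c.Issued) > StaleAfter:
			exceptions = append(exceptions, Exception{p.Number, "stale-dated"})
		}
	}
	return exceptions
}

// SampleIssued and SamplePresented are constructed data for this demonstration.
func SampleIssued() []IssuedCheck {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []IssuedCheck{
		{1001, "Acme Landscaping", 125000, d(2024, time.March, 1)},
		{1002, "County Tax Collector", 4800000, d(2024, time.March, 1)},
		{1003, "Dr. Jane Lee", 35000, d(2023, time.August, 15)},
	}
}

func SamplePresented() []PresentedItem {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []PresentedItem{
		{1001, "Acme Landscaping", 125000, d(2024, time.March, 10)},       // clean match
		{1002, "County Tax Collector", 48000000, d(2024, time.March, 11)}, // amount altered in transit
		{1003, "Dr. Jane Lee", 35000, d(2024, time.March, 12)},            // 210 days after issue
		{1004, "Cash", 900000, d(2024, time.March, 12)},                   // never issued
		{1001, "Acme Landscaping", 125000, d(2024, time.March, 13)},       // presented a second time
	}
}

func main() {
	for _, e := range Reconcile(SampleIssued(), SamplePresented()) {
		fmt.Printf("hold check %d: %s\n", e.Number, e.Reason)
	}
}
```

The value of the control lies in the default: an item that is not in the issued file is held, not paid, so a stolen or counterfeit check fails closed. The issued file itself should be transmitted over an authenticated channel and generated from the approved payment batch, not typed in by hand, or the control only verifies whatever the fraudster was able to get into the file.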
Your family office must have a comprehensive incident response plan to protect against common and emerging risks. It should plan for failure; the goal should be to fail gracefully and minimise damage. Unfortunately, preventative controls will likely fail at some point, and the plan should help ensure that your business can survive a failure or breach.
Incident response plans are often built on the assumption that the organisation will detect issues quickly, understand them well and respond immediately. In practice those assumptions rarely hold: detection is slow and early information is incomplete, so plans that depend on them lead to higher response, forensic and legal costs as the incident drags on and the investigation and defence become more involved.
Your family office operations should undergo an annual risk assessment, considering both internal and external drivers. Internal drivers include business processes, policies and procedures, metrics, and resources, while external drivers consist of industry concerns, regulatory issues and specific threats. These issues feed into a continual risk management strategy, from analysis and design, to implementation, deployment and education, and oversight.
Family offices have a host of risk considerations that they must account for when developing a data security strategy. These include:
- Access control
- Change and incident management
- Disaster recovery and business continuity
- Data governance
- Training and development
- Vendor management
- Mobile security
To help manage these and other risks, you should implement preventative, detective and corrective controls to better secure critical data and systems. Preventative controls include vulnerability management, patch management, access and authentication, intrusion prevention systems, and configuration management. Detective controls encompass intrusion detection systems, database activity monitoring, compliance monitoring and operational monitoring, as well as network alerts. Corrective controls consist of incident response, forensics, quarantine, isolation, and administrative and legal actions.
Securing communications is among the most critical objectives for more effective data security, and encryption is the key first step. Sensitive information should be encrypted at the file and folder level, with database and application-level encryption where applicable. Use secure file transfer (for example SFTP or HTTPS) over the network, certificate-based authentication, and WPA2 encryption between computers and access points; the original WPA is deprecated and should not be relied on.
Email is often the most vulnerable communication channel for family offices, and therefore requires the most attention to secure. Organisations should procure and deploy a solution to encrypt messages and consider a data loss prevention (DLP) tool to prevent leakage of sensitive data. Additional guidelines for effective email security include deploying comprehensive security software, sharing your email address only with trusted parties, exercising caution when opening attachments and downloading files, and raising awareness of phishing scams.
Digital signatures are a powerful tool for recipients: a valid signature confirms that a message was created by the holder of a known sender's key and has not been altered since it was signed. E-signature services are a related but distinct tool: they let you sign documents from any device, send them electronically and retain an audit trail, but whether they also bind the document cryptographically depends on the product.
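To make the "known sender" point concrete, the Go program below signs a payment instruction and then verifies it against a directory of enrolled sender keys. It is an added example, not code from the original article or from RSM; the PaymentInstruction fields, the sender addresses and the use of Ed25519 are assumptions made for illustration. Two failure cases are shown: the same message with the amount altered after signing, and a message claiming a sender who was never enrolled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentInstruction is the message a principal sends to the bill-pay team.
// The field set is an assumption for this example.
type PaymentInstruction struct {
	Sender string `json:"sender"`
	Payee  string `json:"payee"`
	Cents  int64  `json:"cents"`
	Date   string `json:"date"`
}

// canonical serialises the instruction deterministically so that signer and
// verifier operate on identical bytes. encoding/json writes struct fields in
// declaration order, which is sufficient for a fixed struct like this one.
func canonical(p PaymentInstruction) ([]byte, error) {
	return json.Marshal(p)
}

// Sign produces a detached Ed25519 signature over the canonical encoding.
// The private key should live in a hardware token or signing service, never
// alongside the messages it signs.
func Sign(priv ed25519.PrivateKey, p PaymentInstruction) ([]byte, error) {
	msg, err := canonical(p)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// KnownSenders is the verifier's directory of trusted public keys, keyed by
// sender identity. Enrolling a key here is the out-of-band step that turns
// "the signature verifies" into "a known sender signed this".
type KnownSenders map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("sender not in trusted directory")
	ErrBadSignature  = errors.New("signature does not verify: altered message or wrong key")
)

// Verify checks that p was signed by the key enrolled for p.Sender.
func (k KnownSenders) Verify(p PaymentInstruction, sig []byte) error {
	pub, ok := k[p.Sender]
	if !ok {
		return ErrUnknownSender
	}
	msg, err := canonical(p)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo enrols one principal, signs an instruction, and returns the verification
// result for the genuine message, for the same message with the amount altered,
// and for a copy that claims a sender who was never enrolled.
func Demo() (genuine, altered, impostor error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	dir := KnownSenders{"principal@example.com": pub} // constructed directory

	p := PaymentInstruction{Sender: "principal@example.com", Payee: "Acme Landscaping", Cents: 125000, Date: "2024-03-01"}
	sig, err := Sign(priv, p)
	if err != nil {
		return err, err, err
	}
	genuine = dir.Verify(p, sig)

	tampered := p
	tampered.Cents = 1250000 // an extra zero added in transit; signature no longer matches
	altered = dir.Verify(tampered, sig)

	fake := p
	fake.Sender = "assistant@example.com" // never enrolled, so there is no key to check against
	impostor = dir.Verify(fake, sig)
	return genuine, altered, impostor
}

func main() {
	g, a, i := Demo()
	fmt.Println("genuine:", g)
	fmt.Println("altered amount:", a)
	fmt.Println("unknown sender:", i)
}
```

Note what the check does not do: it proves nothing about a sender whose key was never enrolled, and it cannot detect that an enrolled principal's own mailbox or device has been taken over. That is why payment controls such as positive pay and out-of-band approval still belong alongside signatures.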
Your organisation should also consider stronger document sharing practices to deter data theft. Instead of recreating network drive folder structures, which tends to expose data more widely than intended, use metadata tags and data columns to organise content. Set alerts for when information is deleted or altered, and password-protect key documents. Use version control deliberately: configure it so that earlier versions are retained and recoverable, since a poorly configured versioning scheme can lead to accidental loss of data.
This article was written by Mike Smith, RSM US, and first published here.