Cybersecurity for family offices begins with awareness
Taking a business-minded approach to cybersecurity
INSIGHT ARTICLE |
Authored by RSM US LLP
Some family offices are attractive targets for cybercriminals because of how basic their resources and protections are relative to the high value of their assets. Financial institutions that manage millions of dollars commonly are fortified by safeguards, such as a virtual private network (VPN) for employees and dual-factor authentication for transactions. But single-family offices often operate with small staffs, elementary cybersecurity protocols and limited technological infrastructure.
“Family offices generally tend to believe they’re too small to be a target,” said Tauseef Ghazi, a principal in RSM’s security and privacy risk practice. “But the ones that believe they’re not at risk generally are really at risk.”
That misjudgment is why Ghazi, a technical lead on RSM’s family office enterprise team, considers awareness to be one of the most important cybersecurity issues facing family offices. And, in fact, the awareness is twofold: understanding how cyber threats have evolved and acknowledging the family office’s comprehensive risk profile.
Those complementary components are central to a proactive approach to cybersecurity, as opposed to a reactive one after a breach or crime has done costly damage.
Over the last five years, cyberattacks have moved away from targeting millions of dollars in a single attack. Hackers have found it increasingly difficult to infiltrate a big corporation and fraudulently transfer such large sums.
“Real hacking these days happens in transactions of $100,000 or less, and family offices are quite capable of approving those,” Ghazi said. “Hackers have tried to make their lives easier by going after smaller institutions with very limited security controls and making a bunch of smaller transactions. They’re focused on the volume of transactions because it’s easier to do.”
The attacks commonly begin with a phishing email and take the form of wire transfer fraud or ransomware. The threats are especially troublesome for single-family offices without a dedicated IT department that prioritizes protecting against them.
Once hackers compromise an email system or file storage system, they will try to access accounting systems and the corresponding security information—such as passwords, screen images or keystroke data—that would enable them to execute a transaction.
“The bank then looks at that transaction, and from their side, everything looks perfectly fine,” Ghazi explained. “It came from the legitimate source. It used correct user credentials. This looks pretty legitimate because it comes from the source of truth.”
Risk and vulnerabilities
Once family offices understand the strategy and methodology driving prevalent cyber threats, they can more clearly identify vulnerabilities in their cybersecurity protocols. Of course, family offices vary in size and scope, so risk profiles differ. But that just underscores the value for every family office to look closely at how thoroughly it has protected its assets.
“It’s not crying wolf; it’s saying that you need to understand the dynamics of your own landscape,” Ghazi said. “What are your risks? What kinds of transactions do you make? What do your employees know? Are you even aware of some of these things?”
Single-family offices might outsource IT support. That, by definition, creates a multi-tenant environment for which controls and protections are necessary. And if a family office doesn’t have an internal IT department, it might lack explicit cybersecurity policies and protocols in case of a cyberattack.
Another focal point is how transactions are authorized. Dual-factor authentication is a more sophisticated protection than simply entering one password, especially if the secondary authentication involves a separate device, such as a mobile phone. That way, if the person authorized to execute transactions has their computer compromised by malware, the second device would serve as an additional safeguard.
Remote work also presents important considerations. Family offices, like many companies, encourage flexibility for employees—and that was before the pandemic triggered a widespread shift to working from home.
For employees working remotely, a VPN provides a secure connection that protects data and information. This is especially important if employees are using their work laptops to access social media sites and have various other household devices connected to their home networks.
A business-minded approach
Taking a proactive approach to cybersecurity not only protects systems and strengthens processes before a cyberattack wreaks havoc, it also enables family offices to make upgrades that benefit all parts of the operation.
As Ghazi explains, the cybersecurity strategy of a family office should encompass more than just cybersecurity. For example, if systems such as email, file storage or payroll show vulnerabilities, enhancing their security and privacy can be part of a greater effort to connect systems, establish controls and create operational efficiencies.
“You’re probably better off moving into a single viewpoint,” Ghazi said. “You still use the Cloud and those technologies to keep it cost effective, but you create a more holistic view of that with more monitoring. That puts you on a transformative journey and helps you change the cyber maturity of your environment.”
A trusted advisor with knowledge and experience in crucial areas—finance operations, managed IT services, accounting systems, cybersecurity—can help establish continuity between them. In that sense, a process that begins with awareness can elevate the entire family office and position it for long-term success.
Call us at +1 213.873.1700, email us at firstname.lastname@example.org or fill out the form below and we'll contact you to discuss your specific situation.
This article was written by Tauseef Ghazi and originally appeared on 2020-10-06.
2020 RSM US LLP. All rights reserved.
The information contained herein is general in nature and based on authorities that are subject to change. RSM US LLP guarantees neither the accuracy nor completeness of any information and is not responsible for any errors or omissions, or for results obtained by others as a result of reliance upon such information. RSM US LLP assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect information contained herein. This publication does not, and is not intended to, provide legal, tax or accounting advice, and readers should consult their tax advisors concerning the application of tax laws to their particular situations. This analysis is not tax advice and is not intended or written to be used, and cannot be used, for purposes of avoiding tax penalties that may be imposed on any taxpayer.
RSM US Alliance provides its members with access to resources of RSM US LLP. RSM US Alliance member firms are separate and independent businesses and legal entities that are responsible for their own acts and omissions, and each is separate and independent from RSM US LLP. RSM US LLP is the U.S. member firm of RSM International, a global network of independent audit, tax, and consulting firms. Members of RSM US Alliance have access to RSM International resources through RSM US LLP but are not member firms of RSM International. Visit rsmus.com/about us for more information regarding RSM US LLP and RSM International. The RSM logo is used under license by RSM US LLP. RSM US Alliance products and services are proprietary to RSM US LLP.
Vasquez & Company LLP is a proud member of RSM US Alliance, a premier affiliation of independent accounting and consulting firms in the United States. RSM US Alliance provides our firm with access to resources of RSM US LLP, the leading provider of audit, tax and consulting services focused on the middle market. RSM US LLP is a licensed CPA firm and the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with more than 43,000 people in over 120 countries.
Our membership in RSM US Alliance has elevated our capabilities in the marketplace, helping to differentiate our firm from the competition while allowing us to maintain our independence and entrepreneurial culture. We have access to a valuable peer network of like-sized firms as well as a broad range of tools, expertise and technical resources.
For more information on how Vasquez & Company LLP can assist you, please call +1 213.873.1700.
Subscribe to receive important updates from our Insights and Resources.