Cybersecurity for family offices begins with awareness

Taking a business-minded approach to cybersecurity


Authored by RSM US LLP

Some family offices are attractive targets for cybercriminals because their resources and protections are basic relative to the high value of their assets. Financial institutions that manage millions of dollars are commonly fortified by safeguards such as a virtual private network (VPN) for employees and dual-factor authentication for transactions. Single-family offices, by contrast, often operate with small staffs, elementary cybersecurity protocols and limited technological infrastructure.

“Family offices generally tend to believe they’re too small to be a target,” said Tauseef Ghazi, a principal in RSM’s security and privacy risk practice. “But the ones that believe they’re not at risk generally are really at risk.”

That misjudgment is why Ghazi, a technical lead on RSM’s family office enterprise team, considers awareness to be one of the most important cybersecurity issues facing family offices. And, in fact, the awareness is twofold: understanding how cyber threats have evolved and acknowledging the family office’s comprehensive risk profile.

Those complementary components are central to a proactive approach to cybersecurity, as opposed to a reactive one after a breach or crime has done costly damage.

Evolving threats

Over the last five years, cyberattacks have moved away from targeting millions of dollars in a single attack. Hackers have found it increasingly difficult to infiltrate a big corporation and fraudulently transfer such large sums.

“Real hacking these days happens in transactions of $100,000 or less, and family offices are quite capable of approving those,” Ghazi said. “Hackers have tried to make their lives easier by going after smaller institutions with very limited security controls and making a bunch of smaller transactions. They’re focused on the volume of transactions because it’s easier to do.”

The attacks commonly begin with a phishing email and take the form of wire transfer fraud or ransomware. The threats are especially troublesome for single-family offices without a dedicated IT department that prioritizes protecting against them.

Once hackers compromise an email system or file storage system, they will try to reach the accounting systems and the corresponding credentials and captured data, such as passwords, screen images or keystroke logs, that would let them execute a transaction.

“The bank then looks at that transaction, and from their side, everything looks perfectly fine,” Ghazi explained. “It came from the legitimate source. It used correct user credentials. This looks pretty legitimate because it comes from the source of truth.”
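Because each individual transfer looks legitimate to the bank, the pattern that Ghazi describes (a run of sub-limit transfers to unfamiliar payees) is visible mainly in the family office's own outbound-transfer records. The following is an added example, not code from the article or from RSM, showing a simple detection pass over a constructed transfer log. The log lines, the known-payee list, the $100,000 single-transfer limit, the 24-hour window and the count threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed outbound-transfer log: timestamp, originating account, payee, amount (USD).
# One routine payment, then a burst of transfers that are each under the single-transfer limit.
SAMPLE_LOG = """\
2024-03-04T08:05:00,acct-ops,Landscaping LLC,12500
2024-03-05T09:12:00,acct-ops,Vendor Alpha,95000
2024-03-05T09:40:00,acct-ops,Vendor Beta,88000
2024-03-05T10:15:00,acct-ops,Vendor Gamma,72000
2024-03-05T11:02:00,acct-ops,Vendor Delta,99000
"""

# Assumed list of payees the office has paid before (a real list would come from the ledger).
KNOWN_PAYEES = {"Landscaping LLC"}


def parse_log(text: str) -> list[dict]:
    """Parse comma-separated transfer lines into dicts, sorted by timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, payee, amount = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "acct": acct,
                     "payee": payee, "amount": int(amount)})
    return sorted(rows, key=lambda r: r["ts"])


def flag_transfers(rows: list[dict], known_payees: set[str],
                   single_limit: int = 100_000,
                   window: timedelta = timedelta(hours=24),
                   max_count: int = 3) -> list[tuple]:
    """Return (timestamp, payee, amount, reasons) for every transfer that trips a rule.

    Rules, per originating account:
      - payee not previously seen;
      - at least `max_count` transfers inside the rolling window;
      - aggregate amount inside the window reaching the single-transfer limit,
        i.e. many small transfers adding up to what one large transfer would need approval for.
    """
    alerts = []
    recent: dict[str, list[dict]] = {}
    for r in rows:
        reasons = []
        if r["payee"] not in known_payees:
            reasons.append("new payee")
        hist = [h for h in recent.get(r["acct"], []) if r["ts"] - h["ts"] <= window]
        hist.append(r)
        recent[r["acct"]] = hist
        total = sum(h["amount"] for h in hist)
        hours = window.total_seconds() / 3600
        if len(hist) >= max_count:
            reasons.append(f"{len(hist)} transfers within {hours:.0f}h")
        if total >= single_limit:
            reasons.append(f"aggregate {total} within {hours:.0f}h reaches single-transfer limit {single_limit}")
        if reasons:
            alerts.append((r["ts"].isoformat(), r["payee"], r["amount"], reasons))
    return alerts


if __name__ == "__main__":
    for ts, payee, amount, reasons in flag_transfers(parse_log(SAMPLE_LOG), KNOWN_PAYEES):
        print(ts, payee, amount, "; ".join(reasons))
```

On the sample data the routine landscaping payment raises nothing, while each transfer in the burst is flagged: the first only as a new payee, the second also because the 24-hour aggregate passes the limit, and the third and fourth additionally for transfer count. The value of the check is that it runs on the office's side, where the "source of truth" the bank trusts can still be questioned.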

Risk and vulnerabilities

Once family offices understand the strategy and methodology driving prevalent cyber threats, they can more clearly identify vulnerabilities in their cybersecurity protocols. Of course, family offices vary in size and scope, so risk profiles differ. But that just underscores the value for every family office to look closely at how thoroughly it has protected its assets.

“It’s not crying wolf; it’s saying that you need to understand the dynamics of your own landscape,” Ghazi said. “What are your risks? What kinds of transactions do you make? What do your employees know? Are you even aware of some of these things?”

Single-family offices might outsource IT support. That, by definition, places them in a multi-tenant environment shared with the provider's other clients, for which controls and protections are necessary. And if a family office doesn't have an internal IT department, it might lack explicit cybersecurity policies and protocols for responding to a cyberattack.

Another focal point is how transactions are authorized. Dual-factor authentication is a more sophisticated protection than simply entering one password, especially if the secondary authentication involves a separate device, such as a mobile phone. That way, if the person authorized to execute transactions has their computer compromised by malware, the second device would serve as an additional safeguard.
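The safeguard described above works because the second factor is computed on a device the compromised computer cannot read. The following added example, not code from the article or from RSM, implements a transfer-approval check that requires a password plus a time-based one-time code (RFC 6238 TOTP, the scheme common authenticator apps use) whose secret exists only on the approval server and the approver's phone. The password, the device secret and the timestamps are constructed values; the `TransferApprover` class and its `approve` method are assumptions of this example, not any vendor's API.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as generated by the separate device."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TransferApprover:
    """Server-side approval: factor 1 is the password, factor 2 is a TOTP code.

    The device secret is held only here and on the phone; the workstation that
    types the code never stores it, so keylogged or screen-captured data from a
    compromised computer is not enough to approve a transfer later.
    """
    STEP = 30

    def __init__(self, password: str, device_secret: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._device_secret = device_secret
        self._last_counter = -1  # highest time-step already used; blocks replay of a captured code

    def approve(self, password: str, code: str, now: int) -> tuple[bool, str]:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        if not hmac.compare_digest(candidate, self._pw_hash):
            return False, "bad password"
        counter = now // self.STEP
        # Accept the current and the previous step to tolerate small clock drift,
        # but never a step at or below one whose code was already accepted.
        for c in (counter, counter - 1):
            if c <= self._last_counter:
                continue
            if hmac.compare_digest(totp(self._device_secret, c * self.STEP), code):
                self._last_counter = c
                return True, "approved"
        return False, "bad or missing second factor"


def simulate(now: int = 1_700_000_000) -> dict:
    """Legitimate approval, then two attempts from a workstation that has the password only."""
    password = "correct horse battery staple"       # constructed
    device_secret = b"12345678901234567890"          # constructed; real secrets are random
    approver = TransferApprover(password, device_secret)

    phone_code = totp(device_secret, now)            # generated on the phone, typed by the approver
    legit, _ = approver.approve(password, phone_code, now)

    # Malware keylogged both the password and that code, but replays them one step later.
    replay, why_replay = approver.approve(password, phone_code, now + 30)

    # Malware has the password but no access to the device, so it has no valid code.
    no_device, why_no_device = approver.approve(password, "", now + 60)

    return {"legit": legit, "replay": replay, "replay_reason": why_replay,
            "no_device": no_device, "no_device_reason": why_no_device}


if __name__ == "__main__":
    print(simulate())
```

The replay guard matters as much as the second device itself: a code that malware captured from the screen or keyboard is worthless once its 30-second step has been consumed, and a code it never saw cannot be guessed from the password alone. The `totp` function reproduces the RFC 6238 reference vector (secret `12345678901234567890`, time 59 seconds, 8 digits gives `94287082`), which is a quick way to confirm an implementation matches real authenticator apps.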

Remote work also presents important considerations. Family offices, like many companies, encourage flexibility for employees—and that was before the pandemic triggered a widespread shift to working from home.

For employees working remotely, a VPN provides a secure connection that protects data and information. This is especially important if employees are using their work laptops to access social media sites and have various other household devices connected to their home networks.

A business-minded approach

Taking a proactive approach to cybersecurity not only protects systems and strengthens processes before a cyberattack wreaks havoc, it also enables family offices to make upgrades that benefit all parts of the operation.

As Ghazi explains, the cybersecurity strategy of a family office should encompass more than just cybersecurity. For example, if systems such as email, file storage or payroll show vulnerabilities, enhancing their security and privacy can be part of a greater effort to connect systems, establish controls and create operational efficiencies.

“You’re probably better off moving into a single viewpoint,” Ghazi said. “You still use the Cloud and those technologies to keep it cost effective, but you create a more holistic view of that with more monitoring. That puts you on a transformative journey and helps you change the cyber maturity of your environment.”

A trusted advisor with knowledge and experience in crucial areas—finance operations, managed IT services, accounting systems, cybersecurity—can help establish continuity between them. In that sense, a process that begins with awareness can elevate the entire family office and position it for long-term success.