“Cybersecurity is much more than a matter of IT.” ― Stephane Nappo, Global Chief Information Security Officer at OVHcloud
Individuals and small organizations tend to be complacent about cybersecurity, especially because cybercrime is not physical. Like any rare event, it feels impossible that it can happen to you, until it does.
The biggest cause of this complacency is the assumption that criminals target only very high-value individuals and large organizations. But cyberspace has its own share of petty offenders, who prey on any vulnerability they can find.
Opportunity makes the cybercriminal. Whether or not a piece of information is considered ‘sensitive’, any compromised data can give miscreants leverage in their schemes. Every click and movement is tracked and collected.
Smartphone software adds to this exposure in particular. The operating system collects information from every installed app, including mobile banking and investment apps, and the apps themselves gather data, sometimes even when they are not in use.
With the increasing sophistication and expertise of cybercriminals, it is difficult to implement a foolproof security system. Still, family offices can do much to minimize the threat.
This section enumerates best practices in information technology (IT), privacy and access control that every good enterprise-level system should deploy. The practices should be developed with expert advice, and should be well documented and clearly communicated to all staff members and users.
“Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.” – Chris Pirillo, founder and CEO of LockerGnome
Enforcing password use is the most basic protection measure. It is also the weakest one if password hygiene is treated casually. Staff members and users need to be sensitized to its importance.
Establish a password policy in the organization that mandates the following:
- No employees are to share passwords with one another
- Passwords should be difficult to guess. They should not be set as “password” or “12345”, for instance
- Passwords should not be left in the open, either in plain-text on their computer or written down somewhere near the desk
- Passwords to documents should not be shared on email
- Passwords should be reset every time one employee leaves and another joins in his/her place
- Passwords should be changed every 90 days, and such change should be prompted and mandated by the system software
- Use two-factor authentication (entering a custom-generated code delivered to the phone or email in addition to the correct password) for all online system logins, such as banks, online tracking, accounting and record-keeping systems
- All bank passwords should be registered and reviewed quarterly.
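The list above is written for people; the system software is expected to enforce the checkable parts of it (L16 asks for a system-prompted 90-day rotation). The Go program below is an added example, not code from the original article, of what that enforcement job looks like: a policy struct with a minimum length, a rotation interval and a denylist of guessable values, a check that returns every rule an account breaks, and a helper that tells the system when to prompt the mandated change. The 12-character minimum, the denylist entries, the account fields and the user "asha" are assumptions constructed for the example; the 90-day interval is the one from the list.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// PasswordPolicy holds the checkable parts of the policy above. MinLength and Denylist are
// assumptions for this example; the 90-day rotation interval comes from the list.
type PasswordPolicy struct {
	MinLength int
	MaxAge    time.Duration
	Denylist  []string // trivially guessable values such as "password" or "12345"
}

// Account is the minimum an enforcement job needs to know; all fields are constructed.
// Password is only present at set-time for the strength check; never store it in plaintext.
type Account struct {
	User        string
	Password    string
	LastChanged time.Time
	MFAEnabled  bool
}

// DefaultPolicy mirrors the rules listed above.
var DefaultPolicy = PasswordPolicy{
	MinLength: 12,
	MaxAge:    90 * 24 * time.Hour,
	Denylist:  []string{"password", "12345", "qwerty", "letmein"},
}

// Violations returns every rule the account breaks at time now; an empty result means the
// account complies. The caller decides whether to refuse the password or force a reset.
func (p PasswordPolicy) Violations(a Account, now time.Time) []string {
	var v []string
	pw := strings.ToLower(a.Password)
	if len(a.Password) < p.MinLength {
		v = append(v, fmt.Sprintf("password shorter than %d characters", p.MinLength))
	}
	for _, bad := range p.Denylist {
		if strings.Contains(pw, bad) {
			v = append(v, "password contains guessable value "+bad)
			break
		}
	}
	if a.User != "" && strings.Contains(pw, strings.ToLower(a.User)) {
		v = append(v, "password contains the user name")
	}
	var letter, digit, other bool
	for _, r := range a.Password {
		switch {
		case unicode.IsLetter(r):
			letter = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	if !(letter && digit && other) {
		v = append(v, "password must mix letters, digits and symbols")
	}
	if now.Sub(a.LastChanged) > p.MaxAge {
		v = append(v, "password older than the rotation interval")
	}
	if !a.MFAEnabled {
		v = append(v, "two-factor authentication not enabled")
	}
	return v
}

// DaysUntilReset tells the system when to prompt the mandated change; it is zero or
// negative once the password has expired.
func (p PasswordPolicy) DaysUntilReset(a Account, now time.Time) int {
	return int(a.LastChanged.Add(p.MaxAge).Sub(now).Hours() / 24)
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock for the demo
	acct := Account{User: "asha", Password: "Password123", LastChanged: now.AddDate(0, 0, -100)}
	for _, msg := range DefaultPolicy.Violations(acct, now) {
		fmt.Println("violation:", msg)
	}
	fmt.Println("days until forced reset:", DefaultPolicy.DaysUntilReset(acct, now))
}
```

Run as written, the sample account trips five rules (too short, contains "password", no symbol, older than 90 days, no two-factor) and its reset date is ten days in the past, which is the point at which the system should have locked the account pending a change rather than merely prompting.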
Encryption is converting information or data into a code, so that it is unreadable to users who do not possess the decryption key. Strong encryption is the best technical defense against most cyberattacks.
End-to-end encryption protects data while it is in transit. In its most secure form, the individuals at each end of the message themselves hold the keys for encrypting and decrypting it, and no third party does.
Encryption should be installed throughout the network for all devices, data and communication channels:
- Local computers
- Computers on the cloud
- Data in transit
- Data in storage
- Device interpolation
Without encryption, criminals can easily intercept plain-text that is stored and transmitted on networked computers.
Establish a firm organization policy of not emailing unencrypted or non-password protected documents, spreadsheets and PDFs, especially not if they contain sensitive and personal information.
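The section above describes encryption in general terms. As an added example that is not part of the original article, the Go program below encrypts a document with AES-256-GCM from the standard library, the authenticated-encryption primitive used both for data at rest and, inside TLS, for data in transit. It shows the property that matters beyond secrecy: a ciphertext that has been altered on disk or on the wire is refused outright rather than decrypting to garbage. The document id used as the authenticated label, the sample statement text and the in-memory key handling are assumptions constructed for the example; in a deployment the key would be held by the communicating parties or a key manager, never beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In production the key lives in a key manager or
// hardware module held by the parties at each end, never beside the data it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM. label is authenticated but
// not encrypted (here: a document id), so a ciphertext cannot be swapped between documents.
// The random nonce is prepended to the output; it must never repeat under the same key.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. Any change to the ciphertext, nonce or label makes it fail, which is
// the property that distinguishes authenticated encryption from plain encryption.
func Open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, _ := NewKey()
	doc := []byte("constructed sample: Q1 statement, closing balance 1,234.56") // constructed
	label := []byte("statement-2024-Q1")                                       // constructed document id
	sealed, _ := Seal(key, doc, label)
	fmt.Printf("stored/transmitted bytes: %x\n", sealed)

	plain, err := Open(key, sealed, label)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)

	// Flip one bit in transit or on disk: decryption is refused instead of returning garbage.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(key, sealed, label)
	fmt.Println("after tampering:", err)
}
```

Emailing a document "password protected" in the sense of a PDF or spreadsheet password gives no such guarantee: the policy in the paragraph above is best met by sealing the file under a key the recipient already holds, as this code does, and sending only the sealed bytes.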
With internet-based computing, different software components, such as web, application or database servers, are often not on the same physical computer, but they still need to interoperate to produce the desired outcome.
Inter-process authentication uses a specific kind of public-key cryptography, with keys certified by a trusted authority, so that each computer and program can mathematically “prove” its identity. Only authenticated programs on the network can then exchange information with each other.
This measure protects the data transmitted between different computer programs.
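The two paragraphs above describe mutually authenticated TLS (mTLS) in prose. The Go program below is an added example, not code from the original article, of that exchange end to end: an internal certificate authority issues certificates to a "db-server" and an "app-server", the database side requires a client certificate that chains to the authority, and a client that presents none is refused before any data flows. The CA and server names, the loopback address and the one-hour certificate lifetime are assumptions constructed for the example; in practice the CA key lives in a protected signing service and certificates are issued per service and rotated automatically.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert returns a cert for name: a self-signed CA when parent is nil, else a CA-signed leaf.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // demo-only; a real CA uses random serials
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)} // loopback-only demo deployment
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Handshake runs one mutually authenticated TLS connection on loopback between an app-server
// client and a db-server and reports whether the server accepted the peer. The server insists
// on a client certificate that chains to the internal CA; nothing else gets a connection.
func Handshake(clientHasCert bool) (bool, error) {
	ca, caKey, err := issueCert("family-office-internal-ca", nil, nil)
	if err != nil {
		return false, err
	}
	dbCert, dbKey, err := issueCert("db-server", ca, caKey)
	if err != nil {
		return false, err
	}
	appCert, appKey, err := issueCert("app-server", ca, caKey)
	if err != nil {
		return false, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{dbCert.Raw}, PrivateKey: dbKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the inter-process identity check
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	result := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake() // errors if the peer is unauthenticated
			conn.Close()
		}
		result <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if clientHasCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{appCert.Raw}, PrivateKey: appKey}}
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		conn.Close()
	}
	return <-result == nil, nil
}

func main() {
	for _, withCert := range []bool{true, false} {
		ok, err := Handshake(withCert)
		fmt.Printf("client presents certificate=%v accepted=%v err=%v\n", withCert, ok, err)
	}
}
```

Both directions are verified: the client checks that the database server's certificate chains to the same CA, so a rogue host on the network cannot impersonate it, and the server checks the client. The identity being proved is the possession of a private key whose public half the authority signed, which is what "mathematically prove" means in the paragraph above.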
It is essential to regularly update the software applications in use. These updates rectify vulnerabilities which criminals could exploit.
Regular audits should flag software that is not up-to-date on any system on the network.
User Access and Management
“We discovered in our research that insider threats are not viewed as seriously as external threats, like a cyberattack. But when companies had an insider threat, in general, they were much more costly than external incidents. This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever.” — Dr Larry Ponemon, chairman and founder of Ponemon Institute
Preventive measures to protect the family office from potential human threats within the organization are:
- Define role permissions and limit user access to only that data which is necessary for the staff member to discharge his/her duty
- De-activate the employee account once he/she leaves
- Limit access provided to contractors and external consultants. They should not be given the same access as employees
- Install timed workstation locks and password lockouts to prevent unauthorized access in the event of a computer being left unattended
- Do not use admin accounts for daily system use. Activities should be traceable to individual users
- Develop a system that auto-generates unalterable user logs that can trace a user’s activities. User activity and audit trail features are an additional layer of monitoring.
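The last item above asks for logs a user cannot alter. The usual way to get that property without special hardware is a hash chain: each record carries an authentication code that covers the previous record's code, under a key held by the log service and the auditors but not by the people being logged. The Go program below is an added example, not code from the original article, of such a chain with HMAC-SHA256 from the standard library, together with a verifier that reports the first record that fails. The user names, actions and key are constructed for the example; in a deployment the entries would also be shipped promptly to write-once storage the insider cannot reach.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. Prev links it to the record before it, so the log is a chain.
type Entry struct {
	Seq    int
	User   string
	Action string
	Prev   string // MAC of the previous entry, "" for the first
	MAC    string // HMAC-SHA256 over Seq, User, Action and Prev under the log key
}

// AuditLog appends entries under a key that only the log service and the auditors hold;
// users whose actions are recorded never see it, so they cannot forge a valid chain.
type AuditLog struct {
	key     []byte
	entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// mac binds all fields with length prefixes so that field boundaries cannot be shifted.
func mac(key []byte, e Entry) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%d\n%d:%s\n%d:%s\n%s", e.Seq, len(e.User), e.User, len(e.Action), e.Action, e.Prev)
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action. Because each MAC covers the previous MAC, editing, deleting or
// reordering any earlier entry invalidates every entry after it.
func (l *AuditLog) Append(user, action string) Entry {
	prev := ""
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].MAC
	}
	e := Entry{Seq: len(l.entries), User: user, Action: action, Prev: prev}
	e.MAC = mac(l.key, e)
	l.entries = append(l.entries, e)
	return e
}

// Entries returns a copy for export to write-once storage or for an audit.
func (l *AuditLog) Entries() []Entry { return append([]Entry(nil), l.entries...) }

// Verify walks the chain and returns the index of the first entry that does not check out,
// or -1 when the whole log is intact.
func Verify(key []byte, entries []Entry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i || e.Prev != prev || !hmac.Equal([]byte(mac(key, e)), []byte(e.MAC)) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

func main() {
	key := []byte("constructed-demo-key-use-32-random-bytes-in-production") // constructed
	audit := NewAuditLog(key)
	audit.Append("asha", "viewed statement Q1")
	audit.Append("asha", "downloaded statement Q1")
	audit.Append("ravi", "changed wire instructions")
	good := audit.Entries()
	fmt.Println("intact log, first bad index:", Verify(key, good))

	// An insider rewrites their own entry after the fact: the chain breaks at that index.
	tampered := audit.Entries()
	tampered[2].Action = "viewed statement Q1"
	fmt.Println("edited entry 2, first bad index:", Verify(key, tampered))

	// Deleting an entry shifts the sequence numbers and breaks the chain as well.
	deleted := append(good[:1:1], good[2:]...)
	fmt.Println("deleted entry 1, first bad index:", Verify(key, deleted))
}
```

The chain makes alteration detectable, not impossible: an insider who can reach both the entries and the key can rebuild it. That is why the key stays with the auditors and the entries are copied out of the insider's reach as they are written.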
Digital as well as physical documents need to be handled and stored securely.
- Use an online Software-as-a-Service document management system for all temporary and final documents, instead of emailing documents. Even with encryption, a highly sophisticated hacker can acquire data in transit for misuse
- Ensure quarterly audits of each desktop/laptop to ensure temporarily downloaded files are not stored locally. Documents should be located on a central and remote location, so that they are accessible
- Documents should have version control measures, to keep a track on changes made to them by various personnel
- Bank statements should be delivered only to the official email ids of specified users
- Do not print data unless absolutely required. Ensure they are shredded and not left around unattended after use.
Regular backups are a hedge against data loss. They prevent disruption to operations.
- Schedule periodic and automatic backups of all critical data in an offline remote and secure location. The location should be physically separate from the primary office
- No copies of the data must be created without authorization.
Your network must be accessible only to authorized personnel.
Restrict access to Software-as-a-Service applications to your local network, behind firewalls and Virtual Private Networks (VPNs). Even if you use a third-party server, it should be reachable only through your private network.
Do not use systems that do not have audit trail generation and reporting capabilities. Your wealth’s security is tied to having a firm control over IT and data security.
- You can ill-afford to be complacent about cyber and data security
- Enforcing password hygiene is the primary protection measure
- Encrypt data so that personal and sensitive information is not compromised
- Implement user access and management protocols to prevent potential human threats. Your network must be accessible only to authorized personnel
- Regular backups are a hedge against data loss. They prevent disruption to operations.