We tend to think of cyberattacks as targeting large, data-rich institutions such as banks, financial firms, or healthcare systems. However, because many of these businesses have enhanced their cybersecurity posture, making themselves harder targets for hacking, social engineering, malware (malicious software), and more, cybercriminals have been moving to so-called “softer targets” – valuable entities whose defenses may not be as strong.

Family offices represent one such “soft” but lucrative target. As a quickly growing sector of the wealth management industry, family offices have become much more attractive to cybercriminals for several reasons: In addition to typically featuring lean internal teams managing large sums of money, family offices generally have less formal infrastructure and fewer processes in place to monitor and test for cyber risk and potentially contend with cyber incidents. 

To defend against increasingly sophisticated threats, family offices must prioritize having a strong, proactive cybersecurity stance. This involves developing a better awareness of likely threats, regularly performing tests and assessing risk, and practicing for worst-case scenarios to be able to respond quickly.

1. Stay informed about – and prepared against – top threats

Whereas larger organizations – the “harder targets” – are typically better equipped to constantly monitor for threats, research the latest and greatest attack methods, and receive regular cyber intelligence updates and briefings, family offices usually do not have the in-house security team required to do so. Instead, their small staff might still rely on word of mouth to find out about the latest cyber threats. 

It’s critical that all staff members of a family office stay up to date on key risks, and know how to protect against, spot, and respond to a threat. This includes:

• Cybersecurity awareness training: What to click and not to click
• Social engineering training: What kind of questions to answer and not to answer 
• Social media management: What to post and not to post

For small and medium-size businesses, phishing is often the attack vector used to perpetrate other bad acts, such as ransomware, a type of malware that holds data and devices hostage until a ransom is paid, or a business email compromise (BEC), in which an attacker gains access to a business email account, then impersonates the owner to defraud the company or their contacts. 

Because family offices conduct a great deal of business over email, BEC poses particular risk. For example, a bad actor pretending to be the family member might email the office manager, requesting a wire transfer of $150,000, and the manager, who is used to quickly responding to numerous emailed requests per day, might wire the funds without a second thought. Ideally, offices should have regular training, processes, and reminders in place so that the office manager – and all other employees – know to verify such requests and avoid falling victim to this type of attack.

Beyond phishing scams, family office employees can inadvertently compromise sensitive information by logging in to unsecured W-Fi networks while traveling, or powering their devices on free charging ports. (Bad actors may be able to introduce malware via public USB charging stations.) Meanwhile, AI-powered attacks pose new challenges, such as deepfakes: artificial images or videos that can mimic a person’s voice, face, or gestures. Heightened vigilance is needed.

2. Conduct regular cybersecurity risk assessments

To further deepen awareness and preparedness, family offices should conduct regular cybersecurity risk assessments. These assessments should review current cybersecurity processes, compare them to best practices, and identify any gaps for remediation. 

This may require hiring an external advisor who is able to focus on the cybersecurity side of IT, not just the operational side. A family office might already work with a managed service provider (MSP) to keep computers and systems up and running, but for most effective security, a separate, independent counterpart is needed to focus on security. It’s a bit like an accountant and an auditor: An accountant takes care of the books, and an auditor comes in periodically to review their work and check that everything is compliant.

If they have not yet done so, family offices that are running Microsoft 365 must take the critical step of going through a security assessment and hardening exercise specifically for that platform. Why? Because although it offers users more than 100 great security controls and restrictions, most of them are disabled by default. When setting up email for the family office, the manager should consult with their cybersecurity advisors on which Microsoft 365 controls to enable.

3. Practice for cyberattacks

Nobody wants to have a cyberattack, but in our digital age, they are a case not of if, but when. If family offices wait until they experience one to decide how to respond, the financial and reputational repercussions could be far more catastrophic. The key to being well prepared is to practice, practice, practice. 

Tabletop exercises are a valuable tool in testing incident response plans. They simulate a real-world cyberattack and allow participants to work through their response together. This role-playing approach allows the organization to test their readiness for a cyber attack without having to actually experience one, and could end up saving a family office money should a cyberattack occur. Research has shown significant savings for organizations that have developed and tested incident response plans vs. those that have not.

In conclusion

No organization is impervious to cyber risk; today, a cyberattack is not a matter of if, but when. Ultra-high-net-worth individuals have a range of bank and brokerage accounts, credit cards, and personal spending accounts, which translates to high exposure. Because family offices are recognized as fairly soft targets, they must have a strong cybersecurity plan in place, and everyone with an office email account must be aware of how to respond to an attack. After all, it only takes one person to unintentionally cause, spread, or allow a breach to occur. Cybersecurity is an investment too important to skip.