If Jeff Bezos can be hacked, it should be a red flag for us all. The Amazon billionaire had his mobile phone “hacked” in 2018 after receiving a WhatsApp message that had apparently been sent from the personal account of Mohammed bin Salman, the crown prince of Saudi Arabia. It was a clear case of phishing: following a digital forensic analysis of the message, it is believed that the encrypted message from the number used by the Crown Prince included a malicious file that infiltrated the Amazon billionaire’s phone, completely unbeknown to both parties.
Unfortunately, high-profile and low-profile cases are too numerous to mention here, but it is clear from a number of research data sets and surveys produced by or for the family office sector that cases of serious cyber incursions against HNWs are on the increase as hackers become more and more sophisticated.
A frightening corollary of the Covid-19 pandemic has been the extraordinary rise in digital fraud, evidenced by an FBI report on a pandemic rise in cybercrime during 2020. The Bureau estimates losses of US$4.2bn, with complaints made by cyber victims increasing by 69 per cent. Another recent study by Campden Research cites that cybercrime is increasingly being directed at HNWs and family offices, with more than a quarter of UHNW families, family offices and family businesses (with an average wealth of US$1.1bn) targeted by cyberattacks.
Arguably more worrying, this research highlighted that over a third of participants in the survey stated they do not currently have a cyber security plan in place, despite 98% of families citing reputation as important to their family’s success.
A Change of Mindset
Johnny Brooke, Head of Legal at S-RM, a global intelligence and cyber security consultancy, says that HNWs and family offices need to reconsider their risk management around all elements of their digital footprint. “Traditionally, family offices haven’t deployed risk management in the same way that corporations have done across their digital access points. It’s about protection of assets, whether that is people or fixed assets, so why not deploy equal care and attention to our digital assets?”
Family offices already have the depth of expertise in risk analysis across their investment process, and in the measurement and management of that process. The deployment of effective cyber security calls for much the same mindset and, put simply, starts with ‘People, Process, Technology.’ This system audits the risk points, which can be anything from the forensic analysis of employees and partners to the encryption of an organisation’s digital devices.
Enterprise is increasingly adopting a lifecycle approach to digital risk management. This means deploying technology to risk-manage your enterprise network, from SaaS to IoT devices, and across email, SMS, social media points of contact and voice. As IoT devices are increasingly embedded into organisations, the management of threat must cater for known threats as well as the unknown.
A report by cyber security group Palo Alto Networks says: “A growing number of virtually invisible IoT devices are becoming invariable constituents in enterprise networks. From building and streetlight sensors, flow monitors, surveillance cameras to IP phones, point-of-sale systems, conference room technology, medical devices, and so much more. These devices significantly expand an organization’s attack surface. Prevailing network perimeter defences are poorly equipped to address the security challenges arising out of this inflow.”
One does not need to take a mental leap to apply this to our personal and family lives. Smart home technology and connected devices have created a previously unfathomable number of entry points to sensitive information.
Many connected devices found in homes – be it smart light bulbs, or the doorbell camera that connects to your phone, or modern refrigerators – tend to have very weak encryption. Hackers can exploit those weaknesses, and if more sensitive items like your laptops or smartphones are on the same network, they can gain access to the mountains of information stored on those devices.
Over a lifetime, we take great care to protect physical assets with alarm systems, personal physical protection, etc., but when it comes to protecting our digital footprint, it is puzzling that key areas are left exposed to all manner of risk of breach.
“Think of every connected device you own as a new doorway into your home,” said Brooke. “You wouldn’t install a new door without a strong locking mechanism or without linking it to your home security system.”
New Threats Emerge
An often less considered but equally dangerous digital entry point to our personal lives is social media.
The pandemic has accelerated not only the use of platforms like Instagram, Twitter, TikTok and Facebook, but also the details shared. Pervasive lockdowns and lack of in-person social contact have pushed more and more people onto the channels, where they are happy to share details publicly that could unknowingly attract harmful attacks to families or individuals.
One high-profile example involved an heiress who had her passwords hacked because they included the name of her dog, which was plastered all over her social media accounts. Fraudsters, tracking her travel through her social media accounts, were then able to spoof travel and accommodation invoices coming from her, which were then paid to the tune of nearly USD$1m before flags were even raised.
Other more dangerous examples include kidnappings and ransoms, as criminals could easily track locations and vulnerabilities from social media posts.
When considering the initial process, it’s sensible to look at your overall approach to risk management: where are the doorways to access, how are they protected now against known threats, and how might those threats change as technology evolves?
The deployment of AI is a relatively economically efficient starting point for using technology against perhaps the most pervasive digital threat – email. Sophisticated cyber security companies such as Darktrace are deploying solutions at the enterprise and family level designed to learn patterns and evolve to detect threats aimed at exploiting those patterns.
With regard to social media, regularly review what you and your family are sharing, understand and discuss your exposure, and mitigate those risks.
As part of the process, don’t forget the basics of risk management, remembering that risks are insurable, so assess the merits of K&R and cyber insurance.
The key message is education. Discuss these threats with your advisors, and ensure you involve your family and staff so they are well-prepared for potential attacks. You must assume that those who wish to exploit and defraud you are spending time learning your potential weaknesses, so the best defence is staying in front of those attacks.