Security

COVID-19 raises cybersecurity issues for family offices

The move to working from home revealed vulnerability to phishing among family offices that had not set up proper controls for remote access.

As family offices scrambled to respond quickly to the health and safety issues and the economic turmoil caused by the COVID-19 pandemic, they also had to contend with another threat to their organizations.

Since late January, cybercriminals have been disguising themselves as trusted banks, merchants, co-workers, IT administrators and the like to trick people into divulging sensitive data, according to PwC US.

Proofpoint Inc., a cybersecurity company, reports that “coronavirus-related email lures now represent the greatest collection of attack types united by a single theme” that the firm’s research and detection team has seen in years, “if not ever.”

“These phishing emails may use scare tactics to trick users into interacting with malicious links or attachments, or direct them to websites designed to steal their credentials. Any individual within an organization can be targeted,” Proofpoint says.

Working in this treacherous landscape could be particularly dangerous for those family offices whose staff are making their first foray into working remotely.

Danielle Valkner, U.S. family office leader at PwC, spoke with Family Business Magazine about the challenges facing family offices.

FB: Have cybersecurity issues been a concern among single-family offices as COVID-19 has forced staff to work remotely?

DV: Many family offices have been very deliberate in the past in prohibiting or limiting remote access due to confidentiality concerns. Now they may find themselves in a situation where they are scrambling to set up the proper remote access in a well-controlled way at a time when fraud campaigns are spreading quickly. Business email compromise (BEC) scams that are designed to trick victims into transferring sensitive data or funds have skyrocketed in recent months. These scams also look to steal login credentials so [cybercriminals] can infiltrate your organization and compromise your systems and operations.

FB: Could there be an impact on the family’s privacy or safety?

DV: Wealthy families are always a high-profile target for cybercrime. Now that most of the country is working remotely and many are transacting more via email, it is more important than ever to be on high alert for fraud and safety issues. Your employees are your first line of defense, and it is critical to provide education and alerts to employees to [urge them to] be skeptical of email communications and requests from unfamiliar sources or even those that may look familiar on the surface. Common recent attempts include phishing and BEC emails disguised as government announcements with official-looking logos as well as emails with subject lines of interest to your business in light of impacts of COVID-19. [The emails] may attach official-looking documentation such as invoices, shipping receipts and job applications with harmful malware or ransomware embedded in them or links to fraudulent educational, healthcare or charity-related sites that can open the door for malicious activities and threats.

FB: Are family offices simply trying to find their way through this without a map, like every other business and family?

DV: Most likely. Transitioning to remote work at home can be done without compromising security. At a time like this it is important to consult with the experts and ensure you have the tools and risk management processes in place to enhance your monitoring and detection of threats, educate your employees and protect your assets, data and devices.

FB: Will the pandemic fundamentally change the way family offices operate going forward?

DV: Yes, I believe so. The current environment is certainly testing operational, financial and risk management capabilities. It is essential to identify your critical data, processes and reporting needs to drive decisions and enable proper risk management and controls. Family offices should be evaluating their processes and tools to ensure they have the capability to gather, aggregate, report and distribute critical information as well as execute and manage required activities in a well-controlled and timely manner. The current environment may expose some gaps that will need to be remediated. Also, the entire business community is learning the power of digital collaboration tools, which will undoubtedly have an impact on how we conduct business and operations going forward.

Copyright 2020 by Family Business Magazine. This article may not be posted online or reproduced in any form, including photocopy, without permission from the publisher. For reprint information, contact bwenger@familybusinessmagazine.com.    


 

How to avoid the 'cyberazzi'

The paparazzi, with their clicking cameras, are notorious for stalking celebrities to feed the public’s curiosity about Hollywood stars. The reality of modern society is that you, too, have stalkers following your every move, even if you’re not a celebrity. They’re known as the “cyberazzi.”

As a generation addicted to the Internet, little do we realize the quantity of information we reveal to a faceless audience online. Each interaction with a website requires an e-mail address, a username and a password. Sometimes you must also disclose your geographic location, professional interests and salary range. Once you receive access to the site, you may be revealing information on your reading preferences, your favorite brand of toothpaste, your recent travel destination and your trading strategies.

You are not living one consolidated online life but re-creating your profile each time you log on to a different website. Your Google identity differs from your LinkedIn identity, which differs from your Facebook profile. Managing your online life requires enormous quantities of data. And at the moment, you have no assurance that this data will be treated with care.

For people who come from wealthy backgrounds, creating an online life presents a higher level of risk. Having said that, the sad truth is that a lot of high-net-worth individuals with fortunes and family businesses at stake seem to be missing out on the wonderfully connected world of social media. This is partly because using social media requires you to drop your barriers, reveal information and create an online identity that could possibly attract the wrong sort of attention.

What do you need to be worried about?

Business models: It may not seem relevant, but understanding a business model is crucial to protecting your identity. When you set up an account online, the way the website makes its money—whether through a fee you pay or purely through advertising revenue—has ramifications that affect your security. For those that don’t depend on a subscription fee, their raison d’être is to attempt to understand you as a person. Why? To build a profile of your preferences, your buying patterns—your every move—so products can be tailored to fit your Internet patterns. Suddenly before you know it, you start seeing adverts and search results only for baby clothing and car accessories!

Talking websites: You may not realize it, but websites talk to each other, without your permission. For example, say you type in a search for “Adventure Holidays” on Google. The search engine throws up a list of search results, and you choose Link No. 3 because it looks interesting. What do you know, Google is talking to Link No. 3 about your choice. Google and Link No. 3 are incentivized to have a close relationship because Google makes money from Link No. 3, and Link No. 3’s client acquisition is dependent on its relationship with Google. You are being followed online.

Phishing: This term refers to attempts to acquire personal information by posing as a trusted source. Hackers target unsuspecting users by tempting them to click on links, open e-mails and access websites that in turn ask them to enter a password, credit card number or Social Security number.

A quick glance at the risks highlighted above reveals that these are rather generic risks presented by the Internet itself. All users, irrespective of their status or background, should take care while browsing.

It is fair to say that social media present a higher level of risk because the networking philosophy thrives on high levels of personal information. In order to build a social network and expand your universe of contacts, you must disclose your preferences, marital status, location, job designation and other details. For affluent people, this is hardly the route of choice, given how carefully one must guard information on the family or the family business.

So the online world appears to be a scary place full of monsters ready to gobble up personal data, digest the information and re-create your personality to be sold to marketers online. How do you arm yourself with the right protection? How can you safely enter into the world of social media?

Trends and patterns in data protection

The world is starting to become aware of Big Brothers like Google and the 1984-style level of observation. There is a rising trend toward offering consumers a greater degree of control over the use of data. Consumers will be able to choose how much data they wish to share and will have the choice to receive solicitations only from offer providers they approve and only those they want to hear from. Marketeers will have to reach consumers on their terms.

A second trend is that data are starting to acquire the status of currency. Therefore, the treatment of data is starting to take forms that we recognize in the offline world—data vaults, data banks, personal data lockers that act as information repositories—all designed with bank-level infrastructure and security.

As in the offline world, there is an increasing trend to use an agent to represent personalities online. For example, affluent purchasers use agents at art auctions who come equipped with a strict list of requirements and behave in a way that will not reveal the identity of the person backing the agent.

At TrustedFamily, we recognize this last trend and are taking concrete steps in this direction. “We are privileged to have some of the world’s largest, most respectable families as clients who use our communications platform specifically because it offers the required level of security. However, at the moment, they are limited to intrafamily interaction online,” says our CEO, Joachim Vandaele. “In the future, we intend to act as their online agents, acting through a secure portal while offering them a window to the online world—a gateway that does not compromise your privacy but at the same time allows you to access a range of offers and networking opportunities.” This will offer partners the opportunity to advertise services while giving the consumer full control over how much personal data is revealed. The age of inverse marketing has arrived.

Enjoy social networking, with caution

If this piece hasn’t terrified you of the Internet and you are keen on exploring a rather fascinating world online, then it is important to recognize the lurking dangers of sharing your personal information. Yet there are ways to prevent security breaches by being sensible.

And finally, here is my last word on the subject—don’t for a moment believe that you can ignore social networking. It is becoming an ever-present reality, and a valuable strategy, in the world of business.

With the next generation hooked onto its benefits, it is important to navigate your way in and find your space in the world of social media.

Edouard Thijssen is the co-founder of TrustedFamily, a highly secure social collaboration platform, used primarily by large business families across the world to aid effective communication among family members. He is also a fifth-generation member of the Aliaxis family (edouard.thijssen@trustedfamily.net).

 

 

 


 

 

 

Copyright 2012 by Family Business Magazine. This article may not be posted online or reproduced in any form, including photocopy, without permission from the publisher. For reprint information, contact bwenger@familybusinessmagazine.com.


Safety precautions for home and business

As a child in Guatemala, Rodolfo Paiz got a ride to and from school each day—from a bodyguard. His family, owners of a prosperous grocery chain, instituted the security measure around 1978, after a 12-year-old cousin was kidnapped. The cousin returned home unharmed, “but nobody forgot about that,” says Paiz, who now is 38 and has a family business consultancy, Guayacan Group, based in Miami.

 

Paiz believes his family was targeted because their name was on the grocery stores. “We ended up having equal or greater visibility than many wealthier businesses have,” he explains. His family, however, tended to avoid a flashy lifestyle.

 

After the kidnapping, the family “got serious” about protecting themselves, Paiz says. “We had at least one bodyguard per person,” he recalls, “and at first one or two armored cars that got rotated around when necessary.”

 

Bodyguards and armored cars can be tough to live with, Paiz acknowledges. “You see how some people live [under heavy security] and wonder, how can they possibly stand it? Then someone you’ve known for years gets kidnapped—maybe they come back, maybe they don’t. As you notice these events, you start increasing your security slowly,” he says. “Your perception of the increasing threat is gradual.… You may add a driver. Later, you notice a relative is tooling around in an armored car, and you think they’re just paranoid. But a few years later, everyone has a driver and an armored car. So it doesn’t feel like a big deal.”

 

If you think kidnappings are a threat only to business owners outside the U.S., consider what befell Gert Boyle, the chairwoman of Portland, Ore.’s Columbia Sportswear and star of the company’s ads, last November. The 86-year-old business owner was confronted by an armed robber in the driveway of her home. Police arrested three men in what they called a conspiracy. One suspect told police the home-invasion assault was part of a plot to kidnap Boyle.

 

Threats are everywhere

 

Even if your family’s wealth is modest and your name is not widely recognized, it’s wise to be cautious. Although the FBI’s annual Uniform Crime Reports found that violent offenses nationwide decreased by 5.5% in 2009 compared with 2008, crimes that target businesses and the wealthy are rising, probably because of the economic downturn, security professionals say.

 

• Internet crime complaints rose 22.3% (to 336,335) in 2009 compared with 275,284 in 2008 (which was up some 33% from 2007), according to the Internet Crime Complaint Center, a partnership between the FBI and the National White Collar Crime Center. Reported losses in 2009 almost doubled (to $560 million) from the 2008 figure.

 

No wonder. A 2009 National Cyber Security Alliance study found that of 1,500 firms polled, only 28% have formal Internet security policies, 25% do not ensure password protection for their wireless networks and only 35% provide training to employees about Internet safety and security, while 66% of employees at these companies take computers or PDAs containing sensitive information off-site.

 

• Workplace violence may be perpetrated by employees, former employees, relatives of employees, customers or even strangers. The Bureau of Labor Statistics lists homicides in private industry as the third most frequent cause of occupational fatalities, with 453 deaths in 2008, the most recent year for which data are available. Paul Michael Viollis Sr., CEO of New York City-based Risk Control Strategies—a consulting, investigation and crisis management firm—says business owners should develop a comprehensive written policy and train employees to recognize warning signs, report incidents and implement mitigation strategies. This not only will help save lives but also can prevent lawsuits if violence does erupt on the premises.

 

“Workplace violence in business is the most under-examined and -managed issue I’ve ever seen,” says Viollis. “If you took a survey of all small businesses and asked how many have a policy on sexual harassment, I bet you’d have nearly 100%. Yet if you ask how many have a policy about workplace violence, maybe 10% do.”

 

• Extortion is on the rise, according to Viollis. In 2008, he handled 11 extortion cases, a number he considered at the time to be high. The next year, his extortion caseload spiked to 48. In the first four months of 2010, Viollis reports, 52 clients asked for his help with such threats.

 

• Craigslist scams target families who place ads for domestic workers on job-search websites such as Craigslist. An invitation to a prospective employer’s home for an interview gives the miscreant an opportunity to stake out the premises. “They don’t even need to get the job, they just get the personal interview,” says Teresa Leigh, founder and CEO of Teresa Leigh Household Risk Management, a household and domestic staff management and risk advisory firm in Raleigh, N.C., and New York City. Her firm conducts background investigations and personal interviews before introducing a client to candidates—away from the client’s home. During initial meetings with candidates, the client uses a pseudonym, Leigh adds.

 

• Embezzlement occurs all too often in family firms. Consider Sujata Sachdeva, who in December 2009 was charged with wire fraud in federal court for a two-year scheme in which she embezzled more than $4.5 million from Koss Corp., a family-controlled public company. Sachdeva, who pleaded guilty to the charges and was sentenced to 11 years in federal prison, had been vice president of finance at Koss since 1992.

 

• Medical, natural and environmental catastrophes require advance planning, notes Daniel Carlin, M.D., the CEO of WorldClinic, a medical practice based in New London, N.H., that provides care to corporate executives and other high-net-worth individuals and families. Generally, more fatalities occur in the aftermath of a catastrophic event than during the event itself, Carlin says. Unprepared or uninformed survivors of a storm, explosion or earthquake may be felled by inadequate or contaminated air, water or food, he explains. WorldClinic develops disaster medical plans for clients and provides personalized medical provisions for travel and home. It also arranges care for clients who become ill while traveling and develops disaster contingency plans and response systems.

 

Family businesses’ vulnerability

 

Family business owners may be at greater risk than other executives because family companies tend to foster a culture of trust, security professionals say.

 

Natasha Pearl, founder and CEO of New York City-based Aston Pearl, which provides a range of services to family offices and private clients, including household staffing and security, agrees that business families can be too trusting, especially when it comes to people who are “part of the circle,” a group that often includes employees.

 

Business families also have a sense of invulnerability, Pearl says. “Particularly if it’s a private company, they think [the family is] under the radar,” she explains.

 

“Entrepreneurs believe in themselves and their ability to read other people,” says Teresa Leigh. “Ninety percent of the time they think they’re bulletproof because they’ve run this company and have been successful. They feel invincible because their daily life is validating that. When choosing household staff, their internal radar is not at full capacity. They will hire people they like.”

 

In addition to screening job applicants, family business owners should check up on prospective contractors in advance of an engagement, Viollis says. Many companies use outside contractors to perform crucial information technology functions. Outsourcing maintenance of a server or data center is tantamount to giving a stranger “the keys to the kingdom,” Viollis says.

 

Parents should teach their children about the importance of discretion, starting when the kids are young, Pearl advises. Young people should be told, for example, why a Facebook post about a flight on the family’s private jet is unwise, she says.

 

When her clients’ kids go off to college, Pearl says, she advises them not to set themselves up in lavish off-campus apartments and suggests that they avoid pricey designer handbags and other trappings of wealth. “College is not the time to be setting yourself apart” from peers, Pearl warns.

 

Costs and complications

 

Cost plays a role in family firms’ security decisions, security professionals acknowledge. “Family businesses need a highly customized, efficient means to address security issues,” says Christopher Falkenberg, president of New York City-based Insite Security Inc. “They don’t realize the impact a real emergency can have on a business, and they haven’t thought about business continuity.”

 

There may be ways for a family to trim the cost of their security systems, Pearl notes. She cites the case of a client who had an expensive security contract for a home that the family used for only three weeks a year. “We worked with them to figure out if they could rebid that contract,” she recalls.

 

Many families have difficulty determining what costs are appropriate for security technology, Pearl says. “They often spend a lot of money on high-tech solutions that may or may not be important.” Technology is often a poor substitute for human vigilance, she notes.

 

However, Pearl warns, a family must find the proper balance between cost-cutting and ensuring their system’s effectiveness. “You’re not getting your money’s worth if the system doesn’t work,” she says. Security cameras should be tested periodically to ensure they’re in working order and are properly aimed. “Security is like aviation,” Pearl says. “You don’t want the cheapest solution; you want the right solution.”

 

“Wealthy families have complicated lives, with lots of travel, staff and homes. All these moving parts can allow outsiders to gather information for targeting purposes,” says Falkenberg, who is an attorney and was a U.S. Secret Service special agent from 1991 to 1995. He advocates a “belt and suspenders” approach: First, identify and prevent the broad range of potential threats; second, “assume that plan is ineffective and have another plan to reduce the impact. You need to be proactive and reactive.”

 

The signs that a family is being targeted may be very subtle, Pearl cautions. Strangers may ask seemingly innocuous questions of a nanny in the park one day and a housekeeper at the grocery store the next day. “You very often can’t tell if there’s a pattern, or how many sources of data there are,” she says. Family members and household staff should be instructed to report all unusual encounters, “even if it seems like a waste of time,” she says.

 

It’s important for companies of any size and families with even modest wealth to be aware of their security risks. There are some precautions you can take that won’t break the bank (see sidebar below).

 

Adjusting to protection

 

Falkenberg recommends combining passive with active security components, such as countersurveillance for those who will not tolerate a bodyguard. “Security cameras can help you track license plates, to see if the same car keeps passing by the house or office, or if someone seems to be scoping the building, testing doors or looking at air access points, which regular commuters or businesspeople don’t do,” Falkenberg says.

 

Once you hire a bodyguard, Miami consultant Rodolfo Paiz points out, you have an extra mouth to feed, and when you travel, you need to provide a hotel room for the guard. Because the risk of crime is generally greater at night, you may need two bodyguards who rotate shifts. A weekend detail is also needed, Paiz notes. “Protection on weekdays but not weekends is as good as not doing anything,” he cautions.

 

Being diligent about safety can be frustrating, Paiz acknowledges. “Of course it cramps your style,” he says. “Try having an argument with your boyfriend or girlfriend with a bodyguard in the back [of your car].”

 

Such frustrations may cause clients to ease up on precautionary measures, Falkenberg observes. “Security procedures that are complex and strict aren’t going to help,” he warns, “if people don’t follow them.”

 

 

Jayne A. Pearl, a member of Family Business Magazine’s founding staff, is now a freelance writer, editor and speaker. She is co-author, with Richard A. Morris, of Kids, Wealth and Consequences: Ensuring a Responsible Financial Future for the Next Generation (Bloomberg, a Wiley imprint, 2010; www.kidswealthandconsequences.com). Family Business editor Barbara Spector contributed to this report.

 

 

 

 


 

 


RESEARCH ALERT

 

Study: Families should have a systematic process to evaluate risk

 

A survey of more than 100 family offices conducted by national insurance brokerage Frank Crystal & Company and the Family Office Exchange has found that an inadequate process for assessing risks on a timely basis often results in poor insurance program design.

 

The study—“Insurance Matters: The Case for Strategic Insurance Planning”—found that several of the risks to client assets that family office executives report being most concerned about “are not risks that would fundamentally threaten the net worth of the family,” according to Jonathan Crystal, executive vice president at Frank Crystal & Company, which is itself a third-generation family firm.

 

For example, the survey found that 49% of family office executives rated identity theft as a top perceived risk to client assets, although identity theft “is unlikely to have a significant negative impact on client assets according to most insurance experts,” the survey report noted. On the other hand, according to the survey report, a lawsuit by a third party and a lawsuit related to a family member’s outside board position (for example, service on a non-profit board that carries insufficient limits of liability coverage) can have a significant adverse impact on a family’s net worth, though only 39% of family office executives rated the former as a top risk, and just 22% said the latter was a key concern.

 

The report identified a number of errors commonly found in insurance programs. Some are related to poor planning and program design (for example, deductibles that don’t match risk tolerance and failure to consult an insurance specialist before committing to significant purchases, travel plans or board directorships). Others are related to insufficient coverage and unidentified risks (e.g., lack of workers’ compensation and employment practices liability for domestic employees; erroneous assumption that liability coverage is extended to a family member serving on an outside board); or poor coordination of coverage (such as for homes in multiple geographic locations and the failure to coordinate aircraft and yacht insurance with other policies). Another category of errors concerns program changes that lag family changes (for example, coverage that isn’t relevant to the family’s current lifestyle).

 

The study also found that while family offices commonly provide insurance services to senior-generation members, 20% to 30% fewer offices regularly provide insurance services to younger generations. This is a critical coverage gap, according to the authors. According to the report, accident-related deaths are the No. 1 cause of deaths for all age groups up to age 35 and account for 49% of all deaths of 15- to 19-year-olds.

 

Conversations about insurance with family members and family office staff should address “the fundamental risk to the family’s assets and well-being, as opposed to just the [insurance] products,” Jonathan Crystal says. “We need to think concretely about the family as a whole.”

 

For a copy of the study, visit http://frankcrystal.com/InsuranceMatters. —Barbara Spector

 

 

 

 


 

 

 

Playing It Safe

 

Here are some affordable safety and security precautions. Some are from StaySafeOnline.org; others are suggested by Daniel Carlin, M.D., of WorldClinic, Christopher Falkenberg of Insite Security Inc., Teresa Leigh of Teresa Leigh Household Risk Management, Rodolfo Paiz of Guayacan Group and Paul Michael Viollis Sr. of Risk Control Strategies.

 

At your company

 

• Back up data to several secure servers outside your building.

 

• Develop and distribute written employee policies covering all potential security threats, including computer theft, workplace violence, medical emergencies, terrorist attacks and natural catastrophes.

 

• Carry a small, portable scanner to scan sensitive documents clients give you, and shred the original. Keeping data on a properly secured laptop is much safer than having it on paper.

 

• Provide your employees with professional training in crisis management.

 

• Create a business continuity plan that details how your company would operate in the event of a disaster.

 

At home

 

• Provide job descriptions and employee manuals for domestic staff.

 

• Get emergency contact information for each domestic employee.

 

• Take digital photos of workers inside and outside of your house, and photograph their picture IDs. This may have a deterrent effect.

 

• Avoid divulging personal information to people on your payroll.

 

• Donate anonymously. Thieves mine charitable organizations’ lists of donors for potential victims.

 

• Assemble a collection of emergency supplies that includes a high-quality particulate filter mask (such as an N95 gas mask, available at many hardware stores), one gallon of water per person per day for at least three days, some energy or granola bars, a flashlight, a battery-operated radio and a first-aid kit. Keep another set of these supplies in your office, too.

 

 

On the go

 

• Secure laptop computers with biometric fingerprint scanners and encryption software.

 

• When visiting a building you’re not familiar with, find two exits and make a note of where they are.

 

Online

 

• Read social networking sites’ terms of service.

 

• Assign a password of at least eight characters for booting up or waking up your computer.

 

• Avoid sending or receiving confidential data via e-mail. If you must do so, save it as a password-protected PDF file, compress it and assign a password to it before attaching it to the e-mail.

 

• Set the highest level of privacy on social websites. If you allow your children to join these sites, consider purchasing monitoring software to check for potentially risky behavior.

 

• Keep your web browsers and operating system up to date to help avoid phishing scams and unsecured websites. This will also ensure that you have the newest protections.

 

• Conduct an online search for your name and family members’ names to see what is being posted about you.

 

• If you find your personal data online, consider services such as ReputationDefender.com.

 

Traveling overseas

 

• Stick to internationally known hotels.

 

• Vet your driver from home. A hotel worker may sell you out to an unscrupulous driver.

 

• Put plastic ties around luggage before you leave your hotel room so if someone goes through your belongings, you’ll know.

 

• Research religious, social and geopolitical issues in the countries you plan to visit.

 

 

 

 


 

 

 

Resources

 

 

• The Department of Homeland Security’s Computer Emergency Readiness Team offers personal and business cyber safety tips at http://www.us-cert.gov/cas/tips/.

 

• Internet safety tips for business are available at http://www.staysafeonline.org/for-business.

 

• For a list of free computer security checks, see http://www.staysafeonline.org/tools-resources/free-security-check-ups.

 

• HUB International Personal Insurance’s “The Domestic Staffing Cycle: From Hiring to Firing” presents practical hiring guidelines at http://riskfirewall.com/download/The_Domestic_Staffing_Cycle.pdf.

 

• The Department of Homeland Security details “30 Tips for Emergency Preparedness” at http://www.dhs.gov/xcitizens/editorial_0711.shtm.

 

 
