Securing the family office: Implementing a thorough data security plan
Data breaches and information security are critical concerns for organizations and individuals as attack methods become more diverse and widespread. While media reports typically illustrate only the dangers faced by large companies, smaller breaches are more frequent and cause the most damage. Family offices in particular face acute risk: because information about high-net-worth individuals is extremely valuable to criminals, their security measures warrant a closer look.
While data breaches should have been a key consideration of your security plan for many years, the threat is growing. Several trends are expanding the breach threat, including the rising value of personal data on the black market, the emergence of cyber conflicts between nations, which leave consumer information at risk, the comeback of hacktivism, and the 2016 presidential campaign, which presents new opportunities for hacking campaigns.
Just a single data breach can cause significant damage to your organization. Family offices often cannot tell that they have been breached, and in many cases attackers move faster than the defense. Breaches often run for extended periods of time, and organizations typically learn they have been breached from someone else, making response planning a challenge.
Data breaches can occur in a number of ways, but the overwhelming method is hacking. However, breaches can also occur through:
- Social engineering: A criminal has direct contact with a representative or employee, manipulating him or her into surrendering credentials or sensitive information
- Physical means: Information is physically accessed or stolen by a criminal
- Misuse: An employee accesses or shares information in an unauthorized manner
- Errors: An employee makes a simple mistake that leaves systems and data vulnerable
A particularly vulnerable function for family offices is bill pay operations. Risks can include check fraud, unauthorized payments or use of signature stamps, and poor management of multiple check books. However, your family office can implement stronger controls through positive pay, electronic approval processes, multi-layer authentication for payments, and leveraging Magnetic Ink Character Recognition technology to verify the legitimacy of paper checks.
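Positive pay works by reconciling the checks the bank is asked to pay against the list of checks the office actually issued, and holding every exception for review. The following Python is an added illustration of that reconciliation, not code from the original article or from any bank's positive pay service; the check records, field names and match rules (exact amount, loosely normalized payee, one presentment per check number) are assumptions made for the example.

```python
"""Positive pay reconciliation: compare checks presented to the bank against
the family office's own issued-check file and flag every exception for review.
Added illustration; the data, field names and match rules are assumptions."""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Check:
    number: int
    amount: Decimal
    payee: str


# Constructed sample: the issued-check file the office transmits to its bank.
ISSUED = [
    Check(1001, Decimal("2500.00"), "Acme Landscaping"),
    Check(1002, Decimal("980.50"), "City Utilities"),
    Check(1003, Decimal("12000.00"), "Harbor Property Mgmt"),
]

# Constructed sample: items the bank reports as presented for payment.
PRESENTED = [
    Check(1001, Decimal("2500.00"), "Acme Landscaping"),   # clean match
    Check(1002, Decimal("9800.50"), "City Utilities"),     # amount altered
    Check(1003, Decimal("12000.00"), "H. Prop Mgmt LLC"),  # payee altered
    Check(1004, Decimal("4300.00"), "Unknown Vendor"),     # never issued
    Check(1001, Decimal("2500.00"), "Acme Landscaping"),   # duplicate presentment
]


def normalize_payee(name: str) -> str:
    # Payee names are compared loosely: collapse case and whitespace so a
    # formatting difference alone does not raise an exception.
    return " ".join(name.upper().split())


def positive_pay_exceptions(issued, presented):
    """Return (check_number, reason) for every presented item that does not
    match exactly one issued check; matching items are released for payment."""
    by_number = {c.number: c for c in issued}
    seen = set()
    exceptions = []
    for item in presented:
        if item.number in seen:
            exceptions.append((item.number, "duplicate presentment"))
            continue
        seen.add(item.number)
        expected = by_number.get(item.number)
        if expected is None:
            exceptions.append((item.number, "check number not issued"))
        elif expected.amount != item.amount:
            exceptions.append(
                (item.number, f"amount {item.amount} != issued {expected.amount}")
            )
        elif normalize_payee(expected.payee) != normalize_payee(item.payee):
            exceptions.append((item.number, "payee name mismatch"))
    return exceptions


if __name__ == "__main__":
    for number, reason in positive_pay_exceptions(ISSUED, PRESENTED):
        print(f"check {number}: HOLD - {reason}")
```

The important design point is that every exception is held for a human decision rather than silently paid or silently rejected; the duplicate-presentment rule is what catches a legitimately issued check being run through twice.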
Your family office must have a comprehensive incident response plan to protect against common and emerging risks. It should plan for failure; the goal should be to fail gracefully and minimize damage. Unfortunately, preventative controls will likely fail at some point, and the plan should help ensure that your business can survive a failure or breach.
Incident response plans are often built on the assumption that organizations will detect issues quickly, have significant knowledge of the issue and respond immediately. When those assumptions prove false, this approach typically results in higher response, forensic and legal costs, because the incident runs longer and the examinations and legal defense become far more involved.
Your family office operations should undergo an annual risk assessment, considering both internal and external drivers. Internal drivers include business processes, policies and procedures, metrics, and resources, while external drivers consist of industry concerns, regulatory issues and specific threats. These issues feed into a continual risk management strategy, from analysis and design, to implementation, deployment and education, and oversight.
Family offices have a host of risk considerations that they must account for when developing a data security strategy. These include:
- Access control
- Change and incident management
- Disaster recovery and business continuity
- Data governance
- Training and development
- Vendor management
- Mobile security
To help manage these and other risks, you should implement preventative, detective and corrective controls to better secure critical data and systems. Preventative controls include vulnerability management, patch management, access and authentication, intrusion prevention systems, and configuration management. Detective controls encompass intrusion detection systems, database activity monitoring, compliance monitoring and operational monitoring, as well as network alerts. Corrective controls consist of incident response, forensics, quarantine, isolation, and administrative and legal actions.
Securing communications is the most critical objective for more effective data security. A key first step to enhance communication security is encryption. All of your information should be encrypted at the file and folder level, supplemented by database and application encryption. Integrate secure file transfer processes over the network, digital authentication certificates and Wi-Fi Protected Access (WPA) encryption between computers and access points.
Email is often the most vulnerable communication tool for family offices, and therefore requires the most attention to fully secure. Organizations should procure and deploy a solution to encrypt messages and consider a data loss prevention (DLP) tool to prevent leakage of sensitive data. Additional guidelines for implementing effective email security include obtaining comprehensive security software, sharing your email address only with trusted sources, exercising caution when opening attachments and downloading files, and increasing awareness of phishing scams.
Digital signatures and e-signatures are also powerful tools to help recipients confirm that messages were created by a known sender. The electronic signature can be used with different programs, with the flexibility to sign documents anywhere from any device. The solution enables you to send documents electronically with additional audit trail evidence.
Your organization should also consider implementing stronger document sharing strategies to deter data theft. Instead of recreating network drive folders and potentially exposing that data, utilize metatags and data columns to organize content. Establish alerts if information is deleted or altered, and password protect key documents. Only utilize version control if necessary, as it often leads to accidental deletion of data.
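The alerting control described above, flagging documents that are deleted or altered, is a simple file integrity check: record a content hash for every file as a baseline, re-scan later, and report anything deleted, changed or newly added. The following Python is an added illustration of that detective control, not code from the original article or from any document-management product; the folder layout, file names and simulated events are constructed for the example, and the scan runs on a temporary directory so it works offline.

```python
"""Detective control for shared documents: record a SHA-256 baseline of every
file, then re-scan and raise an alert for anything deleted, altered or added.
Added illustration, not from the original article; paths are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    # Hash in chunks so large documents do not have to fit in memory.
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each file's path (relative to root) to its content hash."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def integrity_alerts(baseline: dict, current: dict) -> list:
    """Compare two snapshots and return (event, relative_path) alerts,
    deletions and alterations first, then additions."""
    alerts = []
    for rel in sorted(baseline):
        if rel not in current:
            alerts.append(("deleted", rel))
        elif baseline[rel] != current[rel]:
            alerts.append(("altered", rel))
    for rel in sorted(current):
        if rel not in baseline:
            alerts.append(("added", rel))
    return alerts


def demo() -> list:
    """Build a constructed document folder, take a baseline, simulate the
    changes an alert should catch, and return the resulting alerts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "trust").mkdir()
        (root / "trust" / "deed.txt").write_text("original deed text")
        (root / "wire-instructions.txt").write_text("ABA 000000000 acct 1234")
        (root / "minutes.txt").write_text("board minutes")
        baseline = snapshot(root)

        # Simulated events: wire instructions edited, minutes deleted,
        # an unexpected new file dropped into the share.
        (root / "wire-instructions.txt").write_text("ABA 999999999 acct 9999")
        (root / "minutes.txt").unlink()
        (root / "invoice.txt").write_text("constructed new document")
        return integrity_alerts(baseline, snapshot(root))


if __name__ == "__main__":
    for event, rel in demo():
        print(f"ALERT {event}: {rel}")
```

In practice the baseline should be stored somewhere the people who edit the documents cannot modify, otherwise an attacker with write access can simply refresh it; the scan itself is cheap enough to schedule frequently.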
Another popular measure to increase document security is leveraging a Web-based cloud portal. These document storage solutions typically employ enhanced security measures, including encryption and routine, independent security testing. Information is stored in secure data centers with physical access usually limited to authorized personnel with several levels of authentication.
While security controls typically focus on digital information, your family office must also consider several physical security controls to limit the potential of breaches. For example, fax machines should use encryption, and laptops should utilize cable locks to deter theft. Cameras can be used as a detective control and alarms can be tied to authorities to dispatch police in the event of an incident. You should eliminate physical keys if possible to avoid duplication, but if keys are necessary, do not provide them to outsiders, even contractors and vendors.
In the event of a data breach, cyber insurance can help protect your organization in multiple ways. Organizations can choose first-party or third-party coverage, or both options. First-party insurance accounts for costs related to responding to a data breach, while third-party coverage helps defend you if legal claims arise against you or regulators seek information.
Regardless of your family office’s size, it is a data breach target, especially as the value of your information increases and threats evolve. Evaluating your data environment identifies outdated or insufficient security controls, and a review by a third party can discover vulnerabilities you may not recognize internally. By understanding potential threats and strengthening data security, you significantly increase your ability to protect sensitive information and avoid financial and reputational damages.