In this data-rich environment of smartphones and USB memory sticks, protecting your Family Office data is critical to minimise financial and reputational damage. Heyrick Bond Gunning explains the threats and what you can do.
Cyber security is a legal and reputational issue for every Single Family and Multi-Family Office. Protecting data does not just avoid liabilities and prevent fraud – it is also a vital part of reputation management. The results of a loss are both financial and reputational.
Where is the threat coming from? 2012 saw a 42% increase in targeted attacks, of which just over a third were aimed at businesses with fewer than 250 employees. Small businesses tend to think they are beneath the radar of the hacker and therefore have few protective measures in place, making them much easier to target. 60% of businesses with fewer than 250 employees will fold within six months of an attack.
Around 50% of the loss of data is avoidable, as it is through loss of handsets, memory drives and other handheld devices. 40% of loss requires a combination of technical and procedural support, as it is information that is hacked. 10% is stolen by employees, and around 30% of that happens within 30 days of them being handed their notice. Interestingly, of our clients surveyed, around 50% of employers trusted their employees not to steal confidential data and therefore had minimal preventative measures in place.
Other than the reputational damage caused through social media, the developing threat is likely to come from four main areas over the next 12-24 months:
Handheld devices: The nexus is the intersection of smartphones and social media where the combination of an operating system, communications platform and payment mechanisms results in the perfect hunting ground. Over the past 12 months technology experts have reported a 58% increase in malware specifically written to target handheld devices.
Mass data storage: Mass data storage refers to technology such as server farms servicing The Cloud. We have all heard of the apocryphal story of the bank robber being asked, “Why rob a bank?” answering “because that’s where all the money is.” The same goes for mass data storage.
Removable storage: Another serious threat is in removable storage devices such as USB sticks, external hard drives and CDs; these will bypass security infrastructure such as firewalls, granting direct access to a network. This is why procedural measures are equally as important as the technical safeguards.
Old Data: What happens to your old mobile phone or computer? Is it given to a charity, and does it end up in the hands of fraudsters? This data is very difficult to remove completely, and even fax machines and printers have hard drives that store information.
There are a variety of services that companies can provide to help businesses protect themselves, including outsourced firewalls, managed services, and compliance. There is also much that clients can do themselves on the technical and procedural side.
Putting in place the technical procedures is often the easiest step in mitigating risks; however, overcoming the behavioural issues and educating employees is often the most important. What benefit is there in spending capital on securing networks when staff can freely release information on social media sites, or executives can be overheard discussing confidential information on a train journey? Companies and employees need to change their mind-sets and understand the importance of securing information; these guidelines need to be embedded and adhered to in Crisis Management and Business Continuity Plans.
Step one: start with a Security Audit. What is the most valuable data that you hold? Is it the data you paid most to acquire? Is it the information you would be most embarrassed about? The two are not mutually exclusive… Assess the risks, segregate information and use the standards as a measuring point, namely, ISO 27001:2005 Information Security, BSI 10012:2009 Data Protection, FSA SYSC and PCI DSS.
Heyrick Bond Gunning is Managing Director of Salamanca Group, whose services include Cyber Security, Team Managing and Professional Information Security services. He is a former Managing Director of Security Consulting at Kroll, where he was also Head of Kidnap for Ransom.
Step two: analyse your vulnerabilities and prepare a response plan in case of a breach. The greatest perceived threats are those that seem uncontrollable, namely the actions of third parties. Therefore concentrate on what you can control – your family, employees and professional advisors. When it goes wrong, undertake a quick evaluation, impose immediate remedies, assess further risk, simultaneously begin containment and recovery, then notify the stakeholders.
Brief Guide to Protecting Yourself
Technical Counter Measure Sweeps: Conduct these on a regular basis in order to confirm that bugs or eavesdropping devices are not being used against you or your business.
Cyber Security: Ensure firewalls are actively monitored and managed.
Social Networking: Keep all social profiles locked down to their tightest privacy setting.
Personal Information: If you receive a telephone call from a credit card company, bank or other retail company asking you to confirm certain details about yourself, decline and ask to call them back, preferably through a central switchboard. Never give out personal details or passwords.
Shred: When destroying personal correspondence such as bank and credit card statements, consider a shredder or even burning them with garden refuse.
Unsolicited Emails: Beware of unsolicited emails. Do not respond to emails that have apparently originated from your bank or other authority/company.
Passwords: Use long passwords, using a combination of letters and numbers. Don’t use obvious ones like the names of your children or pets.
Speech: Don’t talk about sensitive information outside the office on a mobile phone or in a taxi.
Mobile Phone Vulnerabilities: As the recent News of the World phone hacking scandal shows, phones are not secure. Following these steps will help ensure that no sensitive information can be obtained:
- Avoid leaving lengthy voice mail messages – simply ask for them to call you back, and ensure that no sensitive information is divulged.
- Bear in mind that any texts, pictures or contacts in your phone can be obtained by others if you lose or misplace it.
- Ensure that PIN codes are placed on the handset as the bare minimum level of protection.
- Change your voicemail password from the factory setting.
- Ensure location plug-in/geo-tagging is disabled.