Anyone who studies the activities of organised cyber crime groups cannot fail to be impressed by their creativity, innovation and adaptability. Cyber criminals are applying to online fraud the kind of resources and effort once associated with the narcotics trade. They have created a low-cost business model targeting an endless sea of possible victims across the internet, which is yielding hundreds of millions in revenue every year.
For obvious reasons, financial services have been the primary focus for this new world of crime. Major banks have been under sustained attack for many years and, as a result, have improved their defenses, spending significant proportions of their IT budgets on security. The response of criminal groups to this has been predictable. At the high end, they have developed ever more sophisticated techniques to attack well-defended companies, but they have also looked for softer targets and easier ways in.
This has inevitably led to a growing criminal interest in family offices and high net worth individuals. Family offices are a perfect target: they control significant wealth but have few of the cyber security defenses associated with large companies. They present rich pickings for fraud, theft, and for capitalizing on privacy concerns and reputational damage. Criminals are good at monetizing data in a wide variety of forms. They take their research seriously and can discover a huge amount of detail freely available on the internet about the wealthy, their families and their connections. Armed with this they can begin to work out easier ways to penetrate a victim’s network.
Seen from the perspective of cyber security professionals, family offices tend to break all the most important rules for staying safe. In the security world, a disciplined separation of the personal from the corporate and financial is a key principle. By definition this is difficult for family offices, where the two cross over continually.
And while family offices may control large amounts of money associated with major enterprises, they themselves are more likely to resemble small businesses. They may have relatively few staff and no in-house IT or security function; they will not be spending millions on the cyber defenses of a major bank. They are less likely to rigorously update their systems and will often give all employees access to all aspects of the network, another open goal in cyber security terms.
The intimacy and informality of a family office make it hard to instill good security discipline. Large banks will severely restrict what senior executives can access from company devices and will build in layers of authentication. What they have permission to do, and what transactions they carry out, will be actively monitored and logged. This can be inconvenient and tiresome but they accept the necessary trade-off between ease-of-use and good security. This may be much harder to achieve among senior family members.
Even if cyber security awareness is high, family offices are particularly vulnerable to attacks delivered through unwitting third party vendors. Law firms and small investment houses, property companies or the myriad of suppliers used every day may be the weak link through which access can be gained. And like all organisations, families and high net worth individuals will be concerned about insiders, perhaps not in their own offices but among their suppliers. We regularly see disgruntled staff or, more often, those bribed by criminal groups, facilitating attacks by others or stealing data themselves.
Quantifying the losses from this new trend is difficult: few families or individuals will discuss publicly their financial or data loss and may not want to involve law enforcement in order to preserve their privacy. But in the security industry we have seen a significant rise in successful attacks on family offices and high net worth individuals.
In one case, a criminal group guessed the email password of a senior family member and spent some weeks reading the email traffic. Having seen that the victim was overseeing the renovation of a family property in the US, they waited until he was traveling and took advantage of the time difference to send convincing emails to his personal assistant asking her to pay a succession of contractor bills urgently. By deleting the emails and the replies they ensured that he knew nothing about the money being spent – in this case over $1m in a single week – until he returned from his travels. Since the transactions were all sanctioned by his assistant and legitimate, albeit to a fraudster’s account, he had no grounds on which to expect his bank to cover them.
In another case, an investigation into the compromise of a large US company led us back to the origins of the attack, which was the senior family member. He in turn had been inadvertently ‘infected’ by his son, who had been persuaded to access a website through his Facebook account. When he visited it he unknowingly downloaded some malware which allowed the attackers to control his laptop and from there make the jump to his father, and through his father to the company network.
These cases, and many more which we have seen, illustrate the care criminals will take in crafting attacks to appeal to high net worth victims. ‘Spear-phishing’ emails will typically be based on careful research, in one case made to look like an email from the school of one of the victim’s children.
Once successfully inside a network, criminals may take some time - often weeks or months - to look around and assess what data is valuable. For families this is a particular problem. In looking through the material available to them, criminal data miners may find non-financial personal material which can be deeply embarrassing and compromising. This has been very publicly illustrated in major thefts from law firms, and last year I saw a case where a public figure was blackmailed with data stolen in an entirely unrelated attack on a European public relations company: the criminals involved had got lucky and stumbled across personal information on a well-known name.
Faced with the scale and complexity of these attacks, there is tendency to despair. But the reality is that privacy, money and data can be protected. For most offices that will mean assessing the current state of defenses and taking remedial action, much of which will be about awareness, behavior and good practice, rather than expensive technology. For most family offices, the cost-effective solution will be to buy a managed security service which will take care of monitoring and fixing problems, much as they would in hiring physical security or guarding services.
Underpinning all of this will be a change in awareness and attitude. The unseen threat of data compromise and theft is pervasive. It will continue to be with us as our lives, family and business, become ever more dependent on data and the technology which carries it. The answer is to spend proportionate effort protecting the things we care most about, and making sensible contingency plans for when attacks succeed. The objective is not to be perfect but to harden defenses, reduce risk, and contain damage.
Robert Hannigan is European Executive Chairman of BlueVoyant and former Director of GCHQ, the UK’s largest intelligence and cyber security agency.