Family offices, private equity firms and small to midsize financial services organizations hold special appeal for cyber attackers. They give criminals potential access to sums comparable to those held at big banks and institutions, but often lack the same well-fortified defenses. In 2017, almost two thirds of all cyber breaches targeted small businesses, up from 53 percent in 2016, according to the Verizon Data Breach Investigations Report.
One reason for the spike is that cyber attacks have become more organized and sophisticated, leveraging dark web chat forums and government-grade software tools. Even institutions with strong security protocols can be tripped up by attacks on individual employees’ home WiFi, for example. Digital transactions have also increased in number, and each one is a potential point of exposure to attackers.
The good news is even smaller financial firms can sharply reduce their exposure by taking the right proactive measures.
• Combine several layers of monitoring and response protection: Single solutions like a strong firewall or antivirus measures can’t protect against every cyber threat. Smaller companies need comprehensive cyber security support that delivers round-the-clock protection, including advanced endpoint detection, ransomware and malware blocking, network defense, threat intelligence and real-time, remote response. That kind of coverage can cost the typical small company about $10,000 a month—far less than the cost of one experienced full-time hire and a fraction of what it would cost to acquire the relevant technology and skillsets outright.
• Establish the right process controls: It’s important to develop a written cyber protection policy with clear protocols for devices, passwords, social media, payment authorization and other process controls. Examples: mandating that any transaction over an agreed-upon amount receive at least two written approvals, instructing banks not to accept email orders without first validating the request with a phone call to the firm or office, and requiring home WiFi routers to be protected. Requiring strong password protections is also crucial.
• Implement data backups: Backups are one of those dull essentials that too many organizations neglect. But the damage that can occur when records are destroyed or altered, be it from a ransomware attack or other breach, can be catastrophic. Such events can result in the permanent loss of important personal and business data. With ransomware attacks occurring at a rate of one every 40 seconds, institutions must get into the practice of backing up regularly and verifying the integrity of those backups to ensure all necessary information is captured.
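The integrity check this item calls for can be made routine rather than ad hoc. The following is an added example, not code from the article or from BlueVoyant: it records a SHA-256 manifest of a backup set at backup time, then re-verifies the set later and reports files that were altered, removed or added in the meantime (what a ransomware event or silent corruption looks like to a verifier). The directory layout, file names and contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB pieces so large backups don't need to fit in memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of one file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every regular file under backup_root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(backup_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(backup_root).as_posix()] = sha256_file(p)
    return manifest


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree as it is now against the manifest taken when it was made.

    Returns sorted lists of altered (hash mismatch), missing (in manifest, not on disk)
    and unexpected (on disk, not in manifest) paths, plus an overall 'ok' flag.
    """
    current = build_manifest(backup_root)
    altered = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "altered": altered,
        "missing": missing,
        "unexpected": unexpected,
        "ok": not (altered or missing or unexpected),
    }


def demo() -> dict:
    """Build a constructed backup set, snapshot it, tamper with it, and re-verify.

    The file names and contents here are made up for the example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "2017-q4.csv").write_text("date,amount\n2017-12-01,1500.00\n")
        (root / "clients.json").write_text('{"count": 42}')

        manifest = build_manifest(root)      # taken at backup time, stored off the backup volume
        clean = verify_backup(root, manifest)  # immediately after the backup: should be ok

        # Simulate an encrypted file, a deleted file and a ransom-note file appearing.
        (root / "clients.json").write_bytes(b"\x00encrypted\x00")
        (root / "ledger" / "2017-q4.csv").unlink()
        (root / "clients.json.locked").write_text("constructed ransom note")

        tampered = verify_backup(root, manifest)  # should flag all three changes
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print("fresh backup ok:", result["clean"]["ok"])
    print("after tampering:", result["tampered"])
```

Two points of practice the code implies but does not enforce: keep the manifest somewhere the backup job cannot overwrite (an attacker who can encrypt the backup can just as easily regenerate a matching manifest if it sits beside the data), and schedule the verification so that a failing result reaches someone, since an unread report is no better than no check at all.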
• Get an annual cyber checkup: While it is certainly important to conduct regular cyber risk assessments in partnership with the head of IT, the chief information security officer and other members of management, it’s also important to get an outside perspective to validate internal protocols and objectively assess the company’s preparedness.
• Consider cyber insurance: Firms should ensure that their policy is priced attractively for their risks, and they must be careful to consider the coverage, since some policies are written to cover financial losses while many others are narrowly written to cover just the aftermath of the immediate attack.
• Protect your portfolio companies: Family offices and private equity firms not only need to keep their own house in order, they need to look out for the needs and vulnerabilities of their portfolio companies. Firms should ask portfolio companies to prepare quarterly cyber hygiene reports and require that at least one board meeting a year include a discussion of cyber health. At the portfolio company level, insist that each entity conduct an annual cyber health review and encourage them to engage a managed security service provider to improve their cyber security defenses. These measures help embed and sustain better cyber discipline.
Consider bringing in outside advisors to conduct a cyber risk assessment across your portfolio, since the board needs to understand those risk factors to make truly informed investment decisions and encourage sound practices across the portfolio.
Finally, don’t let cost be a barrier. Family offices and private equity firms have considerable collective buying power. Purchasing needed security and legal services for both the core and portfolio companies can allow firms to obtain substantial discounts.
The onset of a breach is the very worst time for a business to be scrambling for help. Firms need to line up the right relationships now to ensure they have someone to call and a plan in place when an event does happen. To protect their reputations and assets, family offices and private equity firms need to manage their cyber security as thoughtfully as they’re managing their business interests.
Jim Rosenthal is CEO of BlueVoyant and Austin Berglas is global head of cyber forensics and incident response for BlueVoyant.