Anyone who studies the activities of organised cybercrime groups cannot fail to be impressed by their creativity, innovation and adaptability. Cyber criminals are applying to online fraud the kind of resources and effort once associated with the narcotics trade, and that effort is yielding hundreds of millions in revenue every year.
This has inevitably led to a growing criminal interest in family offices and high net worth individuals. Family offices are a perfect target: they control significant wealth but have few of the cyber security defences associated with large companies. They present rich pickings for fraud, for theft, and for extortion that trades on privacy concerns and the fear of reputational damage. Criminals are good at monetising data in a wide variety of forms. They take their research seriously and can discover a huge amount of detail, freely available on the internet, about the wealthy, their families and their connections. Armed with this they can work out the easiest route into a victim’s network.
While family offices may control large amounts of money associated with major enterprises, they themselves are more likely to resemble small businesses. They may have relatively few staff and no in-house IT or security function; they will not be spending millions on the cyber defences of a major bank. They are less likely to patch their systems rigorously, and they will often give every employee access to every part of the network rather than only what each role requires, another open goal in cyber security terms.
The intimacy and informality of a family office make it hard to instil good security discipline. Even if cyber security awareness is high, family offices are particularly vulnerable to attacks delivered through unwitting third party vendors. Law firms and small investment houses, property companies or the myriad of suppliers used every day may be the weak link through which access can be gained. And like all organisations, families and high net worth individuals will be concerned about insiders, perhaps not in their own offices but among their suppliers. We regularly see disgruntled staff or, more often, those bribed by criminal groups, facilitating attacks by others or stealing data themselves.
Quantifying the losses from this new trend is difficult: few families or individuals will discuss publicly their financial or data loss and may not want to involve law enforcement in order to preserve their privacy. But in the security industry we have seen a significant rise in successful attacks on family offices and high net worth individuals.
In one case, a criminal group guessed the email password of a senior family member and spent some weeks reading the email traffic. Having seen that the victim was overseeing the renovation of a family property in the US, they waited until he was travelling and took advantage of the time difference to send convincing emails to his personal assistant asking her to pay a succession of contractor bills urgently. By deleting the emails and the replies they ensured that he knew nothing about the money being spent – in this case over $1m in a single week – until he returned from his travels. Since every payment had been authorised by his assistant, the transactions were legitimate from the bank’s point of view, albeit made to a fraudster’s account, and he had no grounds on which to expect his bank to cover them.
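The attacker in this case covered their tracks by deleting both the payment requests they sent and the assistant's replies, so the mailbox itself showed nothing. What the mailbox owner cannot see, a server-side audit trail still records. The following is an added example, not code from the article or from BlueVoyant, showing the kind of correlation a monitoring service would run over such a trail: a payment-related message sent from an unfamiliar address whose sent copy and reply are deleted shortly afterwards. The log format, the sample events, the IP addresses and the keyword list are all constructed for illustration and do not correspond to any vendor's real audit schema.

```python
"""
Added example (not part of the original article): flag the cleanup pattern from
the payment-fraud case in a mailbox audit trail.

The event format is a constructed, simplified schema (an assumption for this
example), one event per line:
  <timestamp> <session ip> <Send|Delete> <message id> '<subject>' <recipient|folder>
For Send the last field is the recipient; for Delete it is the folder the
message was deleted from.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit events. 203.0.113.7 is the attacker's session;
# 198.51.100.20 is the mailbox owner's usual address.
SAMPLE_EVENTS = [
    "2019-03-04T02:11:05Z 203.0.113.7 Send msg-101 'Urgent: contractor invoice 4471' pa@example-family.com",
    "2019-03-04T02:40:31Z 203.0.113.7 Delete msg-101 'Urgent: contractor invoice 4471' Sent",
    "2019-03-04T03:02:12Z 203.0.113.7 Delete msg-102 'Re: Urgent: contractor invoice 4471' Inbox",
    "2019-03-04T09:15:00Z 198.51.100.20 Send msg-103 'Dinner on Friday?' friend@example.net",
    "2019-03-05T01:58:44Z 203.0.113.7 Send msg-104 'Please wire final payment to new account today' pa@example-family.com",
    "2019-03-05T02:20:09Z 203.0.113.7 Delete msg-104 'Please wire final payment to new account today' Sent",
    "2019-03-05T02:45:51Z 203.0.113.7 Delete msg-105 'Re: Please wire final payment to new account today' Inbox",
]

OWNER_KNOWN_IPS = {"198.51.100.20"}  # constructed: addresses the owner normally signs in from

EVENT_RE = re.compile(r"^(\S+) (\S+) (Send|Delete) (\S+) '([^']*)' (\S+)$")
PAYMENT_RE = re.compile(r"\b(invoice|payment|wire|transfer|pay|account|bill)\b", re.I)


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    action: str   # 'Send' or 'Delete'
    msg_id: str
    subject: str
    extra: str    # recipient for Send, source folder for Delete


@dataclass
class Alert:
    msg_id: str
    subject: str
    ip: str
    reasons: list


def parse_event(line):
    """Parse one audit line into an Event; reject anything that does not fit the schema."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    ts, ip, action, msg_id, subject, extra = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, action, msg_id, subject, extra)


def normalise_subject(subject):
    """Strip leading Re:/Fwd: prefixes so a reply matches the message it answers."""
    return re.sub(r"^(\s*(re|fwd?)\s*:\s*)+", "", subject, flags=re.I).strip().lower()


def detect_bec_cleanup(lines, known_ips, window=timedelta(hours=24)):
    """Return an Alert for each payment-related Send whose trail was cleaned up.

    A Send is suspicious when, within `window`, the sent copy is deleted from
    Sent or a reply with the same normalised subject is deleted from Inbox.
    An unfamiliar session IP is recorded as an extra reason but is not required,
    because a guessed password may be used from anywhere.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    alerts = []
    for sent in events:
        if sent.action != "Send" or not PAYMENT_RE.search(sent.subject):
            continue
        reasons = []
        if sent.ip not in known_ips:
            reasons.append(f"sent from unfamiliar IP {sent.ip}")
        key = normalise_subject(sent.subject)
        later = [e for e in events
                 if e.action == "Delete" and sent.ts <= e.ts <= sent.ts + window]
        if any(e.msg_id == sent.msg_id and e.extra == "Sent" for e in later):
            reasons.append("sent copy deleted from Sent within window")
        if any(e.msg_id != sent.msg_id and e.extra == "Inbox"
               and normalise_subject(e.subject) == key for e in later):
            reasons.append("reply deleted from Inbox within window")
        if any("deleted" in r for r in reasons):
            alerts.append(Alert(sent.msg_id, sent.subject, sent.ip, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_bec_cleanup(SAMPLE_EVENTS, OWNER_KNOWN_IPS):
        print(f"{a.msg_id} {a.subject!r} from {a.ip}: " + "; ".join(a.reasons))
```

Run against the constructed events, the detector raises two alerts (msg-101 and msg-104), each with three reasons, and ignores the owner's own unrelated message. Two caveats a practitioner would add: an audit trail only helps if it is retained and someone is actually watching it, which is the point of the managed monitoring discussed later in the piece; and the process control that would have stopped this particular case is call-back verification of any new or changed payment instruction on a number already known to the assistant, not one quoted in the email.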
In another case, an investigation into the compromise of a large US company led us back to the origins of the attack, which was the senior family member. He in turn had been inadvertently ‘infected’ by his son, who had been persuaded to access a website through his Facebook account. When he visited it he unknowingly downloaded some malware which allowed the attackers to control his laptop and from there make the jump to his father, and through his father to the company network.
Once successfully inside a network, criminals may take some time - often weeks or months - to look around and assess what data is valuable. For families this is a particular problem. In looking through the material available to them, criminal data miners may find non-financial personal material which can be deeply embarrassing and compromising. This has been very publicly illustrated in major thefts from law firms, and last year I saw a case where a public figure was blackmailed with data stolen in an entirely unrelated attack on a European public relations company: the criminals involved had got lucky and stumbled across personal information on a well-known name.
Faced with the scale and complexity of these attacks, there is a tendency to despair. But the reality is that privacy, money and data can be protected. For most family offices, the cost-effective solution will be to buy a managed security service that takes care of monitoring and of fixing problems as they arise, much as they would hire physical security or guarding services.
Underpinning all of this will be a change in awareness and attitude. The unseen threat of data compromise and theft is pervasive. It will continue to be with us as our lives, family and business, become ever more dependent on data and the technology which carries it. The answer is to spend proportionate effort protecting the things we care most about, and making sensible contingency plans for when attacks succeed. The objective is not to be perfect but to harden defences, reduce risk, and contain damage.
Robert Hannigan is European Executive Chairman of BlueVoyant, a global cyber security services company, and a former Director of GCHQ, the UK’s largest intelligence and cyber security agency.