Google, Apple, Morgan Stanley, the NSA, Verizon, SWIFT and other large organizations have all been hacked, sometimes for months without noticing, losing trade secrets, money and intellectual property in the process.
As a family office, how can you contain your risks and identify attacks as soon as they occur, so as to limit the amount of data and information that can be stolen from you? We discuss those risks with René Raabe.
Can you give us examples of attacks targeting family offices?
Only a few cases are reported. In general hackers are after e-banking passwords and electronic documents with sensitive content.
In one instance, a hacker monitored unsecured email exchanges between a family member and the Family Office staff. He then hacked the email account and asked for a wire transfer via email, using a similar writing style as the family member.
The transfer was executed and the money was lost. Other examples involve employees who steal data for their financial benefit, hand the information to tax authorities or tarnish the family’s reputation.
What are the best practices and the best security programs you have identified among family offices?
A large number of Family Offices have no or a reduced online presence to limit their online visibility and footprint. But many have an IT security policy in place. They often use private cloud setups with Virtual Private Network (VPN) access and can limit their online activity to pulling data from the internet (e.g. positions/transactions/price updates for consolidation), instead of pushing data (e.g. placing payments or orders via the Internet). Some block access to social media platforms and the print screen functionality.
An IT security policy usually starts with an inventory to identify where the weakest points of access are. A family office would list its hardware, email accounts and identify who has access to what. They would also conduct regular background checks on their staff. Standard security policies involve the definition of system users’ rights, social media access and processes for bank transfers. They also involve the definition of access processes (e.g. regular password change, encrypted emails, multiple factor authentications).
How are attacks carried out? What are the typical entry points?
Typical entry points for hackers are public WiFi networks, unsecured email accounts, social media accounts and company homepages.
A popular method with hackers is called “phishing”. With this method, hackers aim to obtain information (e.g. passwords) from the target by masquerading as a reputable entity in an email. The victim receives a message that appears to have been sent by a known contact or organization. An attachment or link in the message installs malware on the user’s device, or directs them to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details.
A pervasive type of phishing is the spear phishing attack, which is directed at specific individuals or companies. The hacker researches the victim in detail in order to create a genuine-looking message, which increases the chance of the attack being successful. In many cases social networks are the sources used by hackers to gather background information about the victim’s personal history, their interests and activities. Vacations, names, job titles and email addresses of colleagues and key company employees are searched for. This information is then used to craft a believable email.
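The phishing and wire-fraud scenarios above both rest on a message that looks like it comes from a known contact. The following is an added example (not code from the interview or from Expersoft) of the kind of inbound-mail check a family office could run: it parses the From and Reply-To headers and flags three defender-relevant signs, a known display name attached to an unexpected sender domain, a domain that is one or two characters away from a trusted domain, and a Reply-To that silently redirects replies elsewhere. The contact directory and the four messages are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed directory (assumption, not from the article):
# normalised display name -> the domain that contact actually sends from.
KNOWN_CONTACTS = {
    "jane doe": "example-family.com",
    "family office accounting": "example-family.com",
}
KNOWN_DOMAINS = set(KNOWN_CONTACTS.values())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e-family.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_parts(header_value: str):
    """Split 'Jane Doe <jane@example-family.com>' into (name, address, domain), lower-cased."""
    name, addr = parseaddr(header_value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def assess_message(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message (empty = nothing suspicious)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr, domain = sender_parts(str(msg.get("From", "")))
    findings = []

    # 1. Known display name, but the address is not on that contact's real domain.
    expected = KNOWN_CONTACTS.get(name)
    if expected and domain != expected:
        findings.append(f"display-name impersonation: '{name}' expected @{expected}, got @{domain}")

    # 2. Sender domain is a near miss of a trusted domain (typosquat / homoglyph).
    if domain and domain not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if 0 < edit_distance(domain, known) <= 2:
                findings.append(f"lookalike domain: {domain} resembles {known}")

    # 3. Replies are routed to a different domain than the one shown in From.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr, reply_domain = sender_parts(str(reply_to))
        if reply_domain and reply_domain != domain:
            findings.append(f"reply-to mismatch: replies go to {reply_addr}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": "From: Jane Doe <jane@example-family.com>\nTo: office@example-family.com\n"
             "Subject: Q3 statements\n\nAttached as discussed.\n",
    "webmail": "From: Jane Doe <jane.doe@webmail.example>\nTo: office@example-family.com\n"
               "Subject: Urgent wire transfer\n\nPlease transfer today, I am travelling.\n",
    "lookalike": "From: Jane Doe <jane@examp1e-family.com>\nTo: office@example-family.com\n"
                 "Subject: New bank details\n\nPlease update the beneficiary.\n",
    "replyto": "From: Jane Doe <jane@example-family.com>\nReply-To: jane.doe@webmail.example\n"
               "To: office@example-family.com\nSubject: Quick question\n\nCan you confirm the balance?\n",
}


def triage_all() -> dict:
    """Run the checks over every constructed sample; returns {label: [findings]}."""
    return {label: assess_message(raw) for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in triage_all().items():
        print(f"{label}: {findings or 'clean'}")
```

Flagged messages are not proof of fraud; the useful operational rule is that any payment instruction carrying a finding is confirmed with the contact over a channel other than email before anything is executed.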
How do you detect an intrusion?
The most common and well-known solutions to avoid and detect intrusions are anti-virus software, junk-email blockers and firewalls.
But a more powerful and less well-known way to identify potential or existing security gaps is penetration testing.
The main objective of penetration testing (or pen testing) is to identify security weaknesses. Pen testing evaluates computer systems, networks or Web applications to identify vulnerabilities that an attacker could exploit. Pen testing can be automated or performed manually. The process includes several steps such as gathering information about the target before the test (reconnaissance), identifying possible entry points, attempting to break in (either virtually or physically) and reporting back the findings.
Without compromising your security, what can you tell us about the steps you take to limit your clients’ risk of intrusion when using your software and IT solutions?
Our IT infrastructure and security measures are regularly audited by KPMG and complemented with regular penetration tests from the company Compass-Security. Expersoft maintains, updates and replaces its hardware regularly to match the latest security requirements.
For each new installation, the question of where to host our application needs to be answered. Expersoft advises Family Offices on necessary IT infrastructure for an in-sourcing setup as well as advantages of a hosted solution. The chosen solution depends on the client’s attitude and preferences and it is important to say that Expersoft supports both options.
Compared to a standard in-sourcing solution where a Family Office normally uses a single server protected with a firewall, Expersoft uses a data centre with multi-zone architecture and dedicated, hardened servers (web tier, business tier and data tier) for its hosted solution.
Expersoft’s hosted solution is a so-called private cloud, which can only be accessed via Virtual Private Network (VPN).
A public cloud is one in which the services and infrastructure are provided off-site over the Internet. These clouds offer the greatest level of efficiency in shared resources; however, they are also more vulnerable than private clouds. A public cloud is the obvious choice when a standardized workload for applications is used by lots of people, such as email or if there is a need for incremental capacity (the ability to add computer capacity for peak times).
A private cloud is one in which the services and infrastructure are maintained on a private network. These clouds offer the greatest level of security and control, but they require the company to still purchase and maintain all the software and infrastructure, which reduces the cost savings. Control and security are paramount as our business is part of an industry that must conform to strict security and data privacy issues.
Our software features strong user management measures, such as a combination of username and password (see password setting rules recommendation) linked with a one-time token (2-factor authentication). Expersoft offers an encryption proxy for sensitive data (e.g. CRM-related information).
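The "username and password linked with a one-time token" described above is the standard two-factor login. The following is an added example, not Expersoft's code and not a description of their product, that implements the usual building blocks: a salted PBKDF2 password record, an RFC 6238 TOTP (HMAC-SHA1, 30-second step) as the one-time token, a small clock-drift window, constant-time comparison of the submitted code, and rejection of a token that has already been used. The user record, password and secret are constructed for the example; the TOTP secret is the RFC 6238 test key so the expected codes can be checked against the RFC.

```python
import hashlib
import hmac
import os
import struct

TOTP_STEP = 30          # seconds per token, per RFC 6238 default
TOTP_WINDOW = 1         # accept one step of clock drift either way
PBKDF2_ROUNDS = 200_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: truncate HMAC-SHA1(secret, counter) to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time-step counter."""
    return hotp(secret, int(at_time) // step, digits)


def make_password_record(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; only this is stored, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def verify_password(record: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["digest"])


def enroll(username: str, password: str, totp_secret: bytes) -> dict:
    """Constructed user record (assumption: a real system would persist this)."""
    return {
        "username": username,
        "password": make_password_record(password),
        "totp_secret": totp_secret,
        "last_counter": -1,   # highest time-step already consumed, for replay protection
    }


def login(user: dict, username: str, password: str, token: str, now: int) -> bool:
    """Both factors must pass; a correct token may be used only once."""
    if username != user["username"] or not verify_password(user["password"], password):
        return False
    base = int(now) // TOTP_STEP
    for drift in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
        counter = base + drift
        if counter <= user["last_counter"]:
            continue                                  # already used or older than a used token
        if hmac.compare_digest(hotp(user["totp_secret"], counter), token):
            user["last_counter"] = counter            # burn this time step
            return True
    return False


# Constructed demo data: RFC 6238 test secret, so codes can be checked against the RFC table.
DEMO_SECRET = b"12345678901234567890"
DEMO_USER = enroll("alice", "correct horse battery staple", DEMO_SECRET)

if __name__ == "__main__":
    code = totp(DEMO_SECRET, 59)                      # RFC 6238 vector: 287082
    print("login with fresh token:", login(DEMO_USER, "alice", "correct horse battery staple", code, 59))
    print("replay of same token:  ", login(DEMO_USER, "alice", "correct horse battery staple", code, 59))
```

The replay check is the detail most home-grown implementations miss: without it, a token captured from a phishing page remains valid for the rest of its 30-second step plus the drift window, which is exactly the interval an attacker relaying the login in real time needs.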
Does the zero risk exist?
To be honest, zero risk doesn’t exist. However, it should always be one’s goal to reduce vulnerability and avoid fraud as much as possible. Known key risks are employees who have internal access to the data, as well as weak IT systems. One should be careful with sharing sensitive data, social media communications and other publicly accessible information.
What future challenges do you anticipate?
There is one buzzword – Big data. Already a huge amount of data has been collected and stored for each individual and this will further increase. With global changes such as the upcoming AEI (Automatic Exchange of Information) we get closer and closer to a loss of privacy rights. This data will gain more and more value. Even today it is possible to sell personal data for large amounts of money. The challenge will be to have the right security tools in place to protect these data treasures.