How High Net Worth Families Are Protecting Themselves Against Cyber Attacks
This week’s announcement that Saudi Arabian crown prince Mohammed bin Salman allegedly hacked into Jeff Bezos’ cellphone should serve as a reminder to high net worth families that their private information is only one bad actor away from becoming public.
“The smartest of families understand that they probably will suffer a cyber attack,” says Samantha Ravich (pictured right), chairman of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a nonpartisan research institute in Washington, D.C.
Indeed, cyber attacks are inevitable, experts say. The only variables are how much damage they will cause and which measures families take to mitigate the harm. The average American is subjected to hundreds of hacking attempts a day, most of which are unsuccessful, Mark Rasch, an attorney specializing in cyber issues, says. The number—and the risks those attempts pose—increases exponentially for high net worth families.
Unfortunately, data security isn’t limited to what Ravich calls the “low hanging fruit” of insecure software and obvious passwords. As the internet of things becomes increasingly embedded in our daily lives, with everything from thermostats to cars transmitting information about our travels and our homes, savvy families need to expand their vigilance.
Fortunately, cyber firms that once worked exclusively with government and corporate clients are now tailoring their services to families, offering bespoke products that pair specific types of adversarial tactics, techniques and procedures with the security software most able to defend against them.
The best prepared families hire a third party to penetration-test their systems. They should also have a backup and recovery strategy, and a team comprised of a cybersecurity monitoring firm, lawyers, an insurance agent and possibly law enforcement, in the case of ransomware, fraud or extortion, Ravich says.
Rasch, who works with executives, sports figures and major banks, runs drills with his clients, staging mock attacks and analyzing participants’ reactions. It may be frustrating, Rasch acknowledges, but he does not offer prescribed behaviors, only guidelines. Expecting clients to adhere to specific rules about which internet devices to eschew or which online habits to break is often unrealistic.
“There’s no right way to respond to an incident, so the goal here is to pick the least wrong way, and to be aware of increasing privacy and security,” Rasch says.
That’s harder than it sounds.
Recently, in an exercise for a large New York bank, Rasch told all participants that control of information was critical, and that they shouldn’t tell anyone about an incident unless they first cleared it with their public relations office. Everyone agreed, and then Rasch created a problem with their IBM system. Rasch’s clients sprang to action, calling IBM, calling an outside tech vendor and various other resources and, ultimately, making 60 external phone calls, none of which they cleared with their public relations office.
“They were disseminating information about the incident without realizing that they were doing that,” Rasch says. “The next phone call was a reporter who said, ‘Hey, I’ve heard from a source that you’re having an incident.’ Who was the source? It could be any one of those 60 people they called.”
Families can reduce the risk of that kind of panicked reaction, Rasch says, by taking a few simple measures.
First, Rasch advises buying cyber insurance, which is increasingly available by large carriers like AIG and Chubb. As with any insurance, it’s important to define your specific needs, to verify exactly what the policy covers and to differentiate among the myriad nightmare scenarios cybersecurity experts outline.
“All of the very expensive stuff that can happen to you can be mitigated by appropriate insurance, but the trick here is to make sure that the insurance you are buying will mitigate the actual risks,” Rasch notes. “A data breach insurance policy will not help you if you’re the victim of identity fraud. If you’re a victim of revenge porn, you’re going to want to sue and to investigate. A law firm can help, and you want to have some insurance that will cover you for that as well. It’s really a question of teasing out what the policies mean.”
Other relatively easy measures Rasch recommends are using pseudonyms for social media accounts, and moving email servers to distant locations, like the Isle of Man.
Rasch also frequently engineers a “honeypot” for his clients, essentially creating an online decoy that will attract potential hackers, keeping them from a client’s actual cyber presence.
“It’s designed to attract the attacker, so that you can monitor what they’re doing. If you’re under attack, you can direct the traffic over to a honeypot, but you have to have designed it and built it in advance,” he says.
Ravich also notes that the people most entrusted by high net worth families may in fact be the least equipped to provide cybersecurity.
“Law firms are notoriously bad at cybersecurity, and yet they hold critical information for high net worth families—not just financial information, but personal details that a family would not wish to see exposed,” she says. Ravich urges families to be adamant that any firm they retain—whether legal, accounting, public relations or wealth management—has the highest cybersecurity standards. Otherwise, she says “take [your] business elsewhere.”
Travel, especially in the most rarefied realm, also poses significant security issues.
“Private jets and super yachts are particular targets for compromise, not just because of their passengers but because they rely on a host of connected devices. Transmitting geolocation—detailed travel itineraries, schedules regarding the transportation and guarding of minor children—needs to be especially guarded,” Ravich says.
Her tips: obfuscating or using burner identities, changing routes and choosing minimal disclosure conditions to third parties when using big platforms like Android. An obvious but often overlooked danger: seemingly innocuous posts about things like travel plans and birthdays on social media, which can give potential hackers and other criminals critical information, both about a family’s whereabouts and, equally important, their absences.
When planning travel, families should be mindful that some destinations will magnify their exposure to cyber menaces.
“In countries like China, perhaps the largest cyber adversary the U.S. currently faces, visitors oftentimes cannot use cash and must open Alipay accounts, thereby providing the Chinese Communist Party with direct information about all purchases and movements,” she notes.
Even quotidian home internet use can be perilous, both Rasch and Ravich say, leaving children particularly vulnerable.
“High net worth individuals must remember that their children may be particular targets for espionage to gain information about the family, ransomware attacks and even physical attacks,” she says.
Rasch addresses this with special workshops for kids, covering topics including cyber bullying. For adolescents resistant to security measures, Ravich recommends “taking the ‘human factor’ out of the equation and only providing teenagers with devices that are more secure by default, sending only encrypted data and requiring strong passwords.”
To guard against potential malfeasance by household staff, Ravich recommends monitoring their credit card and banking information “in real time—with proper notification—to ensure no sudden affluence out of proportion with their means.”
Looking ahead, Ravich says, vigilance remains key, as the innovations promised by artificial intelligence—increased productivity, better preservation of precious resources and autonomous planes, trains and automobiles—will also lead to further risks.
“Things such as deep fakes and spear phishing, impersonating a trusted sender of emails, for instance, can become much more believable,” Ravich warns. “Even things like using personally identifiable information, perhaps from DNA kits, coupled with cybersecurity vulnerabilities to write individualized and targeted malware could become more common.”
And a final word of warning in this highly politically charged time: “High net worth families that are politically active may be at particular risk in this election year, given the past attempts at election interference by nation-state actors,” Ravich says.