8 minute read 6 May 2020

What cybersecurity risks family enterprises and offices face during COVID-19

By Helena Robertsson

EY Global and EMEIA Family Enterprise Leader

Leader in helping family-owned businesses realize their ambitions. Trusted tax advisor. Excited and proud to collaborate with professionals around the globe.

Cybercrime is accelerating rapidly during the COVID-19 outbreak. Family enterprises and offices need to tighten their cybersecurity.

Cyber attacks are accelerating as criminals and other threat actors seek to exploit the disruption caused by the COVID-19 pandemic. As businesses scramble to implement sweeping remote work practices and online-only interactions with employees, customers and vendors, these changes have brought heightened cybersecurity risks. Some Family Enterprises (FEs) and Family Offices (FOs) are recognizing the danger and taking steps to increase their cybersecurity capabilities, but others need to catch up quickly.

Even before the pandemic, some FEs and FOs were lagging behind in cybersecurity practices. Historically, cybersecurity in FOs and smaller FEs has focused on finances (e.g., making sure money is not transferred mistakenly or fraudulently). But as information has moved to the cloud and social media, the walls of these businesses have expanded — opening many more opportunities for attack.

Threats from all directions: phishing, data theft, remote work

According to a recent article by Kris Lovejoy, EY Global Consulting Cybersecurity Leader, the rush to remote work and the general sense of panic set off by COVID-19 has opened the door to a wide range of additional cybersecurity risks that FEs must attend to urgently:

  • Increased remote work: Threat actors are taking advantage of cybersecurity holes caused by widespread telecommuting, such as increased pressure on IT teams, users bypassing cybersecurity leading practices and remote administration of critical information.
  • Increased phishing and malicious content: Threat actors have significantly increased their use of phishing, malicious sites and business email compromise attempts linked to the pandemic.
  • Increased data theft: Threat actors conducting data theft for extortion, disruptive or destructive ransomware attacks, and/or seeking to damage an enterprise’s brand have targeted organizations perceived as under pandemic-related strain.

“COVID-19 has made it more pressing than ever that family firms develop control structures that create a protective stance and readiness to respond.”
Paul McKibbin, EY Americas Family Office Advisory Managing Director

The principal risk

FOs and FEs add yet another risk to this list: the families themselves. In FOs and smaller FEs, the person in charge of IT may not have control over the actions of principals and their family members. There is no chief information security officer with tight rein over devices, access and usage, as there is in large enterprises. Instead, there is a small staff that must try to manage IT controls with governance, frequent education and personal influence.

Family members range from tech-savvy teenagers to tech-averse octogenarians and everyone in between. They may use personal emails or follow substandard mobile security practices, leaving them — and their family firms — open to malware, phishing attacks and wire fraud, all on the rise during the pandemic.

For example, if a principal insists on using an unsupported Android phone and routinely downloads unsupported apps from unapproved app stores, they are very likely to accidentally install malware, handing full access over to an attacker.

That attacker may spend months monitoring the victim’s correspondence, their movements and their communication style to mimic them effectively. They can then use this knowledge and access to give disastrous directions to employees, like ordering an employee to make a seven-figure wire transfer, using the principal’s own mobile device and email account.

In the COVID-19 environment, loose cybersecurity practices mark FOs, smaller FEs and principals as easy targets for attack.

“Much of the reputational risk is in their broader footprint, out in the world, not within a server. That information footprint is less in their control.”
Haris Shawl, Cybersecurity Senior Manager, Ernst & Young LLP

Reputation and privacy must be protected

At their most severe, cyber attacks can be devastating to a family firm’s legacy. An attack could threaten reputation by associating the family’s name and brand with a scam or unreliable product, or it could bring down systems, leading to a serious disruption in customer service or employees’ ability to work. In research completed for the latest Global Capital Confidence Barometer, 24% of 394 FE leaders in middle-market companies named reputational damage as their greatest fear related to cybersecurity.

“Cyber threats are increasingly placing family firms’ reputations at risk in a way that many are not yet sufficiently protected against.”
Adam Wright, Cybersecurity Managing Director, Ernst & Young LLP

For many FEs, the brand is synonymous with the family name, and that name carries tremendous social capital. When the family name is tarnished, so is the brand. One very well-known family name has been used without the family’s consent to sell dubious financial products via social media. The family has spent years carefully curating their name and their brand, ensuring that it is associated only with the products, services and causes they believe in. Now the brand is at risk through no fault of their own.

Reputational risk: 24% of family enterprise leaders in middle-market companies named reputational damage as their greatest fear related to cybersecurity.

FOs also carry data privacy risks, and when private family information and correspondence are stolen or leaked, it can create serious reputational damage and risk of litigation. With only a handful of employees, FOs have limited tools and talent to monitor and ensure the data privacy of the principals. Even when they invest in leading-class cybersecurity technology, too often they take a “set it and forget it” posture. The systems are doing what they are supposed to do, but FOs lack the in-house expertise to monitor and act on what the systems are telling them.

An FO sometimes sits within the FE so it can leverage the resources of the larger organization. However, that model puts private family information in the same systems as FE business information, where it is subject to additional threats from inside and outside the FE.

Cybersecurity steps for FEs and FOs in the short and long term

The good news is that there are steps FEs and FOs can take to protect their firms and families in order to lower these risks. “Those organizations that really push for that proactive involvement of cybersecurity are going to see very significant business benefits in both the near term and the long term,” says Dave Burg, EY Americas Cybersecurity Leader. This will require both immediate steps and a long-term change of approach.

In the short term, to fend off the increase of cyber attacks due to the pandemic, FEs and FOs should:

  • Make and keep an inventory of all routers and devices, and sensitive data on them, including those used in family members’ homes
  • Maintain these devices with updated antivirus and firewall software; keep all software current and assess for vulnerability at least annually
  • Use email encryption tools for any confidential messages and ask clients to validate any new account openings, credit requests and similar activity
  • Monitor (or use an external firm to monitor) all networks 24 hours a day looking for signs of an intrusion and shut them down if there is an attack
  • Store backups offsite or in a secure cloud repository
  • Conduct financial and criminal background checks on new staff and vendors and annually thereafter
  • Create a cybersecurity policy that includes connected devices, passwords, multifactor authentication, social media and payment authorization steps

In the longer term, FEs and FOs need to change the way they look at cybersecurity. Recognize that breaches and social media threats will happen, and the job of the FE and FO is to respond effectively and minimize the damage.

Work closely with principals, their families and employees to:

  1. Identify the scenarios that would impact them most, their risk tolerances and their pain points
  2. Analyze the most likely scenarios and rate the risk level for each
  3. Customize a good controls framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, to the organization in order to measure and mitigate risk to an acceptable level
  4. Explore, create and — most importantly — test business continuity and incident response plans regularly
  5. Continually educate all principals, family members and their households on the importance of adhering to these controls and the risks they face if they don’t

Protecting the legacy

Family firms need to protect their names, their brands and the organizations they have built over generations. Failure to do so can be catastrophic, but with the right approach, security technologies and control structures can help them protect their legacies for years to come.

Summary

Cyber attacks and cyber fraud are rising rapidly during the COVID-19 pandemic. These can be devastating to a family enterprise’s reputation and legacy. Some family firms are taking steps to increase cybersecurity capabilities, but others are lagging behind. Family enterprises can protect their legacy if they act quickly and decisively.
