Johannes Stillig, Head of Cyber at the reputation and privacy crisis consultancy, Schillings, sets out the steps that family businesses and their executives need to take to mitigate the risk of a cyber-attack and the loss of private and confidential information.
In your experience, how are family businesses performing when it comes to cyber security?
Johannes Stillig: Progress is certainly being made. Prominent cyber-attacks in recent years have brought cyber security to the fore, and in instances where we’ve assisted clients with their cyber security arrangements, we’ve seen a significant increase in their understanding of the threats they face. That said, there is a risk that complacency is creeping in due to the sheer magnitude of cyber-attacks being reported in the media. People are simply becoming desensitised to the issue.
Furthermore, just installing a high-end security solution doesn’t mean that you can sit back and relax; because building higher technical defences will only result in cyber-criminals building taller ladders.
What are the weak spots that make a family business prone to a cyber-attack?
A family business is no more or less a target than any other business. The same can be said of a family office. All organisations hold private or confidential information, from business plans and investment strategies to personal information. This information is what is often stolen or held to ransom by a cyber-criminal. The basic principle of any successful cyber security strategy is to identify the threat you’re faced with and then develop a plan to counter it that focuses on the weakest link in any cyber security chain: people.
This is where the Human Firewall comes in. No amount of technology can put a stop to the evolving tactics being deployed by today’s cyber-criminal. A coherent and continuous cyber security strategy requires all employees and family members to play their part in the defence strategy of a business.
Unless everyone in the organisation understands the risk and what they need to do to mitigate the risk, such as not opening emails that may contain malware or falling victim to giving up their password, then they could unknowingly expose the business to a cyber-attack. Everyone in the organisation needs to be trained and educated.
Why do personal devices pose such a significant threat?
Because almost everyone owns at least one personal device. Also, the definition of a ‘personal device’ is no longer limited to a smart phone or tablet. Smart TVs, smart meters, smart fridges, CCTV—anything that has its own Wi-Fi and can connect to the internet can be deemed a ‘personal device’. And yet, there is little understanding or appreciation for the fact that a cyber-criminal is just as likely to target a smart fridge to gain access to your Wi-Fi system as they will your laptop. As an example, I heard last week that it was possible to access the entire network on a yacht just by hacking into the fax machine, a device many people wouldn’t necessarily consider to be a threat.
With so many more devices it isn’t only your laptop and smart phone that you need to think about when it comes to keeping your private and confidential information secure.
If a family business finds itself in the midst of a cyber-attack, what should it do?
Don’t panic. Alert superiors or relevant colleagues immediately.
Focus all efforts on shutting the attack down. Stop access to any further information and then begin to work out what has been affected and preserve any evidence. Being prepared so that you can act swiftly can make all the difference. You need to know who’s in charge and who can make decisions, because you don’t have time to wait around and discuss what to do. You need to have a plan in place that is rehearsed so that everyone knows their role.
Understandably, a cyber-attack feels personal; and in most instances it is. As a result, the initial urge of those affected is to focus on trying to uncover who’s behind it. Don’t. Only once the attack has been halted and the theft of private and confidential information contained can you turn your attention to trying to uncover those behind the attack.
Is it possible to uncover who is behind a cyber-attack?
It’s our speed of response at Schillings that enables us to get from problem to solution in the shortest possible time. How you respond in the first 24 hours to a cyber-attack can make all the difference to the scale of the theft.
As a result of being able to combine our forensic investigations and intelligence teams at Schillings, we have had success in uncovering the perpetrators behind a cyber-attack. Our legal specialists are also able to deploy measures aimed at containing the proliferation of the stolen data by utilising privacy, confidentiality and copyright laws, and in other instances, by working with local law enforcement. Furthermore, we also have expert negotiators who are experienced with cyber extortion and when demands are made, are able to advise on effective negotiating tactics in order to securely recover the data.
Schillings Top Tips—Protecting your private and confidential information
• Screen protectors: A simple solution to stop people snooping over your shoulder in public spaces.
• Camera stickers: Most laptops have in-built and front-facing cameras. A cyber-criminal will look to exploit this as a means to snoop on your private affairs. Don’t let them, courtesy of a small and removable sticker.
• Stronger passwords: A password doesn’t need to be hard to remember, but try to use a combination of at least three dictionary words, separated by special characters and/or numbers. Refrain from using the same password across accounts.
• Updates: Outdated software is often one of the principal causes of data breaches. Ensure you always install updates so that the software you use is up to date. This is crucial to preventing a cyber-criminal from accessing your private data.
• Be email vigilant: Before opening an email, double-check who it is from, whether you are expecting it and whether the context makes sense. Be particularly wary of clicking on links or opening attachments, especially if the email is asking for private information such as a password.
• Virtual Private Network (VPN): Public Wi-Fi networks in coffee shops and hotels present a serious security risk, as you can never be sure who might be listening in and monitoring your emails and web browsing. A VPN allows you to set up an encrypted tunnel between yourself and another server, mitigating the risk by preventing anyone from eavesdropping on your communications.
• Two-Factor Authentication: All that stands between a cyber-criminal and your data is a combination of a username and password. Two-Factor Authentication adds an extra layer of defence by requiring a separate method of confirming a user’s identity. It can make all the difference in protecting yourself from a phishing attack, one of the most common ways to extract passwords from people.