How hackers are getting into family businesses

Organised cybercrime gangs have Australian family businesses firmly in their sights. Putting proper security measures in place is a must.

Australian Federal Police foiled an elaborate plan by an organised Russian crime gang earlier this year that, if successful, would have resulted in close to $600 million being stolen from the bank accounts of scores of businesses.

The cyber hackers had infected the computer networks of these businesses with malicious software that could monitor their banking activities, and came very close to bagging a fortune in cash. But luckily for the many family businesses involved, the AFP was able to head off the would-be bandits at the pass. The hard-earned funds of these unnamed businesses that had been electronically infiltrated were safe, at least for now.

Financial, identity and data thefts, and extortion attempts where cyber thieves demand high ransom payments for the return of sensitive stolen data or to unlock hijacked computer systems, are becoming increasingly commonplace.

Investment bank JPMorgan Chase early last month disclosed that cyber thieves had pilfered the bank account data it holds on 76 million households and seven million small businesses over the US summer, one of the biggest breaches ever. Other bank systems were also attacked at the same time.

In a recent major report on cybercrime, professional services firm PwC said the number of cyber incidents detected had increased at a compound annual rate of 66 per cent since 2009, and totalled 42.8 million in 2013, the equivalent of 117,339 attacks per day.

Worryingly, while Australian businesses do allocate security spending to their most profitable lines of business, 21 per cent of respondents to the PwC survey said they still do not allocate appropriately. Only 53 per cent of Australian respondents said they perform risk assessments on third party vendors, and 56 per cent said they have conducted an inventory of all third parties that handle personal data of employees and customers.

PwC Australia’s national cyber leader, Steve Ingram, says family businesses are just as exposed as larger companies to cybercrime, and often it’s the smaller to medium-sized businesses that are the primary targets so they can be used to infiltrate the systems of the larger companies they transact with.

That’s what happened with the US department store chain Target this year when hackers were able to break into the company’s computer network using third party “trojans”, and then steal the credit card details of millions of customers. And it didn’t stop there, because once inside Target’s system they were able to break into the systems of other large companies connected to the retailer.

Mr Ingram says that cybercrime is usually more of a people issue than a technology issue, because it’s often the behaviours of individuals, such as failing to take adequate precautions with company data, which can let attackers through the front or the back door.

The cost of cybercrime globally, this year alone, is well into the billions, and Mr Ingram says that, in some cases, the lack of investment in managing cyber threats and involvement at the board level is a concern.

“Despite greater awareness of cyber security incidents, we’re still observing a bit of an ‘it won’t happen to me’ mentality -- for instance, global information security budgets actually decreased 4 per cent [this year] compared with 2013,” Mr Ingram says. “We know that it can cost much more to remediate cyber incidents than prevent them, so it seems counterintuitive that organisations would choose to invest less overall.

“Mid-tier companies are now the ‘weak-link’ and are coming in for increased attention from cyber criminals because larger organisations have implemented more effective security measures,” Mr Ingram says. “Cyber criminals are finding small and mid-tier organisations softer targets either because they have less sophisticated controls in place, or because they make less effort than larger companies to monitor the security of their partners, suppliers and supply chains.”

A recent joint report published by software company Archway Technology Partners and family office intranet provider Trusted Family, Internet security for family offices: 10 steps to protect online information, found that most family offices have inadequate IT security systems to prevent cyber attacks.

Edouard Thijssen, co-founder of Belgium-based Trusted Family, says most family offices are unaware of online dangers and a high percentage still send confidential information via email instead of using more secure communications tools. By the time most businesses find out they’ve been attacked, and that their data has been stolen, it’s usually too late.

“Family offices are, like any other type of organisation, subject to mass attacks that run automatically on the internet. They are not targeted because they are a family office, but because they are connected to the internet.

"Today’s biggest threats occur unknowingly as we can easily pick up stealthy viruses and malware while using the internet; they function like sleeper agents, scanning networks for prey once they are activated.”

10 steps to minimising the threat of cyber attacks

1. Hire a trustworthy IT administrator

A family office’s best defence is to hire well, establish processes for IT staff to follow and conduct regular technology and process audits.

2. Map out data traffic and identify elements to secure

IT administrators need to understand where data is stored, where data moves to and from, and when data moves across the network. This information helps define the number of elements to secure and the strategy to implement.

3. Set up a secure wireless network and limit access

Block peer-to-peer networking and create two degrees of network protection.

4. Encrypt devices

Small devices can contribute significantly to security breaches. IT administrators can employ two security strategies: disk and/or file encryption.

5. Secure data in transit with Virtual Private Networks (VPN) and Secure Sockets Layer (SSL)

VPNs help secure data in transit, essentially extending a private network into the public Internet space. SSL is a protocol for web browsing that secures online communication between two machines or from Web browser to server.

6. Make it easy for employees to participate

To make security efforts pay off, employees need to adopt protective behaviours. Offer company mobile devices to reduce risk, and store all data on the company network rather than external devices.

7. Establish best practices

Develop company protocols to minimise data breaches, including website and social media access and usage guidelines, password protection standards, and for the turning off devices when they are not in use.

8. Plan for accidents or breaches

Develop an issues and crisis management plan that covers potential data breaches and leaks, and create a disaster recovery program that enables the business’s computer systems to keep running seamlessly in the event of a breach.

9. Create a clear process for granting and removing access to company information

Reduce third party access to family information, and establish a process and designate a gatekeeper so that someone on the team is accountable for granting and removing access.

10. Develop an employee handbook

Provide policies for employees to follow, which describe how devices and employees should interact with proprietary and confidential information. Undertake a regular audit of processes and devices and conduct bi-annual briefings to make sure policies are enforced and embraced.

Mr Ingram says it’s almost impossible for family businesses to protect everything, but it’s important to identify “the crown jewels” and put efforts in place to protect those.

“Make sure you have highly effective disaster recovery systems in place. You need to be aware. You can be compromised in the digital world for some time before you even know you have been.”