Be Intentional to Reduce Cyber Risk
Even though October is Cybersecurity Awareness Month, cyber risks have no calendar. Every day of every month calls for greater awareness – and action – to mitigate cyber threats. Cybersecurity Awareness Month, an initiative led jointly by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), has been held for the past 18 years. In that time, cyberattacks have more than just increased in frequency and severity — in numerous studies, cyber risk has become one of the biggest concerns for businesses and individuals.
CISA and NCSA have chosen a theme for 2021 Cybersecurity Awareness Month: Do Your Part. #BeCyberSmart. The goal of this campaign is to promote personal accountability and positive behavior changes when it comes to cybersecurity. That is indeed a goal worth pursuing, because cyber risk at its core originates with human behavior – malfeasance on the part of cybercriminals, and often unwitting cooperation by victims. While cybercrimes and our exposure to attacks have increased, there's good news. Human behavior can also be part of the solution.
Staying Cyber Smart
How can affluent families and family offices do their part and be cyber smart? A good first step is to pivot from a passive role to an active one in understanding how behaviors influence risk. That means individuals, families, and family office teams should become intentional about cybersecurity. It doesn't require perfection, but it does call for making steady progress. Don't wait for a cyber event to occur before focusing on the risk and taking action to improve cybersecurity. Develop a mitigation plan and line up resources before a breach or attack happens. Preparedness will make recovery after a cyber incident much smoother.
For all of us, our digital footprints are complex, and our digital lives are more interwoven than ever before. As affluent families grow, each member's online behaviors can increase the family's exposure to cybercrime. Single and multifamily offices both have greater challenges today in protecting sensitive data while ensuring secure, remote access to the information they require to serve families' needs.
Common Paths for Cyberattacks
Three categories account for the most pervasive methods of perpetrating cyberattacks:
- Phishing. One of the most common methods of initiating an attack is through phishing, using a link that deploys malware or captures data that cybercriminals can use to commit future attacks or steal identities. Other emerging risks are variants of phishing, including vishing — using voicemail to obtain sensitive information — and smishing — using SMS text messages to achieve the same ends.
- Ransomware. Ransomware attacks deploy malware to encrypt and hold data hostage, and sometimes threaten to make sensitive data public if the ransom is not paid. The number of these attacks over the past few years has exploded, with ransom demands rising astronomically. According to FBI data, from 2019 to 2020, the number of reported attacks increased approximately 20% while related losses increased more than 200%, totaling $29 million.
Attackers have begun to vary their approach, as there are differing opinions on whether victims should pay ransoms to retrieve their data. To discourage attacks, the Federal Bureau of Investigation, for example, advises victims not to pay ransoms. But attackers frequently target victims for whom a temporary loss of access to data would be costly, or for whom its release could cause public humiliation and reputational harm. In those scenarios, victims may be eager to pay the ransom to end the attack.
- Internet of Things (IoT). The number of networked devices that exchange data in the IoT is growing by the day. By 2025, more than 30 billion IoT connections are forecast, equating to four IoT devices for every human on the planet, according to IoT Analytics. These devices, which include smartphones, laptops, and "smart" appliances, make our lives more convenient and comfortable on one hand, but on the other, they also increase our exposure to cyber threats.
With threats on the rise, it's no wonder that in our Family Office Benchmarking Study 2021, 87% of clients cited cyber risks as an area of concern, and 84% were worried about financial fraud and identity theft. Respondents also noted cyber is the area in which they feel least prepared.
How To Be Intentional
The good news is all of us can take action to reduce cyber risks by becoming more intentional.
Combat phishing. A good approach when confronting an offer to click an email or text link is: stop, think and then act. Don't just reflexively click a link, particularly if it comes from someone you don't know, or it seems out of character coming from someone you do know. The FTC publishes tips on what to do about phishing and spam texts.
Consider cookies. Another opportunity to be more intentional about cybersecurity arises when a website asks you to accept cookies. Data privacy laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) require most website owners to let users opt out of certain data-gathering activities. Cookies are files placed on a user's device that may enable essential functions of the website or track users' behaviors. The risk of first-party cookies, such as those that enable full functionality of the site features, is likely minimal. Still, third-party cookies used for tracking and marketing purposes could be riskier because those files are not under the direct control of the site owner. Website visitors need not enable non-essential cookies, but they have to make that selection. Otherwise, clicking "accept all cookies" means essential and non-essential cookies will be enabled.
Upgrade network routers. Older-generation WiFi and Ethernet routers may have weaker security features than new ones, so updating routers can provide an easy enhancement to cybersecurity.
Rename networks and disable network name broadcasting. Many families and businesses use their names to identify their WiFi networks, which can invite attention from cybercriminals. It's a good idea to rename your network and turn off name broadcasting, so it doesn't appear in a list of networks whenever someone nearby is seeking to connect to WiFi.
Strengthen passwords. Short and easy-to-guess passwords, or the same password for a multitude of accounts, offer poor security. To reduce risks of unauthorized access, strengthen passwords so they are difficult to guess, and vary passwords for each account. Using a password manager can also help you generate strong, varied passwords and store them in one place.
Enable multi-factor authentication. Extra steps in logging in to accounts can seem inconvenient, but multi-factor authentication, such as an access code sent via text or email, can greatly reduce data risks.
Install anti-malware programs. A variety of technology options exist for detecting and removing malware. Similarly, regularly updating software versions can improve cybersecurity.
Use virtual private networks. VPNs encrypt data and hide location information, making a connection through one far more secure than connecting directly over a public or unsecured network, such as WiFi at a coffee shop.
Cybersecurity experts note that avoiding every kind of cyber incident is not possible. But strong cyber risk management and risk mitigation steps are within reach of everyone. Marsh McLennan Agency Private Client Services can provide cyber insurance solutions along with access to select experts who can offer support and cyber risk mitigation and recovery services. For more information, please consult your personal risk advisor.