Family business tips for improved cyber-security

This article was initially published in "The future for family offices."

Paul Reilly

Manager, Cyber Security practice

KPMG in the UK

Protection from cyber-attacks is crucial and yet, insists Paul Reilly, not always as complex or expensive as you might think.

Barely a day goes by without a cyber-attack or other incident hitting the mainstream press. Recently we have seen a number of high-profile cases involving large companies such as TalkTalk and Sony Pictures. What is not reported with the same gusto is the impact of cyber-attacks, breaches or incidents on individuals or family offices, but that does not mean they are not happening.

Most attacks stem from organised criminals simply looking to make money, whether by siphoning funds through payment systems or by targeting decision-makers with ever more sophisticated spear-phishing emails. Many assume that they will know if they have been hacked; not so. A successful intrusion may sit undetected, with unrestricted access to systems and data, for months and in some cases years.

When considering cyber-security in the family office context, the focus is often on expensive and sophisticated technology, yet the greater vulnerability usually lies in people and process. What are family members and staff releasing online, particularly on social media, and could the aggregation of that data build a fuller picture that is then used to target family members or their interests?

This came to light recently when a well-known businessman spent millions of dollars on physical security, only for his daughter to post photos on social media that still carried the metadata cameras and phones embed in each image file, including the time and location of every shot, handing a possible target pack to anyone with ill intent.
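The metadata in that story is the Exif block that a camera or phone writes into every JPEG: the capture time and, when location services are on, a GPS fix. The Python below is an added example, not code from the article or from KPMG. It builds a small JPEG carrying a constructed Exif block (the timestamp and coordinates are fictitious), reads the time and position back the way a hostile viewer would, and rebuilds the file with the Exif segment removed, which is the check and the fix to apply before anything is posted.

```python
import struct

def _segment(marker, payload):
    """One JPEG marker segment: 0xFF, marker byte, 2-byte length (counting itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def _ifd(entries):
    """Big-endian TIFF IFD: entry count, 12-byte entries (tag, type, count, value/offset), 0."""
    out = struct.pack(">H", len(entries))
    for tag, typ, count, value4 in entries:
        out += struct.pack(">HHI", tag, typ, count) + value4
    return out + struct.pack(">I", 0)

def build_sample_jpeg():
    """Constructed sample, not a real photo; timestamp and coordinates are fictitious."""
    date = b"2015:06:14 15:42:07\x00"                       # DateTime (0x0132), ASCII, 20 bytes
    lat = struct.pack(">IIIIII", 51, 1, 30, 1, 2600, 100)   # 51 deg 30' 26.00" as three RATIONALs
    lon = struct.pack(">IIIIII", 0, 1, 7, 1, 3900, 100)     # 0 deg 7' 39.00"
    ifd0_off = 8                                            # directly after the 8-byte TIFF header
    date_off = ifd0_off + 2 + 2 * 12 + 4                    # IFD0 holds two entries
    gps_off = date_off + len(date)
    lat_off = gps_off + 2 + 4 * 12 + 4                      # GPS IFD holds four entries
    lon_off = lat_off + len(lat)
    ifd0 = _ifd([(0x0132, 2, len(date), struct.pack(">I", date_off)),
                 (0x8825, 4, 1, struct.pack(">I", gps_off))])      # pointer to the GPS IFD
    gps = _ifd([(0x0001, 2, 2, b"N\x00\x00\x00"),                 # GPSLatitudeRef, inline value
                (0x0002, 5, 3, struct.pack(">I", lat_off)),       # GPSLatitude
                (0x0003, 2, 2, b"W\x00\x00\x00"),                 # GPSLongitudeRef
                (0x0004, 5, 3, struct.pack(">I", lon_off))])      # GPSLongitude
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd0_off) + ifd0 + date + gps + lat + lon
    return (b"\xff\xd8" + _segment(0xE1, b"Exif\x00\x00" + tiff)        # SOI, APP1 Exif
            + _segment(0xFE, b"constructed sample, not a real photo")  # COM
            + b"\xff\xda\x00\x02\x12\x34\x56" + b"\xff\xd9")           # stub SOS + scan, EOI

def iter_segments(jpeg):
    """Yield (marker, payload) per segment; SOS/EOI yield the rest, scan data has no length."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):                          # SOS or EOI: no more segment headers
            yield marker, jpeg[pos + 2:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def strip_exif(jpeg):
    """Rebuild the file without APP1 Exif segments; every other byte is copied unchanged."""
    out = bytearray(b"\xff\xd8")
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            continue                                        # drop the metadata block
        out += (bytes([0xFF, marker]) + payload) if marker in (0xDA, 0xD9) else _segment(marker, payload)
    return bytes(out)

def parse_exif(payload):
    """Read DateTime and the GPS fix from an APP1 Exif payload (a TIFF structure)."""
    tiff = payload[6:]                                      # skip the "Exif\0\0" prefix
    bo = {b"MM": ">", b"II": "<"}[tiff[:2]]                 # byte order declared by the header
    def read_ifd(off):
        (n,) = struct.unpack(bo + "H", tiff[off:off + 2])
        ifd = {}
        for e in range(off + 2, off + 2 + 12 * n, 12):
            tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
            ifd[tag] = (typ, count, tiff[e + 8:e + 12])
        return ifd
    def value(typ, count, raw):
        size = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}[typ] * count
        off = struct.unpack(bo + "I", raw)[0]
        data = raw[:size] if size <= 4 else tiff[off:off + size]   # short values are inline
        if typ == 2:
            return data.rstrip(b"\x00").decode("ascii")
        if typ == 5:                                        # RATIONAL: numerator/denominator pairs
            n = struct.unpack(bo + "I" * (2 * count), data)
            return [n[i] / n[i + 1] for i in range(0, 2 * count, 2)]
        return struct.unpack(bo + {1: "B", 3: "H", 4: "I"}[typ] * count, data)
    ifd0 = read_ifd(struct.unpack(bo + "I", tiff[4:8])[0])
    found = {}
    if 0x0132 in ifd0:
        found["datetime"] = value(*ifd0[0x0132])
    if 0x8825 in ifd0:                                      # pointer to the GPS IFD
        gps = read_ifd(value(*ifd0[0x8825])[0])
        for key, tag, ref in (("lat", 0x0002, 0x0001), ("lon", 0x0004, 0x0003)):
            if tag in gps and ref in gps:
                d, m, s = value(*gps[tag])
                deg = d + m / 60 + s / 3600
                found[key] = -deg if value(*gps[ref]) in ("S", "W") else deg
    return found

def extract_location(jpeg):
    """Return {'datetime', 'lat', 'lon'} from the first Exif block, or None if there is none."""
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return parse_exif(payload)
    return None
```

Real photos carry far more than this (camera serial numbers, embedded thumbnails that survive cropping), and phones write the same data into HEIC and video files, so for anything beyond a demonstration use a maintained tool such as exiftool. Large social networks generally strip Exif on upload, but the copies on the phone, in backups and in messaging apps keep it.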

Cyber-security can be seen as too expensive and complicated, but this need not be the case: improving your security does not have to centre on advanced, hi-tech solutions. It covers how you communicate with your advisers, employees and family members, how you make payments and how you confirm your travel plans.

  • Identify what is most valuable to you and the power that any personal or sensitive information could have if it fell into the wrong hands.
  • Assess your degree of exposure. Do not forget to include social media and the ‘internet of things’. Once you have highlighted your risks, the next stage is to look at ways to mitigate them.
  • Ensure the fundamental security controls, such as firewalls, anti-virus software, secure configurations and security logging and monitoring, are all in place and kept up to date.
  • Consider the email system you are using. Many family office employees simply use their personal email accounts for correspondence. Not only does this make security harder to manage but, as families have found to their cost, when such an employee leaves they keep every item of personal data, often including bank details and passport copies, that has been emailed to them over the years.
  • Make sure two-factor authentication is switched on wherever it is available. Combining a password with a verification code, this simple step could have helped prevent the leak of celebrities’ private photos onto the internet in 2014.
  • Review your processes and who actually needs access to which information. If your bank always telephones to voice-authorise payments, consider replicating that control within the family office.
  • Do not forget that people are key to the effectiveness of cyber-security. Agree social media ground rules with staff and family members. It is impossible to be completely secure, but that is no reason not to try, and the effort can be a good way to involve the next generation and make the most of their skills and knowledge.
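The verification code in the two-factor authentication point above is usually a time-based one-time password (TOTP, RFC 6238): the authenticator app and the service each hold the same secret and derive a short code from it and the current 30-second time step. The Python below is an added example, not code from the article or from KPMG, showing how such codes are generated and how a service should check them, including the clock-skew window a server has to allow and the constant-time comparison. The only secret used is the public test secret from RFC 4226 and RFC 6238, not one from any real account.

```python
import base64
import hashlib
import hmac
import struct

def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros

def totp(secret, at, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, at // step, digits, digestmod)

def verify_totp(secret, code, at, step=30, window=1, digits=6):
    """Server-side check. Accepts the current step and `window` steps either side, so a
    phone whose clock drifts slightly still works. Compares in constant time and does not
    stop at the first match, so timing does not reveal which step matched."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    counter = at // step
    matched = False
    for delta in range(-window, window + 1):
        matched |= hmac.compare_digest(hotp(secret, counter + delta, digits), code)
    return matched

def secret_from_base32(b32):
    """Authenticator apps exchange the shared secret as Base32, often lower case, grouped
    with spaces and without '=' padding; normalise before decoding."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

if __name__ == "__main__":
    # The RFC test secret is ASCII "12345678901234567890"; this is its Base32 form.
    secret = secret_from_base32("gezd gnbv gy3t qojq gezd gnbv gy3t qojq")
    print(hotp(secret, 0), totp(secret, 59, digits=8))       # RFC vectors: 755224 94287082
```

A code is valid for one time step (plus the skew window), which is why a phished code is only useful to an attacker who relays it immediately; it is also why the service must rate-limit attempts, since six digits give only a million possibilities per step.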

By taking a positive and proactive approach to managing cyber-risk, you can get ahead of the risks and put yourself on a stronger footing to proceed with confidence.

© 2022 Copyright owned by one or more of the KPMG International entities. KPMG International entities provide no services to clients. All rights reserved.
