The term “cybersecurity” is often ambiguous and difficult to define, no different from the definition of a single or multi-family office. But much like an Investment Policy Statement, identifying and defining risk down to the individual level is paramount in achieving both near-term and strategic objectives. In this blog post, we seek to shed light on the digital gaps that data broker websites create on the open web in the 21st century, while also providing recommendations at both the individual and family office infrastructure level.
There is a saying in the data economy world: “if the product is free, you are the product being sold.” Most Americans are aware that when they give out their information, it is likely being re-circulated outside of the business entities they originally provided it to. For example, within 5-10 clicks on a smartphone, one can order food or groceries and have it delivered directly to their current location.
But what if the entities purchasing your email address, phone number, and location from that eCommerce site also purchased information about your mortgage, neighbors, relatives, web domains, LLCs, and the first five digits of your SSN? The combination of that information is equivalent to a digital profile, which is sold for as little as $35/month. Welcome to the world of data brokerages. With over 400 companies in the data brokerage industry, combined with the comprehensiveness of those digital profiles, bad actors and social engineers need not rely solely on the dark web to find answers to security questions. As daunting as the problem set may be, we would argue that the solution does not lie simply in abandoning our current pattern of life by deleting social media or removing all ‘smart’ features of our smart devices.
Digital protection providers can serve as a Virtual Chief Information Security Officer by removing the digital profiles of the family and staff while also conducting scans to ensure that those profiles are deleted upon repopulation. While those services are specific to the open web, it’s important to consider current and past activity on the deep and dark web. Items like email addresses and passwords, credit card information, and account logins are a select sample of valuable data points which need to be monitored and remediated in real time. Digital Executive Protection firms can provide daily monitoring to reduce lag time between an active situation and remediation, thus creating a more efficient and robust internal infrastructure with measurable statistics like time saved, repopulation attempts prevented, and information removed.
As risk managers, fiduciaries, and stewards of your profession, you have the respect and confidence of those around you (family and work colleagues alike). Education is oftentimes the most pragmatic first step in comprehending complex problem sets. Whether it is a quarterly staff meeting or annual family event, we recommend bringing in a third party who has a deep understanding of the open, deep, and dark web landscapes, as well as U.S. data privacy law.
That understanding and experience come from offensive and defensive targeting backgrounds such as the NSA, the Intelligence Community, Special Operations, and ethical hacking. Unlike Europe with its GDPR regulations, the United States has a fragmented legal framework. Laws such as HIPAA, FCRA, FERPA, GLBA, ECPA, and COPPA are designed to target specific types of data in special circumstances. For example, the Children’s Online Privacy Protection Rule (“COPPA”) imposes certain limits on a company’s data collection for children under the age of thirteen.
Though age and technical gaps between generations can cause families and organizations to modify their existing procedures (everything from communication to financial transactions), those gaps can also provide an opportunity for education. The ability to speak across generations, as well as to consult on, confirm, or modify the digital compliance procedures of a family or office’s IT infrastructure (should one already be in place), is a critical component of a digital privacy partnership. Important items to consider range from cell phone security settings (Significant Location, Location Services, and Siri function) to router configuration and even nuances of the Address Confidentiality Program and Specific Powers of Attorney when purchasing real estate.