A heated frenzy erupted in the snow-capped mountains of Pyeongchang on 9 February when organisers realised that a piece of malware known as ‘Olympic Destroyer’ was attempting to sabotage the Winter Olympics opening ceremony.
Just one week later, FireEye researchers found evidence of hackers targeting firms from the US to India and Australia, exploiting a vulnerability in the Oracle software that allows them to remotely mine cryptocurrencies.
Cryptojacking is just one of the many cryptocurrency-related crimes out there and family offices in Asia are particularly vulnerable because of the low priority given to cybersecurity.
Family offices in Asia manage millions, sometimes billions, in assets and there has been a growing trend towards investing in cryptocurrencies.
This leaves the principal, held in online wallets, exposed to the many scams and vulnerabilities of initial coin offerings and cryptocurrency exchanges.
These cryptocurrency exchanges often net huge amounts of personal data when you begin to trade with them, explained Bryce Boland, FireEye’s chief technology officer for Asia-Pacific. It could even be enough information to open a bank account.
‘The exchanges are being hacked into to steal the currency of the people doing business with them and to steal the identity of the people who have set up accounts with them. All that information can then be used to create accounts with legitimate financial services that you can then try to use for money laundering,’ Boland warned.
‘What I tend to tell people is to use well-known and well-regarded exchanges and don’t use the computers that you use for dealing with cryptocurrencies to do anything else,’ he added.
Tick the cybersecurity box
Asia’s family offices are only just starting to professionalise, gradually moving away from their informal governance structures and the heavy reliance on small teams with outsized access to information. As such, cybersecurity is rarely high on their to-do list.
Despite having assets commensurate with small or medium-sized enterprises, most of these firms use fairly basic cybersecurity tools such as firewalls and anti-virus software.
Research by Campden Wealth has found that only 26% of Asia-Pacific families have a cybersecurity plan in place, compared with 66% in Europe, the best-prepared region. Family offices in Asia-Pacific were also the least likely to provide their staff with cybersecurity and data protection-related training.
In fact, Asia-Pacific family offices were the least likely to know whether or not an attack had even occurred, according to Rebecca Gooch, director of research at Campden Wealth.
Gooch noted that phishing is a very common form of cyberattack faced by these institutions, involving email scams that pose as legitimate, reputable companies to get the victims to reveal private information, such as credit card numbers or passwords.
A white paper by Citi Private Bank found that Asian family offices also face ransomware attacks, attempts to compromise business emails and hacks on social media sites. These initial onslaughts can also lead to full-scale distributed denial of service attacks (DDoS), attacks made through the SWIFT interbank messaging service and further phishing attempts.
Ransomware attacks are very common and most ransoms are now paid in cryptocurrencies, making it impossible for law enforcement to investigate, according to Edward Marshall, Citi Private Bank’s director for the global family office group.
Attackers previously asked for 1 bitcoin, equating to $500, Boland said, but ransomware operators are now asking for sums more in line with the family office’s total wealth.
What’s at stake when you are held ransom? Personal emails, compromising photos from exploited webcams, stolen credentials, payroll account details and highly confidential financial data about your clients are all vulnerable.
‘All that information is stored in your email service. A lot has moved to the cloud and all you need to do is steal credentials,’ Boland said, adding that such attacks have increased significantly over the past two years. In fact, he has seen ransom payment demands hit seven figures.
Boland recommended using two-factor authentication to verify suspected phishing attempts. ‘There’s an emerging market now called managed defence, which is essentially about actively monitoring organisations, actively responding to breaches and actively taking steps to reduce the likelihood of significant impact,’ he said.
Advanced cybersecurity measures could cost family offices anything between $50 and $100 per seat per month, he added.
Citi Private Bank recommended backing up data off-site, automating software updates on devices, using virtual private network services and using only encrypted emails for sending personal information such as credit card numbers, addresses, dates of birth and social security numbers.
‘What we’ll see is more organisations being compromised and more losses, and I think that’s probably going to result in organisations being more aware of the threat and then starting to make investments,’ Boland said.
This article was first published in the March issue of the Citywire Private Wealth magazine.