
Post on 16-Jul-2015


Page 1: How Cyber-Secure is your Family Enterprise? A special report for clients of PANGEA Private Family Offices

Summer 2014

Special Report

Helping global families flourish for generations.

A Special Report for Clients of PANGEA Private Family Offices with Anwar Visram, CEO of Visram Security.

How cyber-secure is your family enterprise?

For private client use only


information being leaked from an unknown source. After many weeks of investigation, it was determined that the source of the leak was none other than Steve’s own laptop.”


Who are the Targets?

Private wealth management, Family Offices, accounting and many other firms that have access to private and confidential information of the high net worth clients are increasingly being targeted. These businesses may be small in terms of the number of employees they have, but their clients have billions of dollars in assets, making them a large target.

Small businesses and high net worth families are particularly prone to these types of attacks. In case you are wondering, I group high net worth families with small businesses because many of these families operate like a small business as they have many people directly involved in their lives, from lawyers and image consultants to assistants and cleaning staff. Your family may not be a business per se, but you are still vulnerable.

Why are small businesses and high net worth families particularly prone to cyber-attacks? Because very few businesses and families have worked with a Reputation and Security Strategist who would assist them in understanding all the risks they may be exposed to. Not knowing the risks, most small businesses and families use only very basic cyber-security protection, e.g., anti-virus or firewalls. They rarely have awareness training on the do’s and don’ts of cyber-safety. They employ weak password protection mechanisms and expose sensitive data without even knowing it. These are just a few examples of common cyber-protection behaviours that people think are sufficient to prevent cyber-attacks. In truth, small businesses are often unprepared for cyber-attacks because they don’t put the resources into protecting themselves.

Who are the Perpetrators?

As the types of cyber-threats evolve and become more sophisticated, so do the types of cyber-criminals or “actors”.

Among many actors in the cyber-crime space, the main four are:

1. Petty Criminal – Generally not well-funded or organized. They just want to get in and out so they can sell what they stole for money.

2. Hacktivist/Cyber-Terrorist – Not well-funded but well-organized. They set up political campaigns and target specific companies, organizations, or governments. A well-known example of such an actor is the hacker group Anonymous, who targeted financial companies because the group believed the companies were responsible for the 2008 financial crisis.

3. Organized Crime – Well-organized and well-funded. They use a variety of malware such as viruses, Trojans, ransomware and botnets. These programs can infiltrate your computer, corrupt it, and leave it vulnerable to future attacks. Financial gain is the purpose of such attacks.

4. State-Sponsored Attackers – Elite hackers and hacker groups hired by governments to steal state secrets and other sensitive information or inflict damage on internal systems. They may also perform corporate espionage, or steal confidential information and intellectual property to assist “friendly” companies. You may remember the highly publicized “Stuxnet” attack against Iran’s nuclear facility as an example.

ANWAR VISRAM: A leading Canadian Reputation & Security Strategist, Anwar is CEO of Visram Security.

He specializes in assisting high net worth families & private wealth management firms to protect themselves from the rapidly growing cyber threat.

Questions for Anwar can be e-mailed to: [email protected]

How cyber-secure is your family enterprise?

Even wealth services providers are concerned about cyber-attacks aimed at accessing private client information.

You may think to yourself that this was just an isolated incident and that this would never happen to you. Unfortunately, that is precisely what Steve believed before this happened to Steve and his law firm.

If this little anecdote didn’t raise an internal alarm in you, consider the following statistics.

Cyber-attacks in Numbers

Last year was an epic year for global data breaches as cyber-criminals were busy stealing private and confidential client information. It broke 2011’s record for the number of pieces of information exposed by 200%.

In Canada, it is estimated that there were seven million cyber-victims last year. If you exclude children under the age of fourteen, that means one in four Canadians was a victim of a cyber-crime! Bear in mind, these numbers only represent cyber-attacks that have been reported. There are many more thousands of cyber-attacks that go unreported each year, very much like the one that involved Steve’s firm.

Unlike in the years gone by when cyber-criminals looked to make headlines, modern cyber-criminals prefer to work in “stealth” mode. In fact, most cyber-breaches go unidentified for weeks, months, or even years. Undetected, cyber-thieves can cause great damage to their high net worth targets because they can exploit the same security weaknesses and continue stealing valuable information over and over again.


In 2013 alone, 822 million records were exposed in 2,154 separate incidents and the top three countries targeted by cyber-criminals were the US, United Kingdom, and Canada.1


When the Marvels of Technology Backfire

Not only do we now have a variety of cyber-perpetrators, but we also have a greater number of ways in which security can be breached and your information can be stolen.

Do you, or someone you know, use a security company to monitor the security of your home? You would probably never think that such a service may present a cyber-security risk for you, but you might change your mind after reading the following story.

I was speaking with an owner of a company that specializes in environmental controls, home entertainment, and physical security systems for the homes of high net worth clients. The system that he was installing into these homes controls all the features of the home: inside temperature, lighting, audio/video media units, cameras, and electronic doors. It is a luxury, to be sure, but one that could prove fatal.

The homeowners could access the system in three different ways: from a single control panel within the home, over the Internet using an Internet browser, or through a smartphone app. Although the ease of access and the variety of options to control the system delighted the customers of this home security company, they had no idea what a terrible cyber-risk they were exposed to!

Because the monitoring station is connected to all the clients of this company, a breach at the monitoring station would result in direct access to all of those clients. Criminals could monitor their intended victim via the cameras for weeks, or even months, undetected. At the opportune moment, they could disable the alarm and open the doors for a perfect break-in, all via the Internet.

I asked the owner of the company some basic questions, such as what was in place to protect the customers from a cyber-attack against the control system, or whether there was a way the system would be able to monitor and alert the company if the security system was breached. Unfortunately, he did not have a definite response to these questions and many more. In fact, I don’t believe he had even considered some of the risks we discussed.

The challenge of the modern day is that we have fantastic technology that allows us to do amazing things, but it also leaves us vulnerable, particularly in areas we least expect it. Many companies are embracing newer and newer technology to innovate their products, yet they aren’t aware of the potential negative consequences of doing so. In order to weigh the consequences of remaining in the dark, I ask you to consider the real cost of security breaches.

The Real Costs of Security Breaches

One common misconception is that the security breach in and of itself is the main problem. However, though the breach itself is terrible, the real devastation occurs during the fallout, the time after the breach has been discovered and when steps are being taken to recover. This recovery process is often a long road to walk and not all come out on top.

One of the primary impacts will be to the victim’s reputation. As Warren Buffett correctly suggests, “It takes 20 years to build a reputation and only five minutes to ruin it. If you think about that, you’ll do things differently.” In addition, cyber-crime goes beyond the irreparable damage to your family or business reputation. It often includes exposure of sensitive information, intellectual property loss, cyber-espionage, identity theft, as well as losses that impact third parties like friends, family, clients and customers. You aren’t only putting yourself at risk; you endanger those close to you, too.

Imagine for a moment your family was a victim of identity theft. It would take criminals minutes to obtain your credit card information and begin misusing your identity for their profit. Before you finish drinking a cup of your morning coffee, they could destroy your credit rating that took you decades to establish.

How do you think clients of Steve’s firm reacted when they were informed of the breach to his law firm? If you were a client, would you continue to work with his firm or would you be more likely to find someone else? How many people would you tell about your experience, further damaging the law firm’s reputation?

As a client, you would not want to receive the following letter, which was sent out by one Wealth Management company after a breach in their security: “We are writing to inform you about a recent incident that may have involved personal information about you. We recently discovered that, between February 21 and March 6, 2013, a server containing information about you was accessed by an unauthorized third party. We deeply regret that this incident occurred and take very seriously the security of personal information.”2

Not convinced of the potential damage to be done? Statistics show that “nearly 60 percent of small businesses will close within six months of a cyber-attack”.3 The reason for the shutdowns is more than the cleanup costs, which can range from hundreds of thousands to millions of dollars. It’s the fact that many current clients will walk away and potential clients will find someone else more “trustworthy” to deal with.

The Silver Lining

Now that you know just how vulnerable you might be to a security attack, you might be wondering how you can possibly prevent those attacks. If anti-virus and firewall software is not enough, what can protect you?


Although there is no foolproof process or technology that will prevent a determined cyber-criminal from breaking in, most cyber-breaches are actually preventable. They are the result of someone on the inside – yourself, a staff member, or someone working for a company you hired – clicking a link, opening an attachment, installing some software, or otherwise doing something that rolls out the red carpet to invite the cyber-criminal in, completely bypassing any security you may have in place to protect your information. However, with some awareness training, changes in behavior, and implementation of secure technology, you can reduce the risk of a cyber-attack and, therefore, protect your reputation, privacy, family, business, and finances.

The ABTs of Cyber Safety for High Net Worth Families

Imagine that you are driving on a particularly cold day, and all the roads are icy. Would it be safe to take corners at 100 km/hr? No, because you are aware that you will likely end up in the ditch or perhaps worse. Therefore, you adjust your behavior to drive much slower. Certainly, you can equip your car with better tires and brakes, but it is unlikely that the technology will prevent you from crashing your car if you also don’t adjust your behaviour to match the conditions.

The same goes for cyber-security. If you understand your environment, including what technology can and can’t do for you and how your behaviour impacts your environment, you will adjust your behaviour and your technology choices accordingly.

As such, it is my conviction that both the strongest and the weakest link in any type of security is us, humans. We can often make mistakes, but given enough information, we will make the “right” decision the majority of the time. For that reason, educating you as my client is a core component of how I take care of you. I do it through what I call the “ABTs of Cyber Safety”.

Awareness

The first step to cyber-safety is awareness training that covers all the relevant areas for your family. Here, it is important to review the possible consequences of typical risky behaviours, such as using easy-to-guess passwords, ignoring PC and smartphone software updates, or not encrypting sensitive information, in order to raise the likelihood of you adopting new, safer ones.

Once you understand why it is important to use different passwords for different accounts and devices, be it smartphones or other systems, you are more likely to do it. The same goes for understanding why it is important to be cautious when clicking on links, opening attachments, and installing apps on your smartphones or computers. Once you know that the link advertising a new weight-loss technique could be the potential downfall of all that you worked to achieve in your business and family, you will think twice before clicking.

Social media is becoming an important way in which many families communicate and express themselves. However, posting pictures of your children, sharing when you are away from home for holidays or business trips, or listing personal information like birthdates can all be used against you by cyber-criminals. Understanding these risks and being more cautious about what information you share about yourself and your family can reduce your exposure to a cyber-attack.

Behavior

Once everyone is on the same page as far as understanding the cyber-risks to your family, I help you begin to implement what was learnt in the awareness section.

The new behaviours may include:

• using unique passwords for websites and systems

• adding passwords where there were none, e.g., on smartphones

• deleting emails and links that come from unknown sources

• appropriately researching apps before installing them

• removing and not posting any personal or private information about you and your family on social media

In terms of the earlier driving metaphor, this is where we begin to slow down and drive much more safely. If you anticipate the curves in the road ahead, you will avoid being thrown off when one comes.

Technology

Buying and implementing technology has often been the gut reaction for most people to solve a problem. The challenge is that we become reliant on the technology to keep us safe. We then engage in risky online behavior and falsely believe our security software will keep us safe.

Unfortunately, this is far from the truth as the number of cyber breaches and their victims continues to grow at an astronomical level. Just like having better tires and brakes would not save you from a sure accident on an icy road if you are making a sharp turn travelling at 100 km/hr, having tech gadgets will not save you from a cyber-attack if you are engaging in risky online behaviour.

Instead, security technology should be just another layer in the “onion” of cyber-protection. However, before going out and purchasing the latest security software that is touted to be the ultimate protection against cyber-attacks, I recommend reviewing your existing systems. This goes for both security (e.g., anti-virus, firewalls, etc.) and non-security (e.g., desktops, smartphones, etc.) systems. When it comes to social media, adjusting your privacy settings to limit who can access the information that you do post and ensuring that you use some of the enhanced security features will help prevent hackers from easily taking over your social media accounts.

By taking these simple steps to improve the security of those simple systems, you can reduce the cyber-security risk in some cases by as much as 80% within days, if not hours.


6 Practical Steps to Protect your Business from Cyber-criminals

I strongly believe that implementing simple and easy cyber-security protection mechanisms is the best way in which small businesses can protect themselves. It ensures a greater level of success over solutions that are too complex or difficult to implement. For this reason, I advocate easy-to-learn and simple-to-implement solutions that allow my clients to gradually ease into taking cyber-security measures, one step at a time.

1. Strategy

Step one is always building a strategy. It involves having an understanding of what major cyber-risks face your business and planning simple and easy strategies to remediate those issues.

2. Awareness Training

This is the most critical step businesses can take in protecting themselves from the cyber-security threat. This training would include assisting you in learning techniques that will help you protect yourself from the common attacks that cyber-criminals are using via smartphones, email, internet, social media, etc.

This includes the creation of a simple cyber acceptable use and awareness policy that every member of the business reads, gets training on, and signs to ensure understanding and compliance.

3. Critical Asset Classification and Protection

This phase concentrates on developing an understanding of what your critical assets are (e.g., client databases, confidential documents, financial information, intellectual property, emails, passwords, etc.), where they are located, and what the consequences would be if they were to fall into the hands of criminals or otherwise unauthorized individuals. Because not all assets have equal value, we develop a strategy on how to protect the various types of assets. This may include stronger passwords, encryption, relocating the assets to a more secure location, etc., depending on the asset.

However, non-technical controls are often overlooked and need to be reviewed as well. It is important to know who has physical and virtual (network) access to critical assets. For example, your IT team may need to have access to your confidential documents to back up your critical data, but the members of the IT team should not be able to read those confidential documents.

4. Review of the Existing Security Software and Network Appliances

Unfortunately, there are many assumptions when it comes to security software, e.g., anti-virus, firewalls, etc. and network appliances such as wireless routers, switches, printers, etc. Below are examples of such assumptions:

• The security software is enabled on all systems

• The default configurations will protect you

• The security software and network appliances are up-to-date

I am often surprised to see how many businesses hold the above assumptions and leave glaring holes in their security that would take a few minutes to review and a few clicks to rectify.

5. User-Level Access

By default, almost all systems grant administrative access to users. That means that anyone can install software, including a virus, or remove security protections such as an anti-virus program. This poses a serious risk to businesses.

By simply having separate log-ins for everyday use and for administrative purposes, you can protect yourself from as much as 95% of most viruses, Trojans, and other malware.

6. Removing High Risk Software

There are many examples of high risk software that often come installed by default or end up being installed on our systems. Many of these types of software are riddled with holes. As I write this article, software vulnerabilities in Java, Flash, and Adobe Reader are the top three targets that cyber-criminals use to attack their victims. They represent 66% of all Microsoft Windows and many Mac OS X software vulnerabilities.4 By simply removing these programs from the systems that do not require them, you remove a massive cyber-risk to your business.

The Verdict

The cyber-threat is continuously evolving. Cyber-criminals are using smartphones, social media, and the Internet to monitor, stalk, and perform recon before launching an attack on their victims with precision. Attacks include identity theft, financial fraud, ransom, information theft for profit, and preparation for physical attacks like burglary. Partnering with a Reputation and Security Strategist will allow you to implement proactive solutions to assist you in protecting yourself, your family, and your business from a constantly changing cyber-threat landscape.

1 2013 Norton Report (http://www.symantec.com/content/en/us/about/presskits/b-norton-report-2013.en_ca.pdf)

2 State of California Department of Justice – Office of the Attorney General (http://oag.ca.gov/ecrime/databreach/reports/sb24-41702)

3 House Committee on Small Business (http://smallbusiness.house.gov/news/documentsingle.aspx?DocumentID=325034)

4 http://www.tripwire.com/state-of-security/top-security-stories/surprised-majority-systems-infected-via-adobe-java-exploits/

About the Author

Anwar’s experience spans over 20 years in Information Technology with over 9 years in cyber security management and protection. He has led security teams responsible for protecting multi-billion dollar global financial companies from cyber attacks. Anwar has been a keynote speaker at numerous events including the recent Rogers Group Financial wealth management event in Vancouver. He has also been featured in Business In Vancouver and News Radio 1130AM.

Anwar tailors simple-to-understand and easy-to-implement strategies that allow his clients to protect themselves from the latest cyber threats.


Contents Copyright © 2015 by PANGEA Private Family Offices Inc.; may not be reprinted without written permission. PANGEA Private Family Offices Inc. is a part of the PANGEA Global Wealth Group corporation. PANGEA Global Wealth Group is a Canadian controlled private corporation.

The information in this PANGEA Private Family Offices Special Report is for informational purposes only and is not intended to provide specific financial, investment, tax, legal, accounting or other advice to you, and should not be acted or relied upon in that regard without seeking the advice of a professional. Your advisor can help to ensure that your own circumstances have been properly considered and any action is taken on the latest available information. PANGEA Private Family Offices does not make any express or implied warranties, representations, or endorsements with respect to the information, processes, products or advertisements included in this publication.

PANGEA Private Family Offices is foremost a private, family wealth strategy firm serving first and second generation creators of significant wealth, and their children, with independent thinking that redefines their family wealth experience. We specialize in resolving complex family wealth issues for global families with thoughtful guidance and insider perspective. Our purpose is to help global families flourish for generations.

Website: www.pangeafamilyoffices.com LinkedIn: PANGEA Private Family Offices Twitter: @PANGEAPrivateFO
