If the noughties were characterised by an explosion of data sharing, the next decade will be known for trying to keep data secure.
That is the message from experts, who say that although businesses and institutions have traditionally dominated the cyber security industry, now increasingly it is ultra high net worth (UHNW) individuals – often the CEOs and shareholders of companies – who are seeking the same levels of security for their personal accounts.
Small wonder security fears are growing. Headlines have been dominated by stories of hackers, scammers, and phishers tapping phones or hacking high-profile victims including the White House Military Office, The New York Times, The Wall Street Journal and the South Korean banking industry.
“UHNW individuals (those with assets of US$30 million and above) are waking up to the need for holistic security measures due to some well-publicised information security breaches,” said Niall Archibald, a project manager for Kroll in Hong Kong.
A chain of events – including the phone hacking scandals in the UK focussed on wealthy celebrities and politicians, the rise of “hacktivism”, with international groups like “Anonymous” targeting and exposing wealthy people for political ends, and the Edward Snowden affair – has made people realise the full extent of phone and email monitoring in the US and other countries.
As e-commerce and electronic banking grow, cyber crime targeting bank and retail customers and online payment services grows ever more sophisticated. According to a study published last month by non-profit The Online Trust Alliance, 2013 was the worst year for data breaches on record, with over 730 million online records exposed last year.
In one of the highest profile cases to date, last month luxury retailer Neiman Marcus announced that hackers had stolen consumer data in a breach that involved 1.1 million credit and debit cards after malware was installed on Neiman Marcus systems. It was the same malware that compromised retailer Target’s tills and reportedly revealed information of over 110 million customers. Last month, Korea was hit by one of the world’s worst-ever personal data thefts. As much as 40% of the country had information like addresses, credit card details and personal identification numbers stolen by a single worker. And in December the statements of 647 private banking clients were stolen from Standard Chartered Bank in Singapore, from a server at a third party printer.
Even more concerning for ultra wealthy individuals is the rise of targeted crime – “spear phishing” or “whaling”, where criminals directly target the big rich fish: the company executives or politicians. German Chancellor Angela Merkel had her phone tapped last October, allegedly by American spies.
The problem lies in the growing reliance on the internet, which means that criminals can attack from anywhere at any time, said Sean Sullivan, a security advisor at F-Secure, a Helsinki-headquartered anti-malware company. “Before the internet, as a wealthy individual you could move jurisdictions to be somewhere safer like Switzerland or Singapore. But cyber crime doesn’t have geographical boundaries,” he said.
So what can be done? Counter-intuitively, to protect themselves from virtual crime, Archibald says the ultra wealthy should first consider their physical security.
“We recommend that security should be multi-disciplinary; information security is always part-physical control methods, part-electronic solutions,” said Archibald. “If you want to protect your virtual security you need to assess your accessibility to physical locations, your private and business associates, who you’re related to and also take a cyber security assessment. Physical security on mobile devices, credit cards and laptops plays an important factor so having multiple devices and multiple passwords is key, as well as locking your valuables away in hotels and public places.”
Sean Sullivan, a security advisor at solution provider F-Secure, agreed that cyber security frequently comes down to the devices themselves.
“Keep business and pleasure separate. The devices themselves are not expensive, so buy several and keep your subscriptions separate from your bank passwords,” he advised. He added that certain devices are easier to compromise than others. Apple is one of the safest while Android is frequently compromised. A report from F-Secure stated that 259 new pieces of malware for mobile devices were discovered in Q3 of 2013. Of these, 252 were designed to target Android devices and none were for Apple.
But even the most security-conscious individual cannot account for his wealth manager or lawyer. The industries managing wealth are even more vulnerable and must also be held accountable, as seen in the case of Standard Chartered Private Bank, said Sharat Sinha, vice president Asia-Pacific, Palo Alto Networks. “Wealth management firms and advisers have a responsibility to ensure that security standards are being fulfilled and they are doing what they can to protect customer data.”
He added that this can be done by taking a preemptive approach to securing networks with enterprise standard solutions that can offer comprehensive protection from all forms of cyberattacks – from malware, to Distributed Denial of Service (DDoS) attacks or even Advanced Persistent Threats (APTs). To increase the level of security they adopt to protect their data, it is also important to constantly analyze all traffic, to ensure that no threat goes unnoticed. “Finally, these technological solutions need to be complemented by an organizational structure, and rapid response strategy with a dedicated team responsible for responding to incoming threats,” said Sinha.
According to Hazel McNaught, a solicitor at Stevens & Bolton LLP, her clients have already started showing sensitivities around cyber security. “We have found that some UHNW clients are increasingly reluctant to send financial documentation by email, fearing that they may be surrendering this information to the faceless web at large and therefore possible cyber intrusions.” She said that more clients prefer to disclose online passwords so that their advisors can access their documentation on their behalf, rather than submit it electronically. “The trust placed in us as individuals is vast, but compared to the foreseen damage to be caused in a post-Snowden era, these are steps clients are increasingly prepared to take.”
Meanwhile, some UHNW individuals are actively looking to hire someone to test their online presence and make sure there are no “chinks in the armour”. As of yet, said Victor Keong, Security, Privacy and Resilience Leader at Deloitte Asia Pacific, there isn’t a headhunter or search firm who specialises in this field. A job like this tends to work on trusted relationships.
“They typically hire someone they have worked with or trust that is skilled in IT, to set up and secure their IT environment at home. These tend to be the heads of IT departments in companies which the UHNW individual is the owner of,” he explained.