As organisations shore up their cyber defences, high-net-worth individuals become an increasingly attractive target for attack. Aon’s Richard Hanlon discusses the value of open, honest dialogue about cyber security – with oneself, family members, and external experts – in order to best measure, manage and minimise one’s exposure. Content produced in partnership with Aon.
Over recent years, cybercrime has risen to unprecedented profile and prevalence.
Attack numbers spiked in the wake of the pandemic, with headlines dominated by the targeting of public and private institutions. In 2020, malware attacks grew year-on-year by 358 per cent and ransomware a staggering 458 per cent, according to research by Deep Instinct. Both continue on an upward trajectory. Businesses have had to get smarter. Ipsos found that nearly half (46 per cent) of UK businesses reported experiencing attack in 2020. That number fell by 7 per cent in 2021 and, as of December 2022, still stands at 39 per cent.
The corporate landscape is by no means now impregnable, but heightened security standards and investment have prompted ambitious criminals to switch focus, both in terms of identifying new entry points and potential targets.
Stood squarely in their crosshairs are high net-worth individuals. Verizon’s 2022 Data Breach Investigations Report found that members of the C-suite are 12 times more likely be the targets of phishing than junior employees. This indicates that criminals are increasingly singling out individuals, a shift that demands new approaches to personal protection, preparation, and coverage.
‘As organisations become more cyber-resilient, the individual who lacks those sophisticated cyber-defences emerges as a more attractive target,’ explains Richard Hanlon, head of cyber solutions at Aon UK. ‘For the high net-worth individual, it’s a simple formula: if your exposure is high, the likelihood of attack is high, and the potential severity of falling victim is high, be certain you’re in the attack path.’
The four T’s of high net worth cyber security
Awareness of these dangers among those standing in that path also seems high, with 92.5 per cent of respondents to a recent Spear’s reader survey, conducted in partnership with Aon, citing cyber exposure as being of concern. However, a significant gap remains between awareness and action. For Hanlon, much of this comes down to a lack of understanding about how such an attack is launched.
‘It all starts with your digital footprint,’ he explains. ‘Do you know how much of your personal information is out there on the internet and social media? Threat actors are becoming increasingly skilled at aggregating that information and impersonating you. As humans, our nature is to overshare, but that creates huge opportunity for those looking for ways in.’
A more individually targeted focus is reflected in what Hanlon says has been the biggest trend in cyber-criminality over the last year: email compromise. ‘Say it’s your family office,’ he begins. ‘An email is sent to somebody in control of funds, demanding immediate action. The email address is legit, it’s from your account, but so too is the content – the sender is discussing family members by name, asking personal, informed questions, mentioning a dinner in Paris last week. They’ve aggregated all this personal information from across the web and been able to convince somebody you’re close to that it’s you they’re speaking to.’
How then should you be protecting yourself? With most risks, Hanlon responds, you choose between ‘the four T’s’: treat, terminate, transfer, and tolerate. Cyber, he continues, poses a somewhat different challenge where termination is not an option: ‘We are talking about a dynamic, morphing, ever-changing risk. As soon as you change defence, they change offence.’
An honest appraisal of HNW cyber security
For high net-worth individuals to protect their cyber security, they must have an understanding of their digital footprint, and always be looking to protect and minimise it. The first essential step, Hanlon says, is an ‘executive vulnerability assessment.’ This involves an in-depth study of what’s out there, including a scan of information lurking in the dark web. Building this awareness requires expert assessment from independent professionals, but many individuals remain hesitant when it comes to opening themselves up to this level of external scrutiny.
Such reticence may help explain why only 21.4 per cent of respondents to the Spear’s/Aon survey had taken out personal cyber insurance, with just 11 per cent conducting a cyber security review/risk management. Hanlon is unsurprised by the discrepancy between awareness and action.
‘I’ve sat down with individuals and told them what needs to be done, only to discover they are worried about what we might uncover,’ he says. ‘I have to explain, that’s the whole point. People are reluctant because it’s so invasive, but far better we identify those vulnerabilities than a malicious actor. Then, if we discover compromising information on the dark web, for example, we have a takedown service. That involves actually finding and negotiating with criminals to remove those materials. But you can only do that if you know what’s out there.’
One example of a potentially embarrassing attack vector is the rise of elite dating sites, an area Hanlon says has been identified as a ‘honey pot’ by malicious actors. ‘It’s somewhere we’ve seen a real uptick in criminal activity,’ he says. ‘In the heat of romance, people often leave themselves exposed.’
But even for those who think they lead a very mundane online existence, one is only ever as secure as one’s weakest link. An individual can take extensive steps to protect their own digital footprint, but is still open to exposure from the activities of their nearest and dearest. At times, this can bleed from the digital into the physical realm. Hanlon mentions one client who had no idea how documents had been stolen from his home, only for the Aon team to discover the alarm code, clearly visible in a selfie posted by his daughter, on a sticky note stuck to the wall. Another case saw a family member ‘like’ a vet service on Facebook, prompting criminals to hack the office and steal the family’s personal details, including credit card numbers.
In fact, one’s animals are a risk category all of their own – Hanlon points to an Aura report earlier this year which found that more than one-third of pet owners in the US had their pet’s name in their password.
Education, education, education
‘Extended family members can create large areas of compromise, so there needs to be a significant education component to one’s cyber efforts,’ he says. ‘Some of that can be simple online courses, building and gauging levels of cyber awareness. For a family office, we might actually send in experts for a tabletop exercise – staging an attack, like a war game. You make it very real, sit people down in the room and ask: ‘What are you going to do next?’. We get them to work through the scenario and learn by doing.’
What should be stressed is that these are not one-off efforts, but must form part of an ongoing strategy. ‘No decision about cyber-risk is a single point in time decision,’ Hanlon agrees. ‘It’s a continual journey to sustained cyber resilience. That requires a trusted adviser. Much like you don’t want to be constantly moving from doctor to doctor, you need this to be an honest, long-term relationship. It must be someone who you allow to fully understand and appreciate your risk profile.’
‘We talk about “the cyber loop”. There’s nothing linear about this. You start by assessing, find vulnerabilities, then look at ways of mitigating them. Where you can, you transfer elements, try to take them off the balance sheet. Then you loop around to that recovery piece: if bad things happen, do you have the ability in place to recover quickly? It never stops, but if you can ensure you’re as secure as you can be, criminals should move onto the next target.’
More from Spear’s
Defuse’s Philip Grindell on helping security-conscious HNWs with cybercrime
How to protect assets in an evolving threat landscape
Is this the beginning of the end for beneficial ownership registers?