Date: 2026-01-29

Cyberattacks are becoming a routine risk for family businesses, with 74 per cent hit globally in the past 24 months, Deloitte Private research shows

Cybersecurity threats have affected an average of 74 per cent of family businesses worldwide over the past 24 months, resulting in financial and reputational losses in many cases, according to Deloitte Private’s research.

The report was compiled using information from over 1,500 business executives at family businesses with a minimum revenue of $100 million and the families owning a controlling share of the company. These businesses generated an average revenue of $2.8 billion in 2024, meaning many of those affected by these cyberattacks are high-net-worth (HNW) and ultra-high-net-worth (UHNW) individuals.

Of the family businesses surveyed, 41 per cent experienced one cyberattack in the past two years. Just over a quarter experienced two cybersecurity incidents, while seven per cent reported three or more.

When broken down by region, there is a clear disparity in exposure to cyber threats. In the Asia Pacific (APAC) region, which includes countries such as China, Japan and Singapore, 90 per cent of family businesses were affected by at least one cyberattack in the past two years. This high level of exposure is partly due to high levels of digitisation across the region, as well as regulatory environments and, in some cases, less mature cyber resilience, according to Deloitte.

In Europe, by contrast, 67 per cent of family businesses reported exposure to cybersecurity threats, with one third claiming they faced no digital risk over the past two years. While the risk remains high, with well over half exposed to at least one cyberattack, the figure is lower than in APAC due to stricter controls on data handling and breach reporting under the General Data Protection Regulation (GDPR) across the European Union, the report suggests.

Cyberattacks can take many forms, the report notes. Malware, malicious software designed to steal data over a prolonged period, was experienced by 49 per cent of respondents and can result in sensitive information being held to ransom. Phishing attempts, email scams in which employees are tricked into transferring funds or sensitive information to contacts who falsely appear trustworthy, are also widespread, with 48 per cent of respondents reporting such incidents.

One American family principal and CEO surveyed described his business’s experience with phishing: ‘An employee was phished, allowing attackers to access our system for 45 days. They intercepted invoices and redirected payments, resulting in a loss of over $500,000, which we never recovered. This incident underscored the importance of robust cybersecurity measures and vigilance across our organization.’

While less common, 27 per cent of global family business leaders reported exposure to internal threats, where an employee intentionally leaks confidential information or compromises systems. Such incidents expose family businesses to both human and cybersecurity risks.

How can family businesses protect themselves from cyberattacks?

Having a robust strategy that prepares businesses for a range of cyber threats is essential for family firms, the report notes.

According to Deloitte’s findings, just over a third of family businesses, 36 per cent, regularly assess their cybersecurity measures, which can help prevent and detect threats before they arise. The remaining 64 per cent do not, instead relying on antivirus software and data backups without an overarching strategy, leaving them vulnerable to attack.

Hiring a chief information security officer is one way family offices can maintain control over their digital safety, argues Lucy Burnford, CEO of cybersecurity firm Coc00n.

‘Be clear on who owns the risk,’ Burnford says. ‘Without clear risk ownership, it is unlikely that what is in place is robust.’

Speaking specifically about family offices, Burnford notes that their boutique size can make them attractive targets for financially motivated cyber crime.

She adds: ‘Cybersecurity should not be considered a point in time activity but should form a part of the very set up of a Family Office throughout their lifecycle.’

Another way for family businesses to protect themselves from cyberattacks is by establishing clear guidelines covering all forms of cyber crime, says David Allison of cybersecurity firm Octaga.

‘Some measures include segregating networks, enforcing strong access controls and multi-factor authentication, monitoring for unusual activity, and providing age-appropriate cyber awareness guidance for family members,’ he says. ‘Regular security assessments and clear verification procedures for financial transactions are essential.’

He adds that where there is overlap between a family’s personal online activity and its business operations, real risks can emerge.

‘We have seen real world incidents where a seemingly harmless download on a child’s laptop ultimately led to the leakage of confidential family information and attempted fraud,’ he recalls.

Burnford echoes Allison’s view that personal devices should be strictly limited to non-business use.

‘Personal devices are a major attack vector,’ she says. ‘Either completely prevent access to data and systems from personal devices, or ensure personal devices are configured securely.’