A version of this article appeared in Brink on December 17, 2021.
Tech moguls, private equity barons, corporate CEOs, celebrities, sports stars, and other elites enjoy notable wealth and prominence. Yet in today’s digital world, they can’t rely solely on the defenses of gated manors, private islands, or security details. The wealthy and their staff need to sharpen their cybersecurity capabilities to protect themselves, their families, and their entourages from data breaches, ransomware, scams, extortion, and other digital harms.
“Prominent individuals are targets because it is assumed that they have access to funds and their brands are valuable,” says Alec Harris, managing director of security specialist firm Halo Privacy. “Wealthy people get hit by everything from low-level phishing attacks to coordinated campaigns involving spear-phishing, social engineering, and other persistent cyberattacks.” Their children also may be vulnerable, especially if they post actively on social media about their activities, adds Kevin Kelly, the firm’s chief executive.
Inequality being a political issue, the cyber travails and tribulations of the 0.1% may not attract significant sympathy. However, cyberattacks against them can affect a much wider population if such events undermine corporate operations or profitability. Importantly, the public at large can learn lessons from the cybersecurity strategies of the rich and famous.
Kelly and Harris talked recently with Paul Mee, lead partner of Oliver Wyman’s Cyber Risk Platform and co-head of the Oliver Wyman Forum’s Cyber Risk initiative.
How much of a threat is cyber to wealthy families and their assets?
Alec Harris: It’s significant and underappreciated. People talk about cybersecurity and physical security as if they’re 50-50 equals. The reality is more like 90-10. Cyber events occur all the time while physical security events are, thankfully, rare.
What are the typical outcomes or objectives in these cases?
Harris: One notable and worrying outcome can be the appropriation of an individual’s brand, identity, email address, or phone numbers – basically anything that would allow an adversary to act as if they are, or are acting on behalf of, the victim. If you’re prominent on Twitter and your account gets taken over, it can be used for a period of time to elicit scams, misrepresent you, or provide a digital treasure trove of contact information and conversations.
Within the compromise spectrum, there can be exploitation and coercion that results in the loss of funds, control, or data. An affluent party could be convinced that someone is acting on behalf of the family or firm and be persuaded, often in an urgent manner, to share or provide access to otherwise sensitive, personal, or confidential information.
The third type of attack involves a brand or reputation event. We saw this recently when someone infiltrated a large US video game producer and obtained information about when a new game would be released, on what platforms, and on what terms. The revelations undermined the company’s marketing strategy because consumers became aware that they could wait and get the game for free with their existing subscriptions.
Can cyberattacks serve as a path to something more physical?
Kevin Kelly: There is certainly that potential. It is critical to create situational awareness with certain people because they’re still going out and acting in their daily lives like they’re not targets. It can be worse with the younger generation because they want to post on social media platforms about what they’re doing, where they are, who they are with, and where they’re going.
How does someone’s digital footprint affect the likelihood of a physical incident?
Harris: The key intersection is what we call pattern of life – where you go, how you pay for things, what devices come along with you. It creates a very accurate profile, like an individual fingerprint. If you go to the same gym class each Wednesday at 8 a.m., it’s very likely you’ll be there next Wednesday. We live in a world of granular, specific, ubiquitous personal information, a lot of which can be acquired commercially. This modern digital phenomenon significantly increases physical risk, and security details need to be aware and posture accordingly.
How do you enhance awareness and preparedness?
Kelly: We talk about the three Ts – training, tradecraft, and technology. Training is the most critical. Having an ability to sit down and take time with family offices is essential. Given a greater appreciation of the threats, we find they’re more willing to do that than they have been historically. We’re talking about two or three hours, engaging them on how to be aware of certain situations, what to do and what not to do when traveling, how to engage with social media and digital technology, and how to do basic things like the privacy settings on their smartphone.
Can you quantify who is most at risk?
Harris: We’ve seen cases where a cyber attacker will seek to find out through access to a corporate network if a company has cyber insurance or kidnap and ransom insurance, and how much that insurance covers. Consequently, when an attack occurs the ransom request is, not coincidentally, for the exact same amount – to the dollar. The bad actors know that someone is prepared to pay, and it may seem like everyone walks away unscathed. Except these insurance policies are becoming increasingly expensive with more stringent terms. Also, successful attackers frequently leave behind a back door so they can come back for seconds.
What are the top practical recommendations you have for keeping prominent people cyber safe?
Harris: First, you’ve got to deal with your cell phone number and your SIM card. A cell phone number has become more valuable to an attacker than a social security number. Someone can try to SIM swap it, which involves switching a phone number from one device’s subscriber identity module to another, and use the number to impersonate you or access your accounts – especially where you use the phone for second-factor authentication. You need to treat your cell phone number as privileged information and then lock down the access and management of your SIM card to the fullest extent possible.
Second is cyber hygiene writ large: How you authenticate your accounts, how you save your passwords, what kind of alias you use for email, how you lock down your logins. A lot of it is fairly achievable. If we can get someone to use a password manager, that is an 80% solution.
Then you need to deal with the sprawl of your publicly available information: Public records, data brokers, social media – all the places that attribute your pattern of life. The places you donate money, the schools your kids attend, where your residences are, what kind of cars you own, hunting and fishing licenses, boats, airplanes, gun registries. A capable adversary will readily compile this but even a lesser adversary can usually buy that information. You have to deal with what is already out there and adopt a more judicious approach and discipline regarding future use of digital tools, apps and services which call upon personal data.
How do you do that second part – containing what’s already out there?
Harris: We typically do it through brute force. We will go to data brokers and use various approaches. With some data brokers you need to use the right form. Some you call, some you persuade or threaten, some you beg. We undertake the basic process of going through over one hundred data brokers and aggregators, petitioning for client data to be removed. Over time, it significantly reduces the attack surface. You also can do suppression campaigns to reduce the prevalence of certain information in search results. If you have a problem, we’re not going to be able to fix it in a few days, but given some time, we can do a lot to mitigate.
Why should people in general care about the risks facing the 0.1%? Will attack strategies targeting the ultra-high-net-worth be commoditized to go after the public more broadly?
Harris: People might not care in isolation. However, the more affluent typically run businesses. We have never worked with any high-net-worth individual where an attack didn’t also have an impact on the associated organization. It’s going to affect rank and file employees. It’s going to affect capital allocation goals by diverting resources into remediation and risk mitigation, and that’s not good for the organization.
Ransomware is already a commodity and that makes it easier to attack anyone. The people who perpetrate it aren’t the ones who come up with the malicious code. They rent it and then share the proceeds or pay off the coders. There’s a whole industry and it’s not a cottage industry. As Fyodor Yarochkin articulated in a recent article, Ransomware as a Service (RaaS) is highly organized and very lucrative. It’s a quasi-licit economy in some parts of the world. In certain countries you can have a day job at a cybersecurity firm and then by night code ransomware.
The techniques used to exploit the wealthy, once proven, are being rapidly deployed across populations more broadly and as part of a growing cyberattack armory for advanced persistent threat campaigns. Given this, we owe it to ourselves and our families to be security conscious, to be disciplined in how we care for our personal data, and to be vigilant in our digital lives.