With almost 15 years working for the CIA and the FBI and now another 17+ in the private sector, I still regularly bring those well-honed government skills to bear in the ever-changing threat environment of the private wealth arena. My experience in those organizations gave me a foundation of anticipation and agility, and then for good measure they layered on top tradecraft, investigations, weapons, tactics, protection, and a global cultural awareness. All of these serve me well each day as we support families and clients around the world.
However, it’s the anticipation and agility that have given Red Five the ability to forecast imminent trends over the horizon for our clients, and this has allowed us to innovate and help them avoid problems. Bad actors continue to find ways to capitalize on emerging technologies and trends, and the unaware are usually complacent victims. 2022 is looking to be on a similar path – although accelerated.
In 2022 we will continue to see growth in the recently emerged trend of adversaries leveraging artificial intelligence, or AI, in phishing and hacking attempts. AI is now being used to read your social media and learn who you are, how you write, and the little nuances surrounding your online personality, all to better imitate you and create deceptive communications in spear phishing attacks. According to Verizon’s 2021 Data Breach Investigations Report, during the past year more than a third of all data breaches employed phishing as a tactic to successfully compromise client data. If that large a percentage were to up its game with AI overnight, I suspect we’d see an exponential increase in breaches and subsequent loss of confidence in protecting our most personal data. Is your IT or cybersecurity team ready to counter an AI-enabled cyber adversary? Perhaps you should investigate that.
Social and human engineering efforts will continue to be one of the top ways systems are breached, second to the ever-present lack of urgency in patching software and systems. Human beings continue to be the weakest link in access control to systems, and addressing this insider threat is critical to all organizations. When characterizing insider threats, some are concerned that it demeans their employees and characterizes them as lesser people – the reality is they aren’t necessarily active participants in these nefarious acts. Insider threat teams, however, must address both the active and passive sides of the same insider threat coin. Some insider threats are unwitting in their collusion. Some insider threats are actively looking to deceive, thieve, and leave – taking with them valuable intellectual property, financial instruments, or other digital assets. It’s time to up your insider threat program. If your organization doesn’t have one – perhaps it’s time to get a professional to advise you.
Resiliency remains a key word for 2022, as the pandemic continues to plague much of the planet, natural disasters are increasing in intensity and frequency, and organizations and private families are not keeping up with the times. Raising a family office’s readiness, a business’s preparedness, and your individual resiliency is becoming a national security imperative. Yes, we as a country need to start thinking about how law enforcement and first responders are not resourced to respond to simultaneous mass emergencies, civil unrest in affluent neighborhoods, and natural disasters. Cities like Houston and New Orleans face a myriad of challenges from hurricanes; wide swaths of the west face unprecedented wildfires and mudslides; our schools continue to experience tragic shootings; and the trend for climate-related security impacts is increasing. Conduct an audit, make a plan – for you, your family, and your business. To not do so puts additional strain on those already limited local and national response resources. The more each of us can be self-sufficient, or rally as a neighborhood or a community, the more resilient we will be as a country. Is your executive team ready? Your facility managers?
The converged space of digital and physical security continues to evolve, and holistic assessments must now be the norm. As security professionals continue to talk about getting an assessment, it can no longer just be a “physical security assessment” of cameras, sensors, hardware, guards, procedures, and policies. Red Five has been incorporating cyber and privacy issues into its assessments for years, and our clients always benefit from the insight provided on the converged space. The adversarial placement of a physical recording / transmitting device in your private space to collect information continues to be a persistent threat to boards, CEOs, technology teams, investors, and private families. The use of physical drones to carry out assassination attempts is now commonplace, but they are also being used to collect data or carry out cyber-attacks from above.
Your team should be compartmenting corporate, personal, and board email domains so legal subpoenas don’t “unintentionally” collect adjacent data. Your team should be reducing your online footprint to make it harder for your adversaries to collect the valuable information they need to conduct a successful physical attack on your family. Your team should be making sure that those limited partners that joined your team and walk into your office are who they have claimed to be and aren’t also investors in your competitors’ best interests. The question is – is your guard company, IT provider, or your consulting team addressing these issues? 2022 will test them. Are they looking at risk holistically? Make sure you have the right team as the threat environment continues to morph and accelerate.
Deloitte Private recently sponsored a Campden Wealth survey, and their European Family Office Report noted that 38% have been victims in the last 12 months. Don’t be another statistic. For the affluent families, the single-family offices, the multi-family offices, the wealth managers, the estate planners, and the legal teams – early 2022 is a time to take stock. Review your risk management team and make sure that it is holistic: that the team that you have is the team that you need. Your team should be addressing online privacy issues, technical surveillance threats, corporate due diligence on key partners, resiliency planning, and insider threats, conducting sophisticated experience-based training, and preparing for AI-enabled cyber-attacks.
This is what 2022 looks like. Be ready.