Today, few organizations are immune to cyberattacks. Family offices and small businesses are no exception.
Increasingly, small organizations are being targeted with the same phishing, malware and ransomware attacks that each year cost bigger businesses trillions of dollars in losses.1 It’s therefore essential for them to develop robust cybersecurity controls and have a well-thought-out recovery plan in place—hopefully before a cyber breach occurs.
A cautionary tale
Cybersecurity for a family office client that was managing investments, real estate properties and day-to-day finances for several generations of one family, primarily depended on weekly backups of data and systems—plus incremental backups every night. The office team believed this two-pronged strategy would allow them to recover data from many different points in time if a problem ever arose.
Unfortunately, a ransomware attack quickly revealed the flaws in this approach: All of the office’s day-to-day systems as well as its backups were stored on the same network.
Hackers were able to gain control of all of the office’s systems and information, and demanded a ransom of $500,000. Initially, the family declined to pay the ransom, hoping to find a workaround. But after a 10-day shutdown of the office, they paid the ransom to restore their systems.
Steps to take now
J.P. Morgan’s cybersecurity specialists can help you develop, test and execute resiliency plans in the event of a cyberattack. Here are some of their recommendations to help you get started:
Manage people and processes
- Put an employee training program in place—Many cyberattacks start with phishing or malware. Teach your employees how to identify and report suspicious emails or other online activities. Periodically, test their knowledge and skills.
- Limit employees’ internet access from company-owned devices—Reducing the number of sites employees can visit can reduce the likelihood of malware being introduced into your operations.
- Add an advanced spam-filtering service to your operations—A spam filter can help you identify and block phishing emails and reduce the likelihood of someone on your staff responding to a spoofed email domain. Even better: Opt for a spam filter that includes these features:
- URL rewriting—Analyzes links sent in emails and blocks users from accessing potentially malicious websites.
- Attachment sandboxing—Automatically opens and scans files attached to incoming emails to detect if malware or viruses are hidden in them.
- Email impersonation detection—Helps identify if a sender is attempting to impersonate a colleague’s or business partner’s email account.
- Install system patches and software updates as soon as they become available—Prioritize patching efforts according to:
- The types of data contained in a given system.
- Their degree of importance to your overall operations.
- The likelihood of the patches themselves disrupting business operations.
Have a backup plan
- Create multiple data backups—To restore systems in the wake of a cyberattack, consider storing copies on cloud services or completely offline.
- Conduct a business impact analysis—Assess the potential consequences of a cyberattack on your operations as well as on your recovery strategy. For example:
- Could your business operate offline if no online systems are available?
- How would you make crucial payments?
- Which systems would need to be recovered first?
- Who inside the organization would make critical decisions?
- What outside parties (partners, regulators, press, customers/clients) would need to be notified if a cyberbreach occurred?
Don’t go at it alone
- Develop a relationship with a cyber-resiliency partner before an incident occurs—A partnership with a digital forensics and incident response firm, for example, can help you mitigate the impact of an attack and reduce the amount of time it takes to recover.
- Supplement your recovery plans with a cybersecurity insurance policy—This can help defray a portion of the losses you may incur.
- Test the strength of your system security—Have an IT and security provider assess the strength of your cyber protections and implement more robust controls and technologies, if needed.
Document and practice
- Create a playbook—Take the time to map a clear path to recovering from a cyberattack.
- Conduct regular reviews—Practice and update your resiliency plans on a regular basis to ensure they will be executed successfully in the event of an incident.
We can help
J.P. Morgan is committed to providing safe, resilient services to our clients and partners within an ever-evolving threat landscape. To learn more about protecting your business and yourself from cybercriminals, please contact your J.P. Morgan team.
References
IMPORTANT INFORMATION
This information is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from cyber fraud. It does not provide a comprehensive listing of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices. You, your company or organization is responsible for determining how to best protect itself against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs.
Check the background of our firm and investment professionals on FINRA's BrokerCheck
To learn more about J. P. Morgan’s investment business, including our accounts, products and services, as well as our relationship with you, please review our J.P. Morgan Securities LLC Form CRS and Guide to Investment Services and Brokerage Products.
This website is for informational purposes only, and not an offer, recommendation or solicitation of any product, strategy service or transaction. Any views, strategies or products discussed on this site may not be appropriate or suitable for all individuals and are subject to risks. Prior to making any investment or financial decisions, an investor should seek individualized advice from a personal financial, legal, tax and other professional advisors that take into account all of the particular facts and circumstances of an investor's own situation.
This website provides information about the brokerage and investment advisory services provided by J.P. Morgan Securities LLC ("JPMS"). When JPMS acts as a broker-dealer, a client's relationship with us and our duties to the client will be different in some important ways than a client's relationship with us and our duties to the client when we are acting as an investment advisor. A client should carefully read the agreements and disclosures received (including our Form ADV disclosure brochure, if and when applicable) in connection with our provision of services for important information about the capacity in which we will be acting.
INVESTMENT AND INSURANCE PRODUCTS ARE: • NOT FDIC INSURED • NOT INSURED BY ANY FEDERAL GOVERNMENT AGENCY • NOT A DEPOSIT OR OTHER OBLIGATION OF, OR GUARANTEED BY, JPMORGAN CHASE BANK, N.A. OR ANY OF ITS AFFILIATES • SUBJECT TO INVESTMENT RISKS, INCLUDING POSSIBLE LOSS OF THE PRINCIPAL AMOUNT INVESTED
J.P. Morgan Wealth Management is a business of JPMorgan Chase & Co., which offers investment products and services through J.P. Morgan Securities LLC (JPMS), a registered broker-dealer and investment adviser, member FINRA and SIPC Insurance products are made available through Chase Insurance Agency, Inc. (CIA), a licensed insurance agency, doing business as Chase Insurance Agency Services, Inc. in Florida. Certain custody and other services are provided by JPMorgan Chase Bank, N.A. (JPMCB). JPMS, CIA and JPMCB are affiliated companies under the common control of JPMorgan Chase & Co. Products not available in all states.
Please read additional Important Information in conjunction with these pages.
You're now leaving J.P. Morgan
J.P. Morgan’s website and/or mobile terms, privacy and security policies don’t apply to the site or app you're about to visit. Please review its terms, privacy and security policies to see how they apply to you. J.P. Morgan isn’t responsible for (and doesn’t provide) any products, services or content at this third-party site or app, except for products and services that explicitly carry the J.P. Morgan name.