Secure Your Family Legacy: 3 Tips to Protect Your Information in 2024
Whatever your role in your family business, whatever generation you’re in, and wherever you are in the world, using technology in some shape or form is going to be mandatory. In a world where cyber security issues and breaches continue to rise alarmingly while increasing in sophistication, it is the businesses that have the least protection that provide the greatest attack surface for malicious actors. This means that best-in-class security, whilst sometimes adding overhead, is not optional.
Adding to the complexity of the situation, family businesses have perhaps even more inherently private information than other businesses. You need to store, access, and distribute this information in a timely and appropriate manner, while also being assured of its safety and security. Taking operations and communications offline and manual, whilst sometimes desirable, is not an option.
Bearing in mind the balance between these two non-optional but often conflicting requirements, technology needs to be an enabler, with the least friction possible, if it is to truly protect your family’s private information.
Here, we outline 3 tips from our team of family business experts, across three key categories of private information.
NOT ALL PRIVATE IS CREATED EQUAL
There are three different categories of information in family businesses, all of which can be considered ‘private’:
- Documents and other files
- Communications and interactions
- Credentials and personal information
Each of these presents different security risks and requirements, and they vary in severity. The most severe case is where credentials are stolen without anyone knowing, allowing malicious actors to gain access to the entire system.
CATEGORY 1: DOCUMENTS AND OTHER FILES
Information and documentation are the backbone of any organisation. Not everyone in the family business needs to, or is qualified to, be privy to every piece of information in the organisation. So how can documents and other materials be protected and yet easily accessible by those that have the appropriate rights?
The main risk here is that information is not appropriately protected once properly verified users are inside the organisation’s systems.
Some of the key ways in which technology can be used to protect private information include:
- Data security and integrity as basic requirements
- Managing who can see what
- Providing visibility of who does what
Data security and integrity
Data security within the organisation is achieved through storing all confidential files and documents in a central hub. Particularly sensitive or private files can be uploaded to personal or shared vaults, with additional security permissions included. The integrity of data can be assured through regular backups distributed geographically, avoiding the need for any locally stored copies of files.
Managing who can see what
Managing who can see what is achieved through groups and permissions for boards, committees and other working spaces. Access permissions can be appropriately assigned for different groups and individuals, and user roles customised with view, edit and delete permissions as appropriate.
Providing visibility of who does what
Providing visibility of who does what is achieved through systems such as document review and change tracking, audit logs and e-signatures, which make the activities of individual users visible and recorded. This can extend to using the technology platform for surveys and in-house voting systems, where not only is feedback streamlined but the activities of each participant are recorded.
Our recommendation: use a technology solution that is fit for purpose and has been designed for the specific circumstances and nuances of operating family businesses.
The result: confidence and control over the sensitive data.
CATEGORY 2: COMMUNICATIONS AND INTERACTIONS
Communications and day-to-day interactions are often simply taken for granted, when in fact they present another opportunity for security breaches, whether from ‘man-in-the-middle’ attacks or simple eavesdropping.
There are more ways of communicating than email, which, while also vulnerable to man-in-the-middle attacks, is usually encrypted or otherwise protected. Text messages and communication via social media platforms have become increasingly accepted, even within business contexts. For family businesses, where the lines between personal and professional are so often blurred, this is possibly even more the case.
Just some of the risks presented in day-to-day communications are:
- Inadvertently including, whether as attachments or links, access to other documentation and information over and above the text content of the message
- Careless sharing of credentials over a text message, such as usernames and passwords
- Innocently mentioning details of family members or referencing business-confidential information informally in communications
The primary way family businesses can mitigate these risks is to keep communications within the family business management platform, with its in-built security and all communications encrypted as standard. This can include features such as event channels for group communications, in-built direct chat, space for private notes, and even integration with other third-party platforms such as video conferencing or calendars.
The easier and more seamless communications within the technology platform are, the more likely the platform is to be adopted and become commonplace: it will be as easy to send a message within the platform as it is to write a text message. If it is difficult or presents user friction, then it will be resisted.
In addition, there should be clear rules as to the acceptable use of non-platform communications within the business, in terms of what is and what isn’t allowed. This becomes part of the onboarding and continual education of members of the business, and should include the basic principles of cyber security and best practice in communications.
Our recommendation: use a technology solution that unifies communication in-platform, whilst making it easy to use.
The result: continuity and confidence in the security of communication throughout the organisation.
CATEGORY 3: CREDENTIALS AND PERSONAL INFORMATION
The security risks presented by the loss or theft of credentials and personal information are the highest of all, for two reasons. Firstly, often it is not known that credentials have been stolen, and therefore hackers and malicious actors can gain access to entire corporate systems. Secondly, much of this comes down to human behaviour, which is next to impossible to monitor and police.
The security risks here cannot truly be eliminated, but they can be minimised and mitigated to some extent through a combination of cyber security best practice and ongoing user education. This includes:
- Robust login policies that include, as a minimum, strong multi-factor authentication and, where possible, some form of biometric information
- Corporate rules including never sharing passwords and never writing down credentials
- Forced reset of passwords on a regular basis
- Invite-only approved access to corporate systems
- Limited number of systems administrators
- Specific categories of users and associated access permissions, set to the minimal access required for each user
- Audit trails and digital footprints while inside the platform
- Proactive monitoring of internal communications and activities to spot any suspicious behaviour
- Continued education as to cyber security best practice and how to spot possible loss of credentials, such as provision of ‘last login’ details for users each time they log in
- Mechanisms that make it easy to report infractions and quick to revoke access privileges until reset
- Regular security reviews within the organisation, and a security policy that continually evolves to reflect best-in-class security recommendations
Our recommendation: use a technology platform that embodies the best possible security, without compromising on its accessibility and use.
The result: control and continuity over access to the family business platform.
Protecting your family’s private information combines two key elements.
First – best-in-class security policies and best practices, strictly and uncompromisingly policed. Second – a corporate culture that continually educates members of the family and the business as to how to interact, communicate and behave appropriately.
With this combination of a culture of cyber security best practice and the right technology choice to back it up, control, continuity and confidence in the privacy of family information can be maximised and maintained.