How security measures in family businesses can be prioritised and organised for impact
As more and more family businesses move their governance activities online, security concerns become ever more prevalent. How can organisations analyse their security status, develop frameworks for control and combine the proactive and reactive activities needed for successful security management, all while maintaining control of the budget and continuing to run the business operations?
Implementing security and protection presents a number of challenges. Firstly, most family businesses and family offices have a very small team in charge of information technology, and typically little in-house security expertise. Secondly, across the board, the shareholders and all the family relations in the business, there is no single centralised IT system. Many family members use personal email addresses and their own devices, which makes it difficult, if not impossible, to maintain a central security and technology strategy.
The cloud is here to stay, and its use in personal lives has gradually transitioned into business life, particularly when people have crisis situations thrust upon them and are unexpectedly required to use technology like never before. Without time to develop appropriate corporate security policies and strategies, many people are simply using personal emails and mainstream cloud storage solutions to share sensitive corporate communications amongst family members. This is particularly prevalent in family businesses, where many family members do not actually work directly for the company. In this scenario, there is usually a reactive, incident-driven rather than a proactive, planned approach to security.
It is easy to see how, without centralised control, security concerns can spiral. Taking email as an example, information gets copied very quickly. If an email with an attachment is sent to ten people, each of whom syncs their email between a PC, a phone and a tablet, the document is already on potentially 30 devices. Information that is copied that quickly, onto that many devices, is hard to protect. Even simple email brings other security challenges, such as the lack of proof of delivery, the lack of authentication required to send and receive email, and the accidental forwarding of messages. It is easy to see how the ‘single source of truth’ for information can be lost.
As remote work keeps increasing and more technology is used, a strategic approach to security becomes ever more important: information has to be secured across a remote workforce, bearing in mind at all times that a company is only as secure as its weakest link.
So, where can companies start, particularly in multigenerational family businesses where family members can span huge geographies, age ranges and degrees of involvement with the business? The key need is to work out how to organise and prioritise the security practice in the organisation: understanding what practical policies can be put in place, and clarifying the root causes of security breaches so that they are taken into account. Prioritisation matters more than budget, because regardless of how much budget is available, without prioritisation there is no clarity on how to actually spend it. Gaining this clarity on how best to invest security budget, time and resources not only delivers the most benefit and value, but also helps manage stakeholder expectations, which are often of particular concern in family businesses.
Practical guidelines for prioritisation and organisation of security cover four key areas: policy, accountability, risks and education.
Policy means ascertaining the details of the basic measures for the organisation and its stakeholders, and asking the relevant questions. What security measures are essential, such as two-factor authentication as a minimum, and how can they be enforced for everyone? Does writing down the policy make it enforceable? The business case behind potential incidents should be borne in mind, and incident responses should be tailored with respect to business continuity. For example, a power outage that makes all systems unusable may impact operations but is not as relevant to security as, for example, a lost password for a key family member. In that case, what policies are in place for the team’s response, and what happens out of office hours? Security measures should be kept practical, starting with the business case of making sure that data stays within the realm of the people who should have access to it.
Accountability is not about blame. Rather, it is about making sure that someone is responsible for leading the security effort, managing the security team and delivering the security function. Particularly when starting out, rather than focusing solely on high-level, long-term objectives, the priority should be to actually deliver the functions and processes that matter most, such as responsiveness and communications. Security is a constantly moving target, and getting bogged down in defining objectives in the short term risks failing to notice what is changing. However, once the team is established and the overall security processes are working, longer-term objectives can play a larger role.
Risks need to be understood in terms of not just which devices or what ‘information buckets’ might be compromised, but also other organisational risks such as the risk of attrition. It is useful to establish, maintain and keep revisiting a risk register, which should be developed collaboratively with stakeholders and take into account impact, probability and timelines when prioritising security activities.
Education is based on the fact that security is only as strong as the weakest link. An education plan does not have to be a formal training programme; it could include open discussion, simulation exercises, or onboarding and offboarding policies that instil watchfulness among employees and family members. Education can start with employees in sensitive positions and build outwards from there, making sure that everyone is aware of their roles and responsibilities and of the measures in place to protect and secure company information. Only in this way can the organisation as a whole be strong.
Understanding the root causes of security breaches is instrumental to designing and implementing the practical guidelines needed. There are three key causes:
- People, with human error accounting for just under a quarter of breaches
- Technology, with malicious attack contributing to just over half of security incidents
- Processes, accounting for the remaining quarter of breaches
Each of these elements can be broken down into a checklist to ascertain where security can be an issue and how this can be taken into account when developing security guidelines.
With regard to people, it is important to keep coming back to the fact that security is only as good as the weakest link, and that it is not just the security team that keeps the organisation secure, but every member of the family business. Many of the people issues to consider contribute directly to the accountability and education aspects of the practical guidelines above. Who is accountable for security? How is education assured for the family, the business as a whole, and affiliates in the broader market, such as customers, partners and suppliers? Clear onboarding and offboarding procedures are among the most essential security measures, making sure that people assimilate the security practices of the organisation upon entry and are debriefed upon exit. In between, investment in the education of people, through training and retraining, is essential. Finally, there needs to be a method for communicating with the security team, alerting it to issues and escalating them as appropriate. This way, every person in the organisation feels some personal responsibility and individual ownership of security, which benefits the organisation as a whole.
Technology is the largest cause of security issues. The approach to technology will vary between organisations, and should take into account issues such as the need for firewalls and other defence mechanisms, mobile device management policies and their enforcement, rules for interactions between devices, and credential management. Technology choices are limitless, and this is where experts are essential. What is needed is technology implementation that is appropriate to the organisation, its risk profile, and its incident response policies, together with continual monitoring and revisiting of how the technology is doing its job as the company and the wider world evolve. The rigorous approach to technology should also extend to regular reviews and audits of the defences and processes of suppliers and other external agencies the family business deals with.
Processes are the third root cause of security breaches, linked to failures in credential management, incident escalation and incident response. Clear, documented processes are essential for successful security guidelines and policies. Systems and processes should be rigorously tested and monitored, in line with a system of continuous improvement, to make sure that they always remain fit for purpose as threat vectors continue to evolve. Before adding to current processes, those processes themselves should be improved.
Upon establishing a thorough understanding of the key practical guidelines for prioritising and organising security, and of the root causes of security issues that need to be taken into account, two further factors are required for successful security implementation. Firstly, someone needs to actually be in charge. It is not necessarily a full-time job, but someone needs to own it, be the key person communicating with the rest of the organisation, and take responsibility for execution. Secondly, a budget needs to be allocated. As well as education and training, budget needs to be assigned to the tools and technology required for security that is fit for purpose. Beyond the everyday security needs of the organisation, multigenerational family businesses benefit from technology platforms that support their specific requirements, including governance across a multigenerational and often geographically dispersed family. The best such platforms incorporate security mechanisms that fit with the overarching corporate security policies, supporting family governance measures such as confidentiality, integrity and compliance in a secure and trusted manner.
Security can be a minefield, but like every other business issue it can be approached in a structured, rigorous manner: understand how problems can, do and will occur; develop a structure for the guidelines that will help you prioritise and organise security; and assign a named person and a budget to the issue. Then implement and execute, assess and measure, and continuously improve as the organisation evolves, so that your security framework keeps pace with the continued success and evolution of your family business.