This section is by PBY Capital

AI is a growing cybersecurity threat. Here’s how to fight back

As AI deepfakes get more sophisticated, the best defence might be the good old-fashioned face-to-face

Artificial intelligence was inarguably the market story of 2024. But as much as the potential of this rapidly evolving suite of technologies has padded investor portfolios, AI also has a darker side when it comes to cybersecurity. So-called deepfakes in text, audio and video—which can be generated with AI from mere snippets of data—are becoming powerful new weapons in the arsenals of threat actors. 

DeepCove’s Mike Krygier

As I wrote in a recent commentary, family offices and high-net-worth families are prime targets. AI is making it easier for cyber criminals to play offence. But how can family offices play defence? 

The good news is that the cybersecurity industry is working on solutions that will undoubtedly prove effective in identifying and combatting AI-generated attacks. The bad news? Those technological solutions are still largely works in progress, and the most advanced of them are currently feasible only for very large enterprises. There are a lot of ideas—for instance, watermark technologies that validate communications as authentic, or AI deepfake detection technologies that can help distinguish legitimate video, audio or text from fakes. But the day when anti-deepfake tech is widely available and effective is still some ways away. 

As it stands, “this is absolutely an arms race,” as my colleague Bruce Watson, an expert on AI who sits on several high-level global commissions, puts it. And the bad guys, at least for now, are in the lead.

That does not mean, however, that family offices are helpless in the face of AI-enabled cyberattacks. Technologically, they may be at a disadvantage, but there are concrete strategies and best practices available to establish a layered defence.

Take stock of your digital “life.”

Unless you have been living completely off the grid for the past decade or so, your use of connected technologies—your smartphone, your laptop, even your home appliances—has generated reams of data about your habits, your location, your finances, your family members, your friends, your buying preferences, and on and on. Even if you think you leave a minimal online trace, don’t let that lull you into a false sense of security. “Some people might have the luxury of having absolutely no digital presence, but they shouldn’t rely on that as a defence,” Bruce says. “There’s always the possibility someone captured an audio clip of you speaking somewhere, or looked over your shoulder on the airplane, or secretly recorded a private meeting.”

For threat actors, who can use AI to create a convincing text, audio or video likeness of a real person from even the smallest bit of information, this data represents a potential treasure trove. Understanding and assessing your digital footprint is a critical first step in addressing this risk. 

For most people, however, that’s not an easy thing to do on their own. At DeepCove, we can undertake a comprehensive audit of a client’s digital presence. That includes not only social media and other online platforms, but also an in-depth examination of data-broker databases and harder-to-find data, like court filings and regulatory documents. We can also search the dark web, a secretive network of Internet sites not visible to the public or accessible through standard search engines. Threat actors have formed a clandestine market in confidential information—passwords, financial information, malicious software and so on—on the dark web, buying and selling it to either realize a profit or to support future attacks.

This taking-stock of a client’s digital “life” allows for insights into their risk and threat posture. It can also help identify potential adversaries and competitors who could leverage data to conduct attacks. Next steps might be as simple as changing passwords, activating multi-factor authentication of online accounts or adopting social media best practices. Or they might be more involved, such as acquiring sensitive data (through legal means) and purging it from the dark web (at least temporarily).

Practise good social media hygiene.

Social media has become an intrinsic part of life for many of us, and not just the younger generation. But when we share our messages, photos and videos with online friends, we may also be sharing with threat actors, and social media data can be rich fodder for cyber criminals.

The most effective way to address this threat is to not participate in social media at all. That can be a very tough conversation to have with family members, who mostly just want to live their lives and do what they like to do. But short of banning social media, there are levels of risk mitigation that can help. 

Having clear social media protocols for the family and/or family office is one level. Do you require multi-factor authentication for all social media sites? Are passwords updated regularly? Do you limit the types of data that family members/employees share? 

A next step would be to avoid using the higher-risk social media platforms. For instance, TikTok has come under sharp regulatory and governmental scrutiny for its poor security and confidentiality protocols, as well as its ties to China. If the kids simply refuse to uninstall it, then one approach may be to have a safety-encircled device that is only for TikTok—no financial transactions, no e-mail, no other apps. You want to watch TikTok? Then you can do it on this device and only this device, and it does not touch anything else.

Prioritize face-to-face interactions.

Some wealthy families were secretive long before the Internet came along, but for most families, becoming a hermit—digitally and physically—is neither feasible nor appealing. People have public presences. They sit on boards. They participate in philanthropy and community events. They run companies. Striking the right balance between privacy and public engagement is an increasingly delicate challenge.

From a security perspective, I think the current issues around AI and other cyber threats should lead families and family offices to become more mindful of the purpose of their interactions. Do you really need to be on that videoconference? Can someone else handle that call with a counterparty you’ve never met before? If the answer is yes, you need to be there, then consider whether the meeting can be conducted in person rather than through technology. When an interaction is complex or potentially impactful enough for you to be part of it, then doing it physically instead of digitally may be the safer option. 

So, hop on that plane or book that lunch. At least then you will know that you will be communicating with a real human being. In an era when digital communication in any format can be hard to trust, the in-person meeting is becoming increasingly valuable as a simple, low-tech approach to mitigating cybersecurity risk.

One last note: if these comments about AI-enabled threats have you thinking that I’m some kind of AI doom-and-gloomer—well, I’m not. On the contrary, I’m quite optimistic about the development of effective cybersecurity technologies and about the potential positive impacts of artificial intelligence for family offices. In a subsequent commentary, I’ll explain why.

Mike Krygier is CEO of DeepCove Cybersecurity, based in Toronto, which he founded in 2022 with the goal of providing industry-leading solutions to organizations in need of cybersecurity. With over two decades of experience in cybersecurity, Mike has held multiple leadership roles throughout the private and public sector, including at Google, New York City Cyber Command, and Mandiant. Mike holds an M.Sc. in Information Security from the University of London, Royal Holloway, along with various industry certifications.
