Cybersecurity

Cybercriminals think you’re an easy target. Prove them wrong

No one likes to manage dozens or even hundreds of ever-changing passwords. No surprise, then, that one frustrated private equity chief operating officer (COO) simply refused. Instead, he used a single password for most of his accounts, both personal and professional.

What happened next should come as no surprise, either: In a hack unrelated to his work, cybercriminals captured his password. Then they used that password to breach the COO’s personal email, work email and eventually his entire company.

Cue ransomware attack. The firm’s environment was shut down, and employees were unable to work for weeks. Not to mention the financial and reputational costs. Accepting a small personal inconvenience upfront could have prevented the breach and its ripple effects.

Preventing cyberattacks goes beyond implementing appropriate security technology. Your business, including your people and your processes, may be vulnerable as well. Often, cybercriminals are looking for footholds in your devices, where they can sit quietly, gather information and learn how you operate before launching a larger attack.

Many families with significant wealth, businesses and family offices find themselves largely unprepared.

A sophisticated crime landscape

Cyberattacks, automated bots, AI deepfakes, supply chain software vulnerabilities, ransomware—today’s cybercrime landscape is much more sophisticated than it was just a few years ago. This is true for businesses of all sizes, not just the large organizations whose cyberbreaches make the news.

In fact, 75% of cyberattacks target small and medium businesses [1]. That’s partly because they lack the robust defenses of larger organizations, and partly because many business owners mistakenly believe being in the cloud ensures security. Once a cybercriminal gains access to an organization, they’ll attempt to move laterally in an effort to extract valuable data and generally wreak havoc.

Finding an easy target

High-net-worth individuals and families, investment offices, family offices and private businesses are particularly attractive targets for cybercriminals due to their perceived wealth, significant resources and extensive digital footprints. In our 2024 Global Family Office Report, 24% of family office respondents said they had been victims of cyberattacks. Of family offices with more than USD 1 billion in assets, 40% said they had suffered a breach.

Yet our research finds family offices are largely unprepared. Only 39% require staff to undergo cybersafety training, and only 34% have hired a cyberdefense provider [2]. Nearly a quarter—23%—have no cyber protections in place.

Like other crooks, thieves and burglars, cybercriminals look for the weak link. Often, that’s people. Hackers use social engineering in all its forms—email and text phishing, QR code manipulation and voice manipulation—to seize information that would otherwise be protected. Maintain a skeptical mindset toward any request for money or information about your organization, and verify any request via another channel.

Making sure AI works for—not against—you

While artificial intelligence (AI) can provide efficient productivity gains, it can also present security risks.

AI platforms and tools can retain everything you input. This makes it crucial to implement guardrails that will safeguard business data and personal data. If you’re utilizing a public AI tool to read and review resumes and not using an enterprise license, every piece of that data read (names, addresses and other potentially proprietary information) is being ingested into a Large Language Model (LLM) platform that you do not control.

To be cybersafe with AI:

  • Use a separate email dedicated for use just with the AI tool. If you are using a public tool, don’t use the same email for the tool that you use with your bank, or for other sensitive information.
  • Ensure that all requests are verified via two channels of communication, such as video, calls and/or text messages. If AI is used to create a persuasive deepfake, it can potentially deceive someone into providing sensitive information or authorizing a transaction.
  • It’s particularly important to examine payment processes and protocols to understand if they could withstand an AI-powered social engineering attack. Be proactive and vigilant as AI tools quickly mature and are introduced in the workplace. Even junior staff should be empowered to question a sensitive request and validate via an alternate form of communication.

Assessing and enhancing cyber readiness

There’s no foolproof way to protect your business from cybercriminals. But there are steps every business owner, high-net-worth individual and family office can take to mitigate risk, and to limit damage should a breach occur.

  • Engage the professionals

    If you’re not a cybersecurity expert, don’t try to navigate the complex cyber landscape on your own. Instead, engage experts and trusted professionals to evaluate and establish cybersecurity controls across your organization’s people, processes and technology. Even if you’ve engaged professionals in the past, maintenance is important to ensure that your defenses stay robust and up-to-date.
  • Do a cyber assessment

    Consider starting with a comprehensive cyber assessment by a reputable firm. An assessment will highlight specific vulnerabilities, allowing you to prioritize the most important ones and address them effectively.

    A thorough assessment identifies potential weaknesses through network testing, physical access checks and social engineering evaluations.
  • Train staff and family

    Educate your staff on potential vulnerabilities, such as phishing (emails, texts, QR codes and phone calls), fraudulent payment requests and other methods cybercriminals use to gain access to information or money. A culture of vigilance will reduce the risk of compromise.

    Family members need to be educated as well. If a family member is old enough to have a social media account, they’re old enough to be educated on its use. Teens, in particular, need to be coached not to share in a way that reveals too much about the family’s activities and location. It’s exciting that the family went on a great trip, but tell the world about it once you’re home.
  • Multi-factor authentication (MFA)

    Multi-factor authentication is a small inconvenience, but it’s much less trouble than a ransomware or extortion attack. It is also one of the strongest layers of defense available to individuals and to businesses. Use it wherever possible, both personally and professionally, and especially to protect critical data and remote log-ins. Bonus points: The use of MFA may even reduce your cyber insurance rates.
  • Control access

    Adopt a “need to know” access policy throughout your organization so that only the people, applications and tools that absolutely need specific information have access to it.

    Access policies aren’t about trusting (or distrusting) employees. They’re about limiting damage in the event someone breaks into your systems by using an employee’s credentials, in essence by impersonating them.

Given the rapidly changing landscape of cyberthreats and their increasing severity, it’s far better to invest a modest amount in an assessment and prevention than to pay an exorbitant amount—in cash, reputation and headaches—in a ransomware or extortion attack that could have been avoided.

We can help

Protecting your assets and your information is our priority. J.P. Morgan is committed to providing safe, resilient services to our clients and partners within an ever-evolving threat landscape. For more information and resources to better secure yourself, your family and your business, please contact your J.P. Morgan team.

[1] The 2024 Sophos Threat Report (https://news.sophos.com/en-us/2024/03/12/2024-sophos-threat-report).

[2] 2024 Global Family Office Report, J.P. Morgan Private Bank, April 2024.
