How Cyber-Secure is your Family Enterprise? A special report for clients of PANGEA Private Family Offices with Anwar Visram, CEO of Visram Security.

1. 1 Summer 2014
Special
Report
Helping global families flourish for generations.
A Special Report for Clients of PANGEA Private Family Offices with Anwar Visram, CEO of Visram Security.
How cyber-secure is your family enterprise?
For private client use only

2. “
information being leaked from an unknown source. After many
weeks of investigation, it was determined that the source of the
leak was none other than Steve’s own laptop.
”

3. Who are the Targets?
Private wealth management, Family Offices, accounting and many
other firms that have access to private and confidential information
of the high net worth clients are increasingly being targeted.
These businesses may be small in terms of the number of
employees they have, but their clients have billions of dollars
in assets, making them a large target.
Small businesses and high net worth families are particularly
prone to these types of attacks. In case you are wondering,
I group high net worth families with small businesses because
many of these families operate like a small business as they have
many people directly involved in their lives, from lawyers and
image consultants to assistants and cleaning staff. Your family
may not be a business per se, but you are still vulnerable.
Why are small businesses and high net worth families particularly
prone to cyber-attacks? Because very few businesses and families
have worked with a Reputation and Security Strategist that would
assist them in understanding all the risks they may be exposed to.
Not knowing the risks, most small businesses and families use the
very basic cyber- security protection, e.g., anti-virus or firewalls.
They rarely have awareness training on the do’s and don’ts of
cyber-safety. They employ weak password protection mechanisms
and expose sensitive data without even knowing it. These are
just a few examples of common cyber-protection behaviours that
people think are sufficient to prevent cyber-attacks. In truth, small
businesses are often unprepared for cyber-attacks because they
don’t put the resources into protecting themselves.
Who are the Perpetrators?
As the types of cyber-threats evolve and become more
sophisticated, so do the types of cyber-criminals or “actors”.
Among many actors in the cyber-crime space, the main four are:
1. Petty Criminal – Generally not well-funded or organized.
They just want to get in and out so they can sell what they
stole for money.
2. Hackavist/Cyber-Terrorist – Not well-funded but well-
organized. They set up political campaigns and target specific
companies, organizations, or governments. A well-known e
xample of such an actor is the hacker group Anonymous, who
targeted financial companies because the group believed the
companies were responsible for the 2008 financial crisis.
3. Organized Crime – Well-organized and well-funded. They
use a variety of malware such as viruses, Trojans, ransomware
and botnets. These programs can infiltrate your computer,
corrupt it, and leave it vulnerable to future attacks. Financial
gain is the purpose of such attacks.
4. State-Sponsored Attackers – Elite hackers and hacker
groups hired by governments to steal state secrets and
other sensitive information or inflict damage on the internal
systems. They may also perform corporate espionage, or steal
confidential information and intellectual property to assist
“friendly” companies. You may remember the highly publicized
“Stuxnet” attack against Iran’s nuclear facility an example.
ANWAR VISRAM
A Leading Canadian Reputation & Security
Strategist, Anwar is CEO of Visram Security.
He specializes in assisting high net worth families
& private wealth management firms to protect
themselves from the rapidly growing cyber threat.
Questions for Anwar can be e-mailed to:
thought.leadership@pangeafamilyoffices.com
How cyber-secure
is your family enterprise?
Even wealth services providers are concerned about cyber-attacks
to access private client information.
You may think to yourself that this was just an isolated incident
and that this would never happen to you. Unfortunately, that is
precisely what Steve believed before this happened to Steve and
his law firm.
If this little anecdote didn’t raise an internal alarm in you,
consider the following statistics.
Cyber-attacks in Numbers
Last year was an epic year for global data breaches as cyber-
criminals were busy stealing private and confidential client
information. It broke 2011’s record for the number of pieces
of information exposed by 200%.
In Canada, it is estimated that there were seven million cyber
-victims last year. If you exclude children under the age of fourteen
that means one in four Canadians was a victim of a cyber-crime!
Bear in mind, these numbers only represent cyber-attacks that
have been reported. There are many more thousands of cyber-
attacks that go unreported each year, very much like the one
that involved Steve’s firm.
Unlike in the years gone by when cyber-criminals looked to
make headlines, modern cyber-criminals prefer to work in “stealth”
mode. In fact, most cyber-breaches go unidentified for weeks,
months, or even years. Undetected, cyber-thieves can cause great
damage to their high net worth targets because they can exploit
the same security weaknesses and continue stealing valuable
information over and over again.
| PANGEA Private Family Offices
In 2013 alone, 822 million
records were exposed in
2,154 separate incidents and the
top three countries targeted
by cyber-criminals were the US,
United Kingdom, and Canada.1
www.pangeagamilyoffices.com Page 2 of 5
TM

4. When the Marvels of Tecnology Backfire
Not only do we now have a variety of cyber-perpetrators, but
we also have a greater number of ways in which security can be
breached and your information can be stolen.
Do you, or someone you know, use a security company to
monitor the security of your home? You would probably never
think that such a service may present a cyber-security risk for you,
but you might change your mind after reading the following story.
I was speaking with an owner of a company that specializes in
environmental controls, home entertainment, and physical
security systems for the homes of high net worth clients. The
system that he was installing into these homes controls all the
features of the home: inside temperature, lighting, audio/video
media units, cameras, and electronic doors- luxury to be sure,
but one that could prove fatal.
The homeowners could access the system in three different
ways: from a single control panel within the home, over the
Internet using an Internet browser, or through a smartphone
app. Although the ease of access and the variety of options to
control the system delighted the customers of this home security
company, they had no idea what a terrible cyber-risk they were
exposed to!
Because the monitoring station is connected to all the clients
of this company, a breach at the monitoring station would result
in direct access to all of those clients. Criminals could monitor
their intended victim via the cameras for weeks, or even months,
undetected. At the opportune moment, they could disable
the alarm and open the doors for a perfect break-in, all via
the Internet.
I asked the owner of the company some basic questions, such
as what was in place to protect the customers from a cyber-at-
tack against the control system or if there was a way the system
would be able to monitor and alert the company if the security
system was breached? Unfortunately, he did not have a definite
response to these questions and many more. In fact, I don’t
believe he had even considered some of the risks we discussed.
The challenge of the modern day is that we have fantastic
technology that allows us to do amazing things, but it also
leaves us vulnerable, particularly in areas we least expect it.
Many companies are embracing newer and newer technology
to innovate their products, yet they aren’t aware of the potential
negative consequences of doing so. In order to weigh the
consequences of remaining in the dark, I ask you to consider
the real cost of security breaches.
The Real Costs of Security Breaches
One common misconception is that the security breach in and
of itself is the main problem. However, though the breach itself
is terrible, the real devastation occurs during the fallout, the time
after the breach has been discovered and when steps are being
taken to recover. This recovery process is often a long road to
walk and not all come out on top.
One of the primary impacts will be to the victim’s reputation.
As Warren Buffet correctly suggests, “It takes 20 years to build a
reputation and only five minutes to ruin it. If you think about that,
you’ll do things differently.” In addition, cyber-crime goes beyond
the irreparable damage to your family or a business reputation.
It often includes exposure of sensitive information, intellectual
property loss, cyber-espionage, identity theft, as well as losses
that impact third parties like friends, family, clients and customers.
You aren’t only putting yourself at risk-you endanger those close
to you, too.
Imagine for a moment your family was a victim of identity theft.
It would take criminals minutes to obtain your credit card
information and begin misusing your identity for their profit.
Before you finish drinking a cup of your morning coffee, they
could destroy your credit rating that took you decades to establish.
How do you think clients of Steve’s firm reacted when they were
informed of the breach to his law firm? If you were a client, would
you continue to work with his firm or would you be more likely to
find someone else? How many people would you tell about your
experience, further damaging the law firm’s reputation?
As a client, you would not want to receive the following letter,
which was sent out by one Wealth Management company after
a breach in their security, “We are writing to inform you about
a recent incident that may have involved personal information
about you. We recently discovered that, between February 21
and March, 6, 2013 , a server containing information about you
was accessed by an unauthorized third party. We deeply regret
that this incident occurred and take very seriously the security of
personal information.”2
Not convinced of the potential damaged to be done? Statistics
show that “nearly 60 percent of small businesses will close within
six months of a cyber-attack”. 3
The reason for the shutdowns is
more than the cleanup costs, which can vary between hundreds
of thousands to millions of dollars. It’s the fact that many current
clients will walk away and potential clients will find someone else
more “trustworthy” to deal with.
The Silver Lining
Now that you know just how vulnerable you might be to a
security attack, you might be wondering how you can possibly
prevent those attacks. If anti-virus and firewall software is not
enough, what can protect you?
“It takes 20 years to
build a reputation and only
If you think about that, you’ll
do things differently.
”
www.pangeafamilyoffices.com Page 3 of 5

5. 29
Although there is no foolproof process or technology that will
prevent a determined cyber-criminal from breaking in, most
cyber-breaches are actually preventable. They are the result of
someone on the inside – yourself, a staff member, or someone
working for a company you hired – clicking a link, opening an
attachment, installing some software, or otherwise doing some-
thing that rolls out the red carpet to invite the cyber-criminal
in, completely bypassing any security you may have in place to
protect your information. However, with some awareness training,
changes in behavior, and implementation of secure technology,
you can reduce the risk of a cyber-attack and, therefore, protect
your reputation, privacy, family, business, and finances.
The ABTs of Cyber Safety for High
Net Worth Families
Imagine that you are driving on a particularly cold day, and all
the roads are icy. Would it be safe to take corners at 100 km/hr?
No, because you are aware that you will likely end up in the ditch
or perhaps worse. Therefore, you adjust your behavior to drive
much slower. Certainly, you can equip your car with better tires
and brakes, but it is unlikely that the technology will prevent you
from crashing your car if you also don’t adjust your behaviour to
match the conditions.
The same goes for cyber-security. If you understand your
environment, including what technology can and can’t do for
you and how your behaviour impacts your environment, you
will adjust your behaviour and your technology choices
accordingly.
As such, it is my conviction that both the strongest and the
weakest link in any type of security is us, humans. We can often
make mistakes, but given enough information, we will make
the “right” decision the majority of the time. For that reason,
educating you as my client is a core component of how I take
care of you. I do it through what I call the “ABTs of Cyber Safety”.
Awareness
The first step to cyber-safety is awareness training that covers all
the relevant areas for your family. Here, it is important to review
the possible consequences of typical risky behaviours such as
using easy-to-guess password, ignoring PC and smartphone
software updates, or not encrypting sensitive information in
to raise the likelihood of you adopting new, safer ones.
Once you understand why it is important to use different pass-
words for different accounts and devices, be it smartphones or
other systems, you are more likely to do it. The same goes for
understanding why it is important to be cautious when clicking
on links, opening attachments, and installing apps on your
smartphones or computers. Once you know that the link
advertising a new weight-loss technique could be the potential
downfall of all that you worked to achieve in your business and
family, you will think twice before clicking.
Social media is becoming an important way in which many
families communicate and express themselves. However, posting
pictures of your children, sharing when you are away from home
for holidays or business trips, or listing personal information
like birthdates can all be used against you by cyber-criminals.
Understanding these risks and being more cautious about what
information you share about yourself and your family can reduce
your exposure to a cyber-attack.
Behavior
Once everyone is on the same page as far as understanding the
cyber-risks to your family, I help you begin to implement what
was learnt in the awareness section.
The new behaviours may include:
• using unique passwords for websites and systems
• adding passwords where there were none,
e.g, on smartphones
• deleting emails and links that come from unknown sources
• appropriately researching apps before installing them
• removing and not posting any personal or private information
about you and your family on social media
As this relates to the previous metaphor, this is where we begin
to slow down and drive much more safely. If you anticipate the
curves in the road ahead, you would avoid being thrown off
when one comes.
Technology
Buying and implementing technology has often been the gut
reaction for most people to solve a problem. The challenge is
that we become reliant on the technology to keep us safe.
We then engage in risky online behavior and falsely believe
our security software will keep us safe.
Unfortunately, this is far from the truth as the number of cyber
breaches and their victims continues to grow at an astronomical
level. Just like having better tires and brakes would not save
you from a sure accident on an icy road if you are making a
sharp turn travelling at 100 km/hr, having tech gadgets will
not save you from a cyber-attack if you are engaging in online
risky behaviour.
Instead, security technology should be just another layer in the
“onion” of cyber-protection. However, before going out and
purchasing the latest security software that is touted to be the
ultimate protection against cyber-security, I recommend reviewing
your existing systems. It goes for both security (e.g., anti-virus,
firewalls, etc.) and non-security (e.g., desktops, smartphones, etc.)
systems. When it comes to social media, adjusting your privacy
settings to limit who can access the information that you do post
and ensuring that you use some of the enhanced security fea-
tures will help prevent hackers from easily taking over your social
media accounts.
By taking these simple steps to improve the security of those
simple systems, you can reduce the cyber-security risk in some
cases by as much as 80% within days, if not hours.
www.pangeafamilyoffices.com Page 4 of 5

6. www.pangeafamilyoffices.com Page 5 of 5
30
6 Practical Steps to Protect your Business from
Cyber-criminals
I strongly believe that implementing simple and easy cyber-
security protection mechanisms are the best way in which
small businesses can protect themselves. It ensures a greater
level of success over solutions that are too complex or difficult
to implement. For this reason, I advocate easy-to-learn and
simple-to-implement solutions that allow my clients to gradually
ease into taking cyber-security measures, one step at a time.
1. Strategy
Step one is always building a strategy. It involves having an
understanding of what major cyber-risks face your business and
planning simple and easy strategies to remediate those issues.
2. Awareness Training
This is the most critical step businesses can take in protecting
themselves from the cyber-security threat. This training would
include assisting you in learning techniques that will help you
protect yourself from the common attacks that cyber-criminals
are using via smartphones, email, internet, social media, etc.
This includes the creation of a simple cyber acceptable use and
awareness policy that every member of the business reads, gets
training on, and signs to ensure understanding and compliance.
3. Critical Asset Classification and Protection
This phase concentrates on developing an understanding of
what your critical assets are (e.g., client databases, confidential
documents, financial information, intellectual property, emails,
passwords, etc.), where they are located, and what the conse-
quences would be if they were to fall into the hands of criminals
or otherwise unauthorized individuals. Because not all assets
have equal value, we develop a strategy on how to protect the
various types of assets. This may include stronger passwords,
encryption, relocating the assets to a more secure location, etc.,
depending on the asset.
However, non-technical controls are often overlooked and need
to be reviewed as well. It is important to know who has physical
and virtual (network) access to critical assets. For example, your
IT team may need to have access to your confidential documents
to back up your critical data, but the members of the IT team
should not be able to read those confidential documents.
4. Review of the Existing Security Software and Network
Appliances
Unfortunately, there are many assumptions when it comes
to security software, e.g., anti-virus, firewalls, etc. and network
appliances such as wireless routers, switches, printers, etc.
Below are examples of such assumptions:
• The security software is enabled on all systems
• The default configurations will protect you
• The security software and network appliances are up-to-date
I am often surprised to see how many businesses hold the above
assumptions and leave glaring holes in their security that would
take a few minutes to review and a few clicks to rectify.
5. User-Level Access
By default, almost all systems grant administrative access to
users. That means that anyone can install software, including
a virus, or remove security protections such as an anti-virus
program. This poses a serious risk to businesses.
By simply having separate log-ins for everyday use and for
administrative purposes, you can protect yourself from as much
as 95% of most viruses, Trojans, and other malware.
6. Removing High Risk Software
There are many examples of high risk software that often come
installed by default or end up being installed on our systems.
Many of these types of software riddled with holes. As I write
this article, software vulnerabilities in Java, Flash, and Adobe
Reader are the top three targets that cyber-criminals use to attack
their victims. They represent 66% of all Microsoft windows and
many Mac OS X software vulnerabilities.4
By simply removing
these programs from the systems that do not require them,
you remove a massive cyber-risk to your business.
The Verdict
The cyber-threat is continuously evolving. Cyber-criminals are
using smartphones, social media, and the Internet to monitor,
stock, and perform recon before launching an attack on their
victims with precision. Attacks include identify theft, financial
fraud, ransom, information theft for profit, and preparation for
physical attacks like burglary. Partnering with a Reputation and
Security Strategist will allow you to implement proactive solutions
to assist you in protecting yourself, your family, and your business
from a constantly changing cyber-threat landscape.
1
2013 Norton Report (http://www.symantec.com/content/en/us/about/
presskits/b-norton-report-2013.en_ca.pdf)
2
State of California Department of Justice – Office of the Attorney General
(http://oag.ca.gov/ecrime/databreach/reports/sb24-41702)
3
House Committee on Small Business (http://smallbusiness.house.gov/
news/documentsingle.aspx?DocumentID=325034)
4
http://www.tripwire.com/state-of-security/top-security-stories/
surprised-majority-systems-infected-via-adobe-java-exploits/
About the Author
Anwar’s experience spans over 20 years in Information Technology
with over 9 years in cyber security management and protection.
He has led security teams responsible for protecting multi-billion
dollar global financial companies from cyber attacks. Anwar has
been a keynote speaker at numerous events including the recent
Rogers Group Financial wealth management event in Vancouver.
He has also been featured in Business In Vancouver and
News Radio 1130AM.
Anwar tailors simple-to-understand and easy-to-implement
strategies that allow his clients to protect themselves from
the latest cyber threats.
Software vulnerabilities in Java, Flash, and
Adobe Reader are the top three targets that
cyber-criminals use to attack their victims

7. 31Spring 2014 31Spring 2014
Contents Copyright © 2015 by PANGEA Private Family Offices Inc.; may not be reprinted without written permission. PANGEA Private Family Offices Inc.
is a part of the PANGEA Global Wealth Group corporation. PANGEA Global Wealth Group is a Canadian controlled private corporation.
The information in this PANGEA Private Family Offices Special Report is for informational purposes only and is not intended to provide specific financial,
investment, tax, legal, accounting or other advice to you, and should not be acted or relied upon in that regard without seeking the advice of a professional.
Your advisor can help to ensure that your own circumstances have been properly considered and any action is taken on the latest available information.
PANGEA Private Family Offices does not make any express or implied warranties, representations, or endorsements with respect to the information, processes,
products or advertisements included in this publication. PANGEA Private Family Offices is foremost a private, family wealth strategy firm serving first and second
generation creators of significant wealth, and their children, with independent thinking that redefines their family wealth experience. We specialize in resolving
complex family wealth issues for global families with thoughtful guidance and insider perspective. Our purpose is to help global families flourish for generations.
Website: www.pangeafamilyoffices.com LinkedIn: PANGEA Private Family Offices Twitter: @PANGEAPrivateFO
Helping global families flourish for generations.