The management of risk is essential to the human experience. We do it every day, to greater and lesser degrees; planning travel, investing in businesses, crossing the road. Most of our essential life decisions involve at least a degree of risk and while these can be managed, they can rarely be eliminated entirely.
For families who may be targets for attempted fraud, extortion or, in extreme cases, personal security risks such as kidnapping, mitigation begins with consciousness of the risks and having the right underlying protections in place.
Writing in issue 73 of CampdenFB earlier this year, John Chase and Brittany Damora drew on their first-hand experience of kidnap, ransom and extortion to explain how to prepare for and weather such events: familiarise yourself with your local risks, insure appropriately, engage with specialist advisors as necessary, and – crucially – protect your privacy and that of your family before, during, and after an event.
Privacy, however, is not a fixed point and while most of us would unequivocally place a value on privacy the manner in which this is expressed can be highly personal.
Gabriel García Márquez famously wrote that all human beings have three lives: public, private and secret.
However, living in an age of intense online activity – where communication, connectivity and personal exposure are tightly bound – it is clear that different people put different actions, activities and even photos in each of these three categories.
Even within families tastes will vary, meaning one family member with a propensity to post prolifically can unintentionally undermine the privacy and security of the whole.
While millennials are often accused of loose living online it would be reductive to describe this variability purely in generational terms.
In my experience, a doting grandparent unintentionally ‘checking in’ to locations on social media can overshare just as easily as a teenager keen to connect with peers.
The reality is that few people really know how they look to a third party online.
According to recent research conducted by Schillings and Campden Research on how family offices and their principals approach privacy and cyber security, 51% of respondents have never audited, or are unsure if they have audited their public profile online.
Under these circumstances – and given that social media and online monitoring has substantively replaced human intelligence as the means by which extortionists target their victims – families looking to maintain awareness and control of their privacy are increasingly seeking to develop family privacy plans which complement investment in their physical and cyber security.
This begins with a few disconcerting, but necessary questions:
• Who is sharing information about me?
While people often assume that the only information about them in the public domain is information they consent to share, this is rarely the case. Family, friends and other third parties frequently give away details on locations, habits and personal preferences that could be used to undermine security or front a social engineering attack.
• What can a reasonably skilled, motivated person discover about me?
What publicly available documents could a malicious actor find if they knew where to look – and what would these reveal? Frequently families who spend heavily on security and privacy in some respects have blind spots such as planning permissions, which often detail the full layout of a private residence – up to and including fine points such as the location of safes.
• What dots could be connected to undermine my security and that of my family?
Sometimes people who are diligent about protecting certain details – such as a home address or a child’s school – are unintentionally giving away more than they think.
An attacker will seek to build links, so a social media photo including a school uniform, or a property held by a trustee who has been publicly associated with the family can be a giveaway.
This dovetails with family investment in cyber security and is, arguably, part of any robust cyber plan, given that the most common cyber attacks now involve an element of social engineering or manipulation of the target.
Maintaining an awareness of what personal information might surface – and how – is an increasingly essential element of managing the risks associated with exposure online.
Lily Kennett is director of intelligence at Schillings -an international issues and crisis law firm specialising in privacy, security and reputation consultancy.