Cybersecurity Basics in the Family Office
For many family offices—especially the smaller ones—the thought of spending tens of thousands of dollars on one key element of cybersecurity, penetration testing, is a daunting prospect.
Though certainly helpful, penetration testing is often overkill for many offices. A better approach may be to start with a vulnerability scan.
The terms “vulnerability scan” and “penetration testing” are frequently confused or incorrectly used interchangeably. While a vulnerability scan identifies and reports potential vulnerabilities, a penetration test also attempts to exploit both the technical vulnerabilities and the human element in order to determine whether unauthorized access to a family office network is possible. Offices can run vulnerability scans on a more regular basis because they are more affordable (typically in the low hundreds of dollars and maybe less for ongoing testing). The scans can analyze your network and provide a detailed vulnerability report, including recommendations on how to fix the problems that have been uncovered. And while penetration testing is the more thorough test, an optimized vulnerability assessment can be a sound choice, as offices can run one quarterly or monthly and still spend less than they would on one penetration test.
Of course, cybersecurity is a critical issue for family offices, and something like a vulnerability test is just one element in the comprehensive approach every office should have. Another is training—arguably the easiest aspect of cybersecurity to maintain in a family office, but sadly all too often overlooked. Many family offices simply don’t spend enough time or money training their IT staff or their users (including family members) about potential tech threats.
For end users, there are a number of online courses that can train them on everything from managing emails and passwords, to privacy and data protection, to social media basics. For an office’s IT staff, training should help ensure they are up to date on all the newest threats and solutions. I recently came across a family office that had been struck by a virus that would “encrypt” people’s files and then require them to pay a sort of “ransom” in order to decrypt them. A security firm has since developed a way to decrypt the files for free, but if an IT person were not aware of this development, the family could (and, in the case of the family I spoke with, did) wind up caving and paying the hackers.
Cybersecurity training should be an ongoing process—typically, at large companies, users will take a refresher course as often as once a month just to keep these issues at the forefront of their minds.
For more information on cybersecurity and the family office, I recommend my webinar “Before the Data Breach: Planning Ahead to Minimize Risk,” which you may view on-demand on the FOX website. These are also the types of issues we address in our Technology Operations and Data Security Network (TODS). Members can enroll in this Network by speaking with their FOX Relationship Manager, while non-members can learn more by emailing us here.