Today, few organizations are immune to cyberattacks. Family offices and small businesses are no exception.

Increasingly, small organizations are being targeted with the same phishing, malware and ransomware attacks that each year cost bigger businesses trillions of dollars in losses.1 It’s therefore essential for them to develop robust cybersecurity controls and have a well-thought-out recovery plan in place—hopefully before a cyber breach occurs.

A cautionary tale

Cybersecurity for a family office client that was managing investments, real estate properties and day-to-day finances for several generations of one family, primarily depended on weekly backups of data and systems—plus incremental backups every night. The office team believed this two-pronged strategy would allow them to recover data from many different points in time if a problem ever arose.

Unfortunately, a ransomware attack quickly revealed the flaws in this approach: All of the office’s day-to-day systems as well as its backups were stored on the same network.

Hackers were able to gain control of all of the office’s systems and information, and demanded a ransom of $500,000. Initially, the family declined to pay the ransom, hoping to find a workaround. But after a 10-day shutdown of the office, they paid the ransom to restore their systems.

Steps to take now

J.P. Morgan’s cybersecurity specialists can help you develop, test and execute resiliency plans in the event of a cyberattack. Here are some of their recommendations to help you get started:

Manage people and processes

  • Put an employee training program in place—Many cyberattacks start with phishing or malware. Teach your employees how to identify and report suspicious emails or other online activities. Periodically, test their knowledge and skills.
  • Limit employees’ internet access from company-owned devices—Reducing the number of sites employees can visit can reduce the likelihood of malware being introduced into your operations.
  • Add an advanced spam-filtering service to your operations—A spam filter can help you identify and block phishing emails and reduce the likelihood of someone on your staff responding to a spoofed email domain. Even better: Opt for a spam filter that includes these features:
    • URL rewriting—Analyzes links sent in emails and blocks users from accessing potentially malicious websites.
    • Attachment sandboxing—Automatically opens and scans files attached to incoming emails to detect if malware or viruses are hidden in them.
    • Email impersonation detection—Helps identify if a sender is attempting to impersonate a colleague’s or business partner’s email account.
  • Install system patches and software updates as soon as they become available—Prioritize patching efforts according to:
    • The types of data contained in a given system.
    • Their degree of importance to your overall operations.
    • The likelihood of the patches themselves disrupting business operations.

Have a backup plan

  • Create multiple data backups—To restore systems in the wake of a cyberattack, consider storing copies on cloud services or completely offline.
  • Conduct a business impact analysis—Assess the potential consequences of a cyberattack on your operations as well as on your recovery strategy. For example:
    • Could your business operate offline if no online systems are available?
    • How would you make crucial payments?
    • Which systems would need to be recovered first?
    • Who inside the organization would make critical decisions?
    • What outside parties (partners, regulators, press, customers/clients) would need to be notified if a cyberbreach occurred?

Don’t go at it alone

  • Develop a relationship with a cyber-resiliency partner before an incident occurs—A partnership with a digital forensics and incident response firm, for example, can help you mitigate the impact of an attack and reduce the amount of time it takes to recover.
  • Supplement your recovery plans with a cybersecurity insurance policy—This can help defray a portion of the losses you may incur.
  • Test the strength of your system security—Have an IT and security provider assess the strength of your cyber protections and implement more robust controls and technologies, if needed.

Document and practice

  • Create a playbook—Take the time to map a clear path to recovering from a cyberattack.
  • Conduct regular reviews—Practice and update your resiliency plans on a regular basis to ensure they will be executed successfully in the event of an incident.

We can help

J.P. Morgan is committed to providing safe, resilient services to our clients and partners within an ever-evolving threat landscape. To learn more about protecting your business and yourself from cybercriminals, please contact your J.P. Morgan team.


1.Damages from cybercrime are expected to hit $6 trillion in 2022, doubling since 2015, according to a recent study by Black Fog.


This information is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from cyber fraud. It does not provide a comprehensive listing of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices. You, your company or organization is responsible for determining how to best protect itself against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs.