The blind spot in plain sight
The most likely source of a quiet loss in a family office is rarely a stranger overseas. It is more often someone with legitimate access — the estate manager, the executive assistant, the nanny, the contractor, the property manager — whose trusted position was never matched by deliberate controls. This is the household-staff blind spot, and handling it well is mostly a matter of quiet, even-handed administration. This is general information, not legal advice, and not a substitute for retained counsel or employment-law guidance for your jurisdiction. It is the deep version of one item in the broader family-office cybersecurity risks overview.
Insider risk is mostly access, not malice
CISA frames insider threat as a spectrum — from unintentional negligence to deliberate harm — and the useful insight is that the controls are largely the same across it. A loyal assistant who reuses a single password across the family's accounts creates the same exposure as a disgruntled one who plans to misuse it. The goal is not suspicion; it is to ensure that access is scoped, visible, and revocable, so that trust is never the only thing standing between the family and a loss.
The access lifecycle
- Onboarding and vetting. Before access is granted, confirm identity and background appropriately for the role, and decide what each person actually needs to do their job — nothing more. A nanny does not need the wire-approval inbox; an estate manager does not need the children's school portal.
- Least-privilege access. Give each person the narrowest access that lets them work, on named accounts rather than shared logins, with multifactor authentication on everything. Shared passwords are the single most common way access outlives the person who held it.
- Device hygiene. Personal phones and laptops that touch the household network or family accounts are part of the attack surface. Separate guest and household networks, keep devices updated, and avoid mixing personal and family-office accounts on one device.
- Offboarding. When someone leaves, run a written routine: revoke app and account access, rotate any shared credentials they knew, and retrieve keys and devices. This is the step most often skipped, and the one that leaves doors open longest.
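The four lifecycle steps above can be written down as a small access register and two routines over it: a review that flags grants outside a role's scope, shared credentials, missing MFA and personal devices on family accounts, and an offboarding plan that lists what to revoke, which shared credentials to rotate and which issued devices to retrieve. The following is an added example and is not code from the original article or from any of the sources it cites; every person, role, system and device name in it is constructed sample data, and the role-to-system policy is a hypothetical one chosen to match the examples in the text.

```python
"""Access review and offboarding routine for household staff.

Added example, not code from the original article or from any source it cites.
It models the lifecycle steps above: role-scoped least privilege, named
accounts with MFA, device separation, and a written offboarding routine that
revokes access, rotates shared credentials and retrieves issued devices.
Every person, role, system and device name below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical role policy: the systems each role legitimately needs, nothing more.
ROLE_SCOPE = {
    "estate_manager": {"vendor_portal", "property_calendar", "household_wifi"},
    "executive_assistant": {"family_calendar", "travel_booking", "household_wifi"},
    "nanny": {"school_portal", "family_calendar", "household_wifi"},
    "contractor": {"household_wifi_guest"},
}

# Network access is a Wi-Fi passphrase: MFA does not apply, and personal devices are expected there.
NETWORK_SYSTEMS = {"household_wifi", "household_wifi_guest"}


@dataclass(frozen=True)
class Grant:
    person: str
    role: str
    system: str
    account: str              # named login, or "shared" for a credential several people know
    mfa: Optional[bool]       # None where MFA does not apply (e.g. a Wi-Fi passphrase)
    device: str = "personal"  # "personal", or the asset tag of an issued, managed device


# Constructed access register for the review (sample data, not a real household).
REGISTER = [
    Grant("Alex", "estate_manager", "vendor_portal", "alex@estate", True, "laptop-01"),
    Grant("Alex", "estate_manager", "property_calendar", "alex@estate", True, "laptop-01"),
    Grant("Alex", "estate_manager", "household_wifi", "shared", None),
    Grant("Dana", "executive_assistant", "family_calendar", "dana@estate", True, "laptop-02"),
    Grant("Dana", "executive_assistant", "wire_approval_inbox", "dana@estate", True, "laptop-02"),
    Grant("Dana", "executive_assistant", "household_wifi", "shared", None),
    Grant("Sam", "nanny", "school_portal", "sam@estate", False),
    Grant("Sam", "nanny", "household_wifi", "shared", None),
    Grant("Pat", "contractor", "household_wifi_guest", "shared", None),
]


def review(register):
    """Return (person, system, issue) triples for every grant that breaks a lifecycle rule."""
    findings = []
    for g in register:
        if g.system not in ROLE_SCOPE.get(g.role, set()):
            findings.append((g.person, g.system, "outside role scope"))
        if g.account == "shared":
            findings.append((g.person, g.system, "shared credential"))
        if g.mfa is False:
            findings.append((g.person, g.system, "no MFA"))
        if g.device == "personal" and g.system not in NETWORK_SYSTEMS:
            findings.append((g.person, g.system, "personal device on a family account"))
    return findings


def offboard(register, person):
    """Written offboarding routine for one person.

    Returns the plan (named accounts to revoke, shared credentials to rotate
    because the leaver knew them, managed devices to retrieve) and the register
    as it should look afterwards.
    """
    leaving = [g for g in register if g.person == person]
    plan = {
        "revoke": [(g.system, g.account) for g in leaving if g.account != "shared"],
        "rotate": sorted({g.system for g in leaving if g.account == "shared"}),
        "retrieve": sorted({g.device for g in leaving if g.device != "personal"}),
    }
    remaining = [g for g in register if g.person != person]
    return plan, remaining


if __name__ == "__main__":
    for person, system, issue in review(REGISTER):
        print(f"{person:5} {system:22} {issue}")
    plan, after = offboard(REGISTER, "Dana")
    print("offboarding Dana:", plan)
    print("grants remaining:", len(after))
```

Run on the sample register, the review surfaces the cases the text describes: the assistant who holds the wire-approval inbox her role does not need, the nanny's portal login without MFA and on a personal phone, and the Wi-Fi passphrase that four people share. The offboarding plan for one leaver then lists the named accounts to revoke and, separately, the shared passphrase that must be rotated because revoking the person's own accounts does nothing about a credential they still know.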
The data the staff handle
Household staff routinely touch information that, if leaked, fuels other attacks — travel schedules, home addresses, family members' details, vendor relationships. Some of this already circulates through people-search and data-broker sites, which the FTC notes will keep reselling personal information even after an opt-out. Treating staff-handled data as sensitive — and limiting how much of it sits in personal inboxes and phones — is part of the same program.
Why it deserves real attention
Deloitte's research underscores that family offices are attacked often and are frequently under-prepared. Insider exposure is the quietest part of that picture, because it rarely announces itself and is uncomfortable to raise. But raised early, framed as ordinary professional practice, and applied to everyone alike, it is one of the more tractable risks a family office carries.
Handled with discretion
Done badly, this work damages relationships; done well, it protects them, because clear boundaries keep good people from ever being suspected. Most engagements begin with a quiet review of who has access to what today — usually more people, to more things, than anyone expects — and a calm plan to bring that back in line.
Sources
- Deloitte Private, The Family Office Cybersecurity Report 2024. https://www.deloitte.com/global/en/services/deloitte-private/research/family-office-cybersecurity-report.html
- Cybersecurity and Infrastructure Security Agency (CISA), Insider Threat Mitigation Guide. https://www.cisa.gov/resources-tools/resources/insider-threat-mitigation-guide
- Federal Trade Commission, What to Know About People Search Sites That Sell Your Information. https://consumer.ftc.gov/articles/what-know-about-people-search-sites-sell-your-information