Guarding Against the Invisible: How to Secure Family Offices in a Digital Age with Dale Buckner

Kirby Rosplock

Welcome to the Tamarind Learning podcast. I am your host, Dr. Kirby Rospllock. We have an incredible guest today. Dale Buckner is the founder and CEO of Global Guardian. Now, be ready, because Dale is a former Green Beret. He's a former Special Forces officer for 24 years. It gives me chills because Dale is probably the biggest badass we've had on the podcast yet, and he's not your average citizen. So he's going to tell us a lot today about what is going on in this crazy world that we live in. And we're really focusing in today on what are the changing threat for the family office because we've had some really scary things happening in this world. We've had an escalation of conflict here at home and around the world. I'm thrilled to have Dale with us today because he has more information than we can probably fit into this podcast, but I'm so excited to hear what he has to think about these complex topics. Welcome, Dale.

Dale Buckner

Kirby, thank you. One, I'm now 56 years old and those Green Beret days are well behind me and I'm not a badass anymore. I like to think I was at the time, but certainly not now. That's a young man's game. I couldn't keep up to those folks in this day and age if I tried. The output of that experience, though, is I do get to carry and use my brain now and try and help people. That part of the experience I look fondly on as I'm now in a corporate space. But I really appreciate being here today. Super fun. I, of course, love talking about the condition of the world and how to support families and corporates equally.

Kirby Rosplock

Well, I don't know that everybody is familiar with Global Guardian, so maybe first just give our listeners and our viewers today a quick background about your company, because I think that will clue into why we're talking about threats and security.

Dale Buckner

Simply put, we're considered what's called a duty of care provider, which is very open-ended statement. What we end up executing is we provide security in all forms. That's camera surveillance, that's executive protection, that's car and driver, it's emergency response when bad things happen. It also includes a robust medical, medical evacuation portion, and a very deep cyber capability. When you put all that together, the intent of Global Guardian from day one till today, and we're in our 14th year, has always been to create this one button so that you as an adult, a parent, a manager, a CEO, at three o'clock in the morning, when you have a material issue, someone is kidnapped, someone is hacked, someone's pinned down, someone has a medical issue, you don't have to think. You have one phone number, one email, the platform stands up and we solve those problems for you. That's really the value proposition from Global Guardian when it started all the way to today.

Kirby Rosplock

Why do you think security is such a big issue for family offices today? Why are affluent and enterprises families? Why do you think they're more of a target than they maybe were 10 years ago?

Dale Buckner

One, the big idea is simply this. The world has changed. If you can see the slide that's up now, as you look at that, the frequency of global disruptive events that are physical, you see on the screen. In addition, all of our lives are now digitized. There's almost nothing I can't find in the open web and or the dark web. And if you don't put effort and energy, and frankly, spend money to secure your assets and secure your privacy, you're probably wide open. So between the physical threats, the frequency, and then when you think about our digital footprint, 10, 20, 30 years ago, the world was a very different place than it is today. And ultimately, we're never going back. It's only going to become more complex. There's going to be friction points around the world that bleed into environments that we can consider low risk. Active shooting in the United States, the political condition, the tribalism, and just all the communication networks that now exist have put us in a place around the world where all of the events that you see on your screen, in addition to what the threats are in the digital space, ultimately leads to this statement.

Dale Buckner

The family and family office has more duress and more enemies and is being targeted in a way that we've never seen. And again, it only gets harder moving forward. So for all those reasons, when you think about a family office and the management and protection of people and assets, I think when you really look at the aggregate, the average of what we see in the market, they're not well-prepared. They're not staying ahead of the digital threats. They're not thinking through the physical threats and the vulnerabilities they have. Then when bad things happen, lots of people are surprised. Ultimately, we want to help people not be surprised. We want them to be prepared. We want to help them frame these different threat vectors and then be prepared for it.

Kirby Rosplock

If you were to maybe rate on a 1-10 scale, how prepared are the family offices that you're seeing? Because I can imagine you're seeing a whole range of preparedness, right?

Dale Buckner

A hundred percent. On a scale of 1-10, and don't take this as if I'm being negative, I would give family offices a four, and here's why. Number one, when you start engaging and start talking to families, they truly do not understand their insurance. They think because they have insurance that somehow they're covered on the medical side, the cyber side, the physical side, kidnap and ransom, extortion, so on and so forth. The issue is when you actually stress test insurance, what most family offices don't realize or don't do, number one, on the insurance side is they don't read the fine print and realize that there are restrictions in insurance. There's three key restrictions. Number one, your assets and people will not be supported in a war zone. Number two, they will not be supported in a terrorist zone or attack. Number three, and this is the big one, they will not be supported and/or protected in a natural disaster. When you think about that framing, you're buying the insurance for the worst case, but yet when the worst case hits, you're actually not protected. That kind of unpeeling that onion is really important.

Dale Buckner

Then on the cyber side, of course, cyber insurance, if you're not watching, keeps getting narrower and narrower and narrower what it covers. But yet all of us, if you're running a business or you're running a family office, we're all paying 30 to 40 to 50% premium every year increases, and you're getting less and less and less for that because, as Warren Buffet said, cyber is uninsurable. I think his thesis from years ago is being proven. So when you think about that, let alone if you have a cyber ransom case, do you really know how it's going to unfold? Do you know how you're going to pay the ransom? Do you know how you're going to index your information back? If someone is actually kidnapped, do you really know who's going to negotiate and how that's going to be executed. My point being, when you take in the gritty details and you start shredding these scenarios of how do I protect the family and its assets, when you get into the hard questions versus 'well we have insurance for that.' When you start peeling that back, you start to realize that family offices have massive vulnerability in the insurance side. They don't really understand ransom, they don't understand cyber negotiations, and they certainly don't understand what they're covered for physically, whether that's an asset or getting those family members out of an environment such as a Paris terrorist attack, such as Hurricane Maria and Irma back in 2017 that wiped out a lot of the Virgin Islands and then made its way to Puerto Rico or just the wildfires recently in Maui.

Dale Buckner

I highlight those for this reason. My simple framing is when I ask family offices, do you think bad things don't happen in what you would consider peaceful or low-risk environments? If I ask most Americans or Westerners, do you think Paris is a safe environment? People are going to say it's a city of lights, it's a city of love. Of course, it's wonderful. Then you look at over 500 people being shot and killed in 2015 with multiple assaults and protests after with lots of people being killed. When you think about Maui being paradise, no one expected those fires, but yet we're getting hundreds of our clients off that island via boat and aircraft because no one saw that happening in (Maui). So there are simple examples where the human condition dictates that bad things aren't going to happen to me, but yet they happen almost annualized now at a higher frequency than ever.

Kirby Rosplock

Yeah. I mean, it's true. The reoccurrence of tragedy and these apocalyptic situations, it's hard to even rationalize it because they do happen so frequently It's numbing. I think we are desensitized to the horrors, but it becomes incredibly real as soon as you get that alert on your security profile that says, Hey, XYZ has been compromised, or Norton finds something, or whatever security thing that you use, comes up and says something's on the dark web or something's been identified here. We feel so vulnerable and we feel so exposed. I can imagine that it's happening more and more. This is only increasing and that this is a real problem. Talk to us more about what burns and what you are helping families and family offices do to protect themselves.

Dale Buckner

Yeah. I think navigating, number one, is lifestyle. You start with, what is lifestyle? Where are our assets? Where do people live? And what do they do? What are their hobbies? Where do they travel? Where do they vacation? What do they do on a weekly basis? What clubs do they belong to? So on and so forth. You start with peeling the onion of lifestyle. Next, you start peeling back assets. A very simple example is, can I find your home address to your primary residence and your vacation homes? Can I find personal items about the family, its family members, and/or its assets? This concept, and this is another thing to be really sensitive to. The concept that you find a lot with family offices is our family, they fly under the radar. They're quiet, so on and so forth. No one knows who they are. When I hear that, I perk up. Because immediately, if all I have to do is Google the the tail number of your jet, or Google the number of your yacht or your aircraft, or Google your address and find all kinds of things about you, then clearly the structure of the family office tied to the family members, we've got to clean that up.

Dale Buckner

So number one is just laying a baseline of what can the world find out about you and how deep does it go on the open web? And then on the dark web, let's find out if your social security numbers are being sold. Let's find out if your bank passwords are being sold. Let's see if there's been a man in the middle with your EA, so on and so forth. Let's really dig in. We have a baseline. Once we have the baseline, then we're going to go into the physical and we're going to transition to, okay, if we have an event at any of your residences or while you're traveling on vacation, you're in the Med, you're in Spain, you're in UAE, you go hunting in Argentina, whatever might look like based on your lifestyle with your family, friends, spouse, partner, whatever it is, we then want to start asking very basic questions. Number one, if there's a real medical issue, how are you getting medical care in the place in the city and hospital that you want, not that an insurance provider or a medical EVAC provider dictates? Number one.

Dale Buckner

Number two, if there is an emergency, whether it's your business and your employees or it's your family, if you had large scale footprint in Ukraine and were surprised, as most of corporate America was, or you had family in Ukraine, and you were surprised that Putin and Russia rolled tanks across the border and attacked Ukraine, and now you've got a real evacuation requirement. Are you ready for that? Do you know who you're going to call? Do you know who is going to bring the assets of helicopters, aircraft, vehicles, and guys with guns, frankly, and women with guns that are going to come get you out of that situation or get your business and your employees out of that situation?

Dale Buckner

Then lastly, if you're hacked, as I stated before, if you've got a cyber threat, you've got ransomware, you now have someone reaching out, and your data has been shut off... How do you navigate that and who are you actually going to call? And do you understand how that gets executed? So when you think about that framework, going from big to little, and then being very gritty about the execution, this is what leads to the preparedness. You now have a playbook. You understand the minute one of these things are triggered, you're not waiting to respond. You already have a playbook. We build that very simply, no more than three to five slides that outlines each one of these scenarios. And that way, you're not panicking at three o'clock in the morning. You have one phone number, one email, you know who you're going to call, and then the platform stands up and starts to address that issue.

Kirby Rosplock

It's incredible that we have to be this cognizant and this cautious, but it's real. I mean, I've had clients who've been hacked and been penetrated through their systems. Managing cyber risk is a real honest threat. Talk to us more what you're seeing from that perspective. I know you have some slides. Maybe we should bring those up.

Dale Buckner

Please do. This was done this year, this spring, February of 2024, from J. P. Morgan. We're I partner with J. P. Morgan on the cyber side with clients and family offices. The reason I wanted to put this up, Kirby, is simply this. I'll just point to the bottom here. If you're looking at those bottom stats, number one, I'll point to the 58% use a technology platform that monitors cybersecurity. This is family offices. That means 42% do not, which is just stunning to me. Number two, 37% require family to undergo cyber training. That means 63% do nothing, which is in the world we live in with everything in our hand and a cell phone and a laptop that we travel the world with, the fact that there's no cyber training and people are just blasting their life on social media and don't understand the threat when they're executing large transactions, so on and so forth. This is why, ultimately, we have a huge problem in the family office space. Third stat, 33% hire third-party defense providers, meaning 67% of family offices do not have an outsourced or insourced cyber defense provider, almost 70%. Then lastly, 8% have hired in-house cyber defense team, meaning 92% don't.

Dale Buckner

When I talked about giving family offices a 4 out of 10 on the cyber side, the digital, this is why. When 92% of family offices have no in-house capability and 67% have no outsourced capability, this is what leads to the next slide. If you go to the slide that shows the cost of global cybercrime, go one more, please. This is what really... I find every time I brief a family or even a corporate CEO, COO, when I put this up, no one really understands this until they see this stat. You can see from 2020 to 2024, and make no mistake, COVID was the precipice that just put this thing on steroids. When COVID hit, everyone went home. All of a sudden, cyber attackers, you're no longer in a protected corporate environment. You're operating off a router in your house that probably hasn't been updated. We're operating off of home Wi-Fi. You don't have an encrypted tube back to your business. And all of a sudden, cybercrime just exploded. So you see today in 2024, this is really the stat that should grab everybody's attention. We're at 9.22 trillion, not million, not billion, trillion dollar losses this year based on cybercrime.

Dale Buckner

When you think about that, that's why we put the big gray bucket or the big gray box here in the bottom right. If this were an economy, 9.2 trillion, it would be the third largest economy in the world behind the United States and China. I don't know how else to put this in dollars and cents of how much money is being taken from the wealthy. They're being targeted. They're playing man in the middle, ransomware, everyone is coming at with bots 24 hours a day. The threat is real. And this is the translation, the third largest equivalent economy in the world of money that's being ripped off in multiple ways in your digital space. When I talk about your social security number and your password to your bank account and man in the middle and ransomware and all these things, the human condition dictates, well, that's happening to other people. That happens to other companies. When you think about just the news cycle, Target, Marriott, Mary Kay, just Starbucks, on and on and on. Massive hacks, $110 million hack of MGM, a $15 million hack of multiple casinos across the Vegas trip. These are enormous losses when you think about it.

 Dale Buckner

So it's real. It's happening every single day. And again, the reason that I give a four to family offices, they're not understanding the gravy, the situation. That's why this slide is so important. When I show this, of course, you'd be amazed at what CEO, COO, CFOs, and of course, head of family office go, we really need to prioritize this.

Dale Buckner

So Dale, I want to bring it back for a minute because I think sometimes GQ Public and family offices maybe confuse cyber and IT. Can you just talk to that point right there? Because I think there gets confusion, and I think you know what I'm talking about.

Dale Buckner

I do. Thank you for bringing that up. I'll say this as gently as I can in the most respectful way. Most family offices do, if they're larger and they will have hired a full-time IT person, executive, however you want to frame it. They'll have someone in charge of IT. This is the fatal flaw, simply put. IT is not cyber. IT is to make sure your phones are connected, printers work, you can do things through Wi-Fi, you properly protect the Wi-Fi, you have an apparatus to communicate, and you have an apparatus to track company-issued cell phones. You have an apparatus to track company-issued computers. That's the definition of IT, simply put. Cyber defense is layering, and there's no one, and this is the fatal flaw on cyber. When I talk about cyber, it's really, really important. No cyber firm can protect a family office, meaning not one platform. Crowdstrike is a wonderful corporate enterprise cyber firm. They've been in the news a lot, obviously, but it's a very powerful and very well-run company and a wonderful platform. Mandian, FireEye, all of these large cyber platforms are well-run businesses for a reason, and we need it.

Dale Buckner

That being said, having just one software platform is not enough. When I talk about cyber defense, you have to train people. They have to understand how to look for email and spam and ransomware and all of those things. You have to train them what to look for on their phone, what to look for and what not to do, and how to use Wi-Fi and when not to use Wi-Fi. They need to understand the use of a VPN, what that means, what encryption means. You have to train people. That's one layer.

Dale Buckner

Number two, typically, if you have one software platform for the enterprise. My first question is, okay, what happens if I work from home and I'm not under that umbrella? How do I connect back to the firm? How do I connect to the bank? How do I connect to the client, the family members? And how do we discuss sensitive items and how do we execute? And what's the protocol to execute large transactions? When you start digging into that, you need to understand the word encryption. What is a VPN? What's a monitored VPN? And simply put, if required, could I wipe your computer or wipe your cell phone if you've been penetrated in a minute, minute and a half or less, anywhere on the globe?That's part of cyber.

Dale Buckner

Lastly, are we monitoring everything on open web, dark web? Are we habitually, every six months, 12 months, every 18 months? Are we doing a full deep dive on the accessibility of our clients and the family office around the world? And are we really doing that systematically? So if there is a red flag, we address it, we lock it down, we change protocol, and we move. Then lastly, I know that AI is just everywhere in the news cycle. What I would say is, if you can bring up the last slide of what right looks like. I'll end here on this. This is really, as we started with IT, this is really what it looks like. It's a combination of IT and cyber, and it's multi-layered. What you're going to see is no one platform is going to protect you. You need training, VPNs, encryption. You've got to have a platform. You've got to have proper protocol. You have to have proper policy as a family office. All of that matters, meaning it is layered, it is complicated, and understand, not one thing is going to protect you alone.

Dale Buckner

So as you look at this, we highlighted top 12 cybersecurity best practices. I highlighted for the audience top 6 for us. This is really the execution, the gritty execution. We're leaping from theory now to execution. When you think about this, cyber policy matters. You need your general counsel to look at the family office as an enterprise, and what does that mean for its assets and having a policy when bad things happen in the cyber realm. Two, you've got to have an actual system that forces, and this is the key word, forces passwords to be changed monthly, quarterly, annually, and Also, it's got to be automated to protect those passwords. We don't have people putting it on their cell phone. We don't have people scribbling it on a little pad at their office, so on and so forth. Three, conduct regular cyber security audits. Someone should be coming in, looking at the hardware, the infrastructure, and the platform, and then very directly put, the proper term is red teaming, meaning the bad guy should try and get in your system. They should try and send ransomware. They should try and tease people through email. They should try and get in your system. You don't need to do that every month.

Dale Buckner

I would suggest at least once a year, ideally twice a year. It doesn't cost much. It's not very time-intensive. It's not going to disrupt because they'll do all this in secret, frankly. But it is well worth stress testing your system. Four, control access to sensitive areas and data. This really for a family office is who has authorization and how do you execute large transactions? And because of AI, have you added a layer beyond the bank of having a very small group of people, three, no more than five, that have a go-to-hell code word to confirm that what you're talking to right now is just not a figure, an automated AI figure that's talking to you. I think that's really a big lesson learned in the short term on AI. Five, monitor the activity and privileges of third party. Really important. Then lastly, multifactor authentication. All of us are living it with our bank. This should be part of just logging into your laptop. You should be forced to execute a login every single time with multifactor authentication just to get on your laptop, just to get on your cell phone, just to get on your desktop.

Dale Buckner

All of those things combined are our basic, this is cyber and IT 101. If you don't have two, three, four of those, you really need to quickly because of the threat factor.

Kirby Rosplock

Wow, this is so helpful. Now, I'm going to throw a doozie at you. It's not in our list of questions, so I know you can handle it on the fly. But I know so many family offices that say, we do this all for the family. They really lock and load all these good things, and they protect the family. Then I'll say, so what are you doing for the employees? They're like, well, what are you talking about? I'm like, well, you are part of this whole ecosystem, you being vulnerable, really makes family vulnerable, right? Yeah, go ahead. I'd love for you to speak to that.

Dale Buckner

Yeah. So if you think, put yourself as the bad guys. Think from your, and I'm not picking on any one country here, but you're a hacker from Russia. You're a hacker from North Korea. You're a hacker in Brazil. You're a hacker in Miami, Florida. Just think of an enterprise that is focused on your family and family office because they found enough to find that you've generated wealth, you've created wealth, and potentially generational wealth. If the public can find that, their bots can find it, you're now a target. Very simply put, with any, and if you think this almost in a militaristic way, if you're going to target someone, automatically, the tactic is to find the weakest link. I don't want to go head on and go after the matriarch or the patriarch who I'm assuming might be very well protected. Let's assume that I just do a little probing, and I find that, wow, they're pretty well locked down. This is not going to be easy. The very next thing I'm going to find out is, can I find the family office, and in most times I can, not hard. If I can find a formalized family office that has an online presence, right off the bat, the first thing I'm going to look for is, how long has this family office been in operation?

Dale Buckner

If it's less than 10 years, immediately, what that tells me is you are young and you potentially have very immature systems. As I just described through the J. P. Morgan survey, almost 70% have immature systems, almost 70%. If you're less than a decade I'm immediately going to think, That's now my target. Now let's pick apart who's in the family office. I'm not going to go after the equivalent of the head or the president or the managing director, if you will. I'm going to go after the EA. I'm going to go after the IT director. I'm going to go after someone that has an online presence but is not a senior person there, and I'm going to be looking for the underbelly. To your point, if I am targeting a family office, and the family office is not protected with the exact same systems, with the exact same robustness. Whether it's travel, kidnap and ransom, cyber, it doesn't matter. They all have to be on that same platform for all of it. Or now it almost doesn't matter the fact that this family is locked down. But if all I have to do is pick away at the underbelly and find my way into the ecosystem, the word you just used, which is appropriate.

Dale Buckner

Now I have my way in and it doesn't matter if I come straight in from the patriarch or not, or I just find that low-level employee that's been there for less than two years who's not locked down. I'm in the ecosystem once I'm in, and now you have a problem. And now I can be patient I can sit and watch. I can map the organization. I can watch who executes transactions. I can watch where they travel. I can watch what assets they buy. I can figure out their plane, their vacation home, and their yacht, so on and so forth. I can just I'm just going to sit inside the system now, and now I'm just going to be very patient until I map everything I need, and I know how I'm going to strike, and I know what I'm going to go after. Then when D-day comes, I push the red button. At that point, there's almost nothing you can do to stop me if I found that weak underbelly. I do think it's an incredibly important point that whatever systems you're putting in place for your family member, I get it, that's your client. At the same time, you're the ones that are executing materially sensitive transactions, probably daily to weekly.

 Dale Buckner

If you're not on that exact same platform, you're just a vulnerability now to that family.

Kirby Rosplock

I'll just add one layer from an HR component. I think it also speaks to why it's so important to end relationships well in family offices, because literally, they walk out of these places and they know so much sensitive information. And boy, you never want them to be your enemy on the outside because of just how they could potentially use that in such an untoward, hopefully not, but it's very different Just how powerful, the sense of data that they own or they know from those very private ecosystems. But Dale, it's mind-blowing what you're sharing. It's also frightening. So I am so appreciative. If there's a few last thoughts, some ideas that you want to leave us with, I would love to hear what you have to say.

Dale Buckner

Look, we're together for a very short period of time. Technology in the world, it doesn't mean that everything is bad and gloomy and dark. The simple reality is what we opened with. The world is not the same as it was 10, 20, 30, 40, 50 years ago, and it's never going to go back. We're not going to the good old days. It's not real. When you frame it that way, simply put, that the vulnerability now, both physically and digital, is more than ever, and it simply needs to be accounted for. If you want to be prudent and you want to be offensive and you want to be ready, you just simply need to think through these things, do the right audits, create a playbook so that you know if and when something bad happens, you're prepared. That's all. That really, at the end of the day, is the key message is, let's run the traps, let's think through these scenarios, let's build an actual platform so you're not surprised. I think that's number one. Number two, we hope nothing ever bad happens. Never. But you don't want to ever take that risk at this point with the veracity and speed of how quickly these events and how these threat vectors can now come at you.

Dale Buckner

So I really think that that's really the two takeaways, if you hear nothing else. Look, the human nature element of this is what makes it so hard. What you are discussing is, look, people get close to cooks and gardeners and EAs and help and so on and so forth, and they're trusting. That human condition leads to trusting potentially people and systems and platforms that might not be in your best interest forever. You have to do, think, through that, and you need to think through protocol and policy on those things for the human beings that are in your circles is really the thing to think about.

Kirby Rosplock

Well, and I think it also extends to knowing that you have to have people in firms and partners. Sometimes you can't do it all inside your own family office. I think that's why it's important to have periodically the audits and the partners and professionals like yourself come in and do a gut check because you might think everything is swimmingly perfect, and then you have a moment of, oh, maybe it's not. You'd rather have that when everything seems okay than when you are hacked or you have something that shuts you down. I know, just had a conversation the other day with someone who I'm very close to who said, Oh, my gosh, our family business had a major breach, a major hack. It literally shut down their entire supply chain, and it literally rendered them stopped and their business ceased for a matter of 48, 72 hours. And that was money, just lost revenue, right? And suppliers were upset. So these things have real, real consequences, and it hurts all the way down the food chain. So I just look at this to say, don't bite off your nose to save your face. It will pay dividends if you can get in front of it and really plan for it so that you are prepared to your point.

Dale Buckner

Yeah. Couldn't agree more. I see it every day. I deal with it every day. In the after-action review of all these major incidents, whether someone gets injured or sick, and then they have a bad outcome medically, whether you have penetration or a hack, whether this affects your reputation, all the things that come with reputation and exposure of private information and PII and so on and so forth. When you peel that back and do the after-action review, you're always going to find somewhere along that path this was preventable in some way. You'll regret not doing it looking back. The message, of course, again, is simply, world's changed. It's different. You've really got to account for these things and get ready. That's all.

Kirby Rosplock

Great. Dale Buckner, what a pleasure. So great to have you on the Tamarind Learning podcast. We will have lots of more resources on Global Guardian, so check out additional information, Dale's bio, transcript of today's podcast, and additional links so you can learn more about Global Guardian services. More assessments on our websites and how you can contact them if you're interested in having an assessment to learn more about where you might be vulnerable. So thanks again, Dale, for being with us today.

Dale Buckner

Thank you. Really enjoyed it.