Family office insights this week:

  • Why cybersecurity still isn’t taken seriously enough

  • How to avoid being analogue in a digital age

  • Read: how Berkshire works without Buffett’s genius alone

  • Podcast: from Olympic hockey player to $46B AUM CIO

  • Watch: how ultra-rich dynasties implode within generations

Why Do We Still Ignore Cybersecurity?

Despite the concerns, few family offices and businesses take advanced precautions.

Cybersecurity is boring, an IT concern, right? Something to deal with when necessary. Nothing has happened yet, so nothing will likely happen.

A bit like saying you don’t wear your seatbelt because you’ve never had a car accident.

Deloitte Private just published their family business cybersecurity report this week and it echoes findings from their family office report just over a year ago.

Key findings read almost identically: cyberattacks are widespread, attacks are varied in nature, and there’s a need for more than basic defenses. 

The last point is particularly interesting: although cybersecurity has become such a risk, frequently causing measurable financial, operational and reputational damage, there is still a big gap between stated concerns and taking effective precautions.

We spoke with Dr. Rebecca Gooch, Global Head of Insights at Deloitte Private and author of both the family office and family business insights series, to understand why this gap persists and how family businesses and offices are affected differently.

“The biggest difference is the scale of exposure and impact. Family businesses are significantly more likely to experience a cyberattack than family offices, which more commonly operate under the radar,” says Gooch, noting that the new Deloitte Private report shows 74% of family businesses have experienced a cyberattack, compared to 43% of family offices - still a significant proportion.

Also noteworthy is that the damage caused by cybersecurity incidents at family businesses is more severe.

“Of the family businesses which have been attacked, nearly all claim to have suffered some form of financial, operational or reputational damage. In family offices, it’s closer to one in three.” 

Prevention requires advanced measures such as third-party cybersecurity specialists and threat monitoring systems, yet most family offices and businesses only take basic precautions. 

Strong passwords, multi-factor authentication and software updates won’t stop advanced malware or hackers using sophisticated phishing methods that catch employees unawares.

“The biggest misconception is that cyber risk is mainly about technology. In reality, it’s often about people and processes. Most successful attacks don’t start with sophisticated code – they start with a human being clicking on something they shouldn’t or trusting someone they shouldn’t.”

Gooch says the real differentiator isn’t always firewalls or software, but rather culture: training, awareness, governance and how quickly issues are escalated.

That culture isn’t prevalent in most family offices: Deloitte Private’s previous report showed only around a third of family offices had done a cybersecurity maturity assessment. 

“There can sometimes be a perception that cyberattacks are not a serious risk because cybersecurity can suffer from a visibility problem. When it works, nothing happens. There’s no obvious return on investment, so it’s easy to deprioritise.” 

“Many leaders still see it as an IT issue rather than a wider business risk. Until something goes wrong, it feels abstract. But once an organisation is hit, it very quickly becomes a board-level and even family-level issue. It’s classic risk psychology – people underestimate low-frequency, high-impact events until they experience one personally.”

One such account in the new Deloitte Private report comes from a family business CEO, who stated that the direct cost of a cybersecurity incident they experienced was $2 million - nothing abstract about that number!

𝕏 highlights

Don’t be analogue in a digital age.

How family offices spend their time.

Wealth distribution by net worth.

And let’s drop in some Chinese philosophy for good measure.

What to read

Berkshire Beyond Buffett by Lawrence A. Cunningham explores how Berkshire works without relying on Buffett’s genius alone. Cunningham argues the real moat is culture: permanent capital, extreme decentralisation, trust-based autonomy, and managers who think like owners rather than hired guns. Berkshire really could be a family office!

What to listen to

In this episode of Capital Allocators with Ted Seides, Lane MacDonald, CIO of SCS Financial, traces his path from US Olympic hockey player to CIO of a platform with approximately $46 billion AUM. Lane shares lessons from private equity, endowments, and family offices on what separates great investors from good ones.

What to watch

The Scandals That Still Haunt Billionaire Dynasties: how ultra-rich dynasties implode within generations. Through seven case studies (Maxwell, Samsung’s Lee family, Heineken, Versace, Durst, Bettencourt/L’Oréal, and Madoff), this documentary shows a repeating pattern: vast wealth amplifies power, secrecy, and impunity, until crime, scandal, or violence triggers public collapse.

And finally…

Thanks to Dr. Rebecca Gooch for sharing her insights on cybersecurity, part of a broader conversation we’ll share more of soon.

Right, that’s all for now. Have a cracking weekend!
