Shadow IT in the Family Office: The Hidden Risk of Personal Assistants (and the Case for Professional Custody)

If you run (or advise) a family office, you already know the uncomfortable truth:

Most serious security incidents don’t start with “hackers.” They start with people.
Trusted people. Busy people. Good people… operating at high speed with high access.

And nowhere is that more quietly dangerous than Shadow IT—the unofficial tools and workarounds that keep the private office moving: spreadsheets, Notes apps, WhatsApp threads, personal email, random cloud folders, and screenshots of “important stuff.”

In my world, the most common root cause looks like this:

• Banking logins and card details stored in Excel “just temporarily”
• Passwords pasted into Notes “because it’s faster”
• Vendor payment instructions forwarded through personal Gmail
• Sensitive documents shared via ad-hoc Drive links with unclear permissions
• A well-meaning assistant who becomes the “hub” for everything… with no formal custody model

This isn’t malicious. It’s human. It’s what happens when productivity beats governance.

The fix isn’t paranoia, and it doesn’t require turning the family office into the KGB. It requires something simple but powerful:

Professional custody.
Stop sharing passwords. Start sharing access.

---

The quiet reality: your assistant runs your life (and your risk)

Here’s a pattern I’ve seen repeatedly: families spend serious money vetting the “top” roles—CEO, CFO, Chief of Staff—then treat everyone else as a lower-risk afterthought.

But the person who has the most practical access isn’t always the CEO.

Sometimes it’s the assistant. Or the nanny. Or the driver.

I’ve heard it put bluntly: you might pay more for the CEO background check, but the nanny is in your home 40 hours a week. That’s not just a physical access problem—it becomes a data access problem too. Homes and offices blur. Devices travel. Documents move. Credentials get reused. The “private” becomes portable.

And families often rely on a comforting myth:

“The recruiting agency did the background check, so we’re covered.”

That’s not due diligence. That’s delegation without verification.

Families often don’t know what “good looks like” in screening, ongoing monitoring, and insider risk programs—especially when the staff member is trusted, long-tenured, and “part of the ecosystem.”

It creates survivorship bias:

“Nothing bad has happened yet, so we must be fine.”

That’s true… right up until it isn’t.

---

What Shadow IT looks like inside a private office

Shadow IT in a family office usually isn’t a rogue app. It’s a thousand small shortcuts.

The usual hiding places: Excel, Notes, WhatsApp, personal email, ad-hoc drives

If you want to find your real risk surface, don’t start with your firewall. Start with the workflows:

• Excel “vaults” with tabs like “Banking,” “Cards,” “Vendors,” “Passwords”
• Apple Notes with partial credentials and “security questions”
• WhatsApp/iMessage threads containing photos of passports, invoices, wire instructions
• Personal email used to “get it done quickly” while traveling
• Cloud folders created by whoever had time (not by design), then shared forward forever

None of this is shocking. It’s how small, elite teams operate when they don’t have enterprise-grade governance—and they’re trying to stay agile.

The family office context makes it worse because:

• stakes are higher (money, identity, safety, reputation)
• roles are blended (personal + business)
• urgency is constant
• staff turnover is real
• privacy is non-negotiable, so people avoid “raising flags”

The “recruiter said it’s fine” myth (and why that’s not due diligence)

I’m going to say this plainly: a pre-hire background check is not an insider threat program.

Even if screening is strong, circumstances change:

• financial pressure
• personal crises
• new relationships
• resentment
• burnout
• opportunity

Some research and industry commentary suggests that many family offices don’t run a formal insider threat program, meaning there’s limited periodic re-evaluation after hiring.

That matters because the family office is unusually exposed:

• staff may access home, devices, travel plans, kids’ schedules
• assistants may manage bank portals, bill pay, vendor onboarding
• a single compromise can touch both personal life and operating business

---

Insider risk without paranoia: building an insider threat program that doesn’t feel like the KGB

I like a simple rule:

Diagnosis before prescription.

A lot of security vendors sell the “easy button.” Buy this system. Install these cameras. Deploy this tool. Done.

That’s great for their margins. It can be terrible for the family.

What works better is a calm, structured approach that looks across domains:

• digital security
• physical security
• people risk
• process risk
• vendor/supply chain risk

And it can absolutely be done without turning the office into a surveillance state.

Diagnosis before prescription (and avoiding fear-based security shopping)

Fear-based marketing is everywhere. It pushes people into buying tools to soothe anxiety rather than reduce actual risk.

Instead, start with questions like:

• What are the top 10 actions that could harm the family financially?
• What are the top 10 actions that could harm the family physically?
• Who has access to those pathways—directly or indirectly?
• Where does information actually live day-to-day?

Then map your real “crown jewels”:

• banking access (who can initiate, approve, view?)
• card custody (who holds details, where are they stored?)
• identity docs (passports, KYC, tax docs, medical)
• vendor workflows (who can change payment details?)
• communications channels (where do urgent instructions arrive?)

Periodic re-screening: why “set and forget” fails (do it legally, with counsel)

A mature insider risk program includes periodic updates—not constant intrusion, not random checks, but structured review aligned with local law.

This is where I’m very direct: do this through counsel and within employment law requirements. The point is not “gotcha.” The point is managing risk in a world where circumstances change, sometimes dramatically.

You can design re-screening so it’s:

• predictable
• respectful
• role-based (more access = more rigor)
• documented
• legally sound

And it pairs naturally with operational governance: access reviews, vault reviews, and offboarding readiness.

---

The core fix: stop sharing passwords, start sharing access

This is the heart of Shadow IT in private offices.

When assistants store passwords in Excel, they’re not trying to be reckless. They’re trying to be reliable.

They’ve been asked to do a job that requires speed and continuity—without being given a system that supports speed and continuity safely.

So the fix is a custody model that lets assistants work fast without holding master keys.

Professional custody: ownership, approvals, and least privilege

Professional custody means:

• credentials live in a controlled system (not in someone’s memory or personal files)
• access is granted by role
• changes are logged
• approvals exist where money moves
• offboarding is designed-in

I structure it as “Share access, not secrets.”

That looks like:

• assistants can access banking portals via vault-controlled credentials
• high-risk actions require dual approval (especially for wire changes)
• vendor bank details changes are treated as high risk events
• sensitive docs have a home with deliberate permissions

Shared vaults done right (NordPass workflow example)

A password manager with shared vaults is one of the simplest ways to kill Shadow IT without killing productivity.

Using something like NordPass, you can:

• create vaults by function (Banking, Vendors, Travel, Household, Legal, IT)
• assign role-based access (assistant can view X, CFO can view/approve Y)
• remove the need for spreadsheets entirely
• rotate credentials cleanly
• track who accessed what (depending on plan/features)

The cultural win is huge:

• assistants stop improvising storage
• principals stop texting sensitive details
• the office becomes resilient to turnover

One important mindset shift:
The “vault” becomes the system of record—not the assistant’s inbox.

---

Secure financial documents without slowing the office down

The second half of Shadow IT is documents.

If credentials are the keys, documents are the map.

A simple classification system: what’s sensitive, what’s critical, what’s disposable

You don’t need a 40-page policy. You need three buckets:

1. Critical (would cause major harm if leaked or altered)

• tax packs, legal agreements, banking statements, KYC, investment docs, IDs

2. Sensitive (privacy impact, reputational risk)

• travel itineraries, medical, household staff files, family communications

3. Operational (useful but lower impact)

• schedules, routine invoices, vendor catalogs (still should be organized)

Then you decide:

• who can access
• who can share externally
• how long links should live
• how to revoke access quickly

Controlled sharing and storage (Proton Drive workflow example)

A secure document platform is the “second vault” of a professional custody model.

With something like Proton Drive, you can store and share financial documents in a way that’s:

• centralized
• permissioned
• less dependent on a staff member’s personal cloud folder
• easier to audit during transitions

A practical workflow:

• Proton Drive becomes the home for “Critical” documents
• links shared externally are time-bound and deliberate
• assistants share documents without needing to share credentials
• principals stop forwarding attachments through random email threads

Again, the goal isn’t perfection. The goal is eliminating the most common failure modes:

• orphaned access
• uncontrolled sharing
• documents scattered across personal accounts

---

Offboarding is the real test: when assistants change, does your security break?

If you want to know whether your family office security is real or just vibes, ask one question:

If the assistant left tomorrow, could you confidently regain control in one day?

Most offices can’t. Because too much “custody” lives in a person, not a system.

The first 60 minutes checklist (access, vaults, devices, forwarding rules)

When a high-access staff member exits (planned or unplanned), act fast:

• disable corporate email + revoke sessions
• check email rules (forwarding, auto-replies, delegations)
• revoke access to vaults and rotate the most sensitive credentials
• remove access to document platforms and shared folders
• review banking and vendor portals for authorized devices/users
• freeze vendor bank detail changes until verification is complete

Even if you trust the person, you don’t “trust the state” of every device, token, and share link created over years.

The 7-day clean-up (audits, rotations, vendor verification)

Within a week:

• rotate remaining shared credentials (especially anything reused historically)
• audit shared drives and external links
• verify key vendors (payment details, contacts)
• rebuild “golden records” for banking and vendor info
• update role-based access for the next person

This is where professional custody shines: offboarding becomes a process, not a fire drill.

---

Conclusion

Shadow IT in a family office isn’t an IT problem. It’s an operating model problem.

If your assistant is forced to be the “system of record,” you’re one resignation, one compromise, or one bad day away from losing control of things that matter most: money, identity, privacy, and safety.

The fix is not fear. It’s design:

• diagnose before you buy tools
• implement professional custody (share access, not passwords)
• store critical documents in a permissioned home
• build an offboarding process you can execute calmly
• and treat insider risk as a normal part of running an elite private operation—not a taboo topic