As cyber attacks grow in velocity and severity, enterprises face the challenge of achieving the highest levels of security and data protection without compromising the speed, usability, or access needed for business. Although many technology tools exist to help prevent and mitigate hacks, the greatest source of risk is posed by people — personnel, contractors, partners, and others who we trust will conduct business securely.
As data breaches proliferate, more work must be done to heighten security policies, educate all personnel, and enforce cybersecurity best practices, particularly at the leadership level. Security can't rest solely on the shoulders of IT; security mandates must be modeled by the company's CEO, other C-level executives, and, perhaps most importantly, the board of directors.
Board members are responsible for a company's overall performance and governance, and have access to the most sensitive information the company owns, but they often feel the least confident in their level of cyber-risk awareness and receive the least cybersecurity oversight. The use of free email service providers (ESPs) and open Internet connections to send/review confidential board materials is rampant.
A recent survey report of 381 board directors by NYSE Governance Services, in partnership with Diligent, found that 92% of respondents use personal email accounts at least occasionally for board communications. Further, 63% said their boards aren't required to undergo security training. These insecure practices have put companies at heightened risk, particularly as cybercriminals zero in on high-profile individuals via whaling attacks (phishing targeted at high-level executives), and other means.
To reduce risk, directors need to become significantly more aware of their companies' security practices and be held accountable to high-level security standards. Here's how some of the most effective boards are becoming more hands-on.
Getting Smart About Data
Forward-thinking board members are having more meaningful security-centric conversations about the importance and value of data. According to many board members attending the 2017 Diligent Director's Experience event, these conversations have been possible thanks to closer collaboration among board members and IT, security, and data teams. Questions such as "Where does our data live?" and "How can we make these areas less vulnerable?" are becoming common in boardrooms.
As part of this process, boards are assessing operational security practices, including reviewing current and past security practices, as well as defining and controlling access to networks and various systems, third-party platforms, applications, and data storage. Once vulnerabilities are pinpointed (for example, via auditing), savvy boards are following through by providing the proper guidance and directives to ensure their organizations are making it a priority to properly fund data security.
Revisiting BYOD Policies
Attacks on mobile devices continue to increase, particularly as a growing number of people use one device for hybrid work/personal use. Not only does this introduce security risks to the enterprise, but most people don't realize how much information is captured by popular mobile applications themselves — for example, contacts, calendars, geolocation apps, photos, and attachments.
In an age of remote working and contract employees, it's not enough to have just a static bring-your-own-device (BYOD) policy in place — this essential corporate mandate must grow/contract based on business needs, cyber-risks being faced, and the needs of the workforce. It must also be stringently enforced, starting from the top down. Board directors are stepping up their responsibilities, working with security and IT leadership to develop and refine these policies, evaluating their effectiveness, and improving them based on evolving industry best practices.
Evaluating the Cost of "Free" Applications
Along with BYOD programs, board directors are also more closely scrutinizing the use of free applications and providers. For example, the NYSE/Diligent report found that nearly half (47%) of respondents agreed that the move to digital file sharing has increased the risk of improper handling of sensitive information. From the use of file sharing and data transfer applications such as Dropbox and WeTransfer, to free ESPs such as Yahoo and Gmail, directors are seeing the negative impact that these insecure, hackable applications can have on the enterprise and are taking steps to reduce or mitigate risks, starting in the boardroom.
Understanding Personal Hacker Motivations
While board members are aware of hacking and data loss risks for the enterprise, too few understand how they can be personally targeted by cybercriminals. There's a treasure trove of confidential corporate information within the reach of a board director: M&A deals and strategy, intellectual property, even litigation. But a board member's contact information — with access to powerful individuals that govern boards in all sectors — is incredibly valuable as well.
With crucial information at risk for both the employee and the organization, boards are now required to become more attuned to the criminal motivations involved in hacking. They must also be aware of the consequences — just ask former FACC CEO Walter Stephan, who was fired in 2016 following a successful whaling attack that cost the company nearly $50 million.
They must also become increasingly aware of evolving hacking techniques, online threats, and exploits that are designed to not only snare them but other high-profile or high-net-worth individuals in their personal networks as well. Executive-level workshops as well as crisis communication plans and drills are proving effective for helping boards understand their role in cybersecurity and the steps to take if they believe they've been targeted.
As more breaches are reported around the globe, and as the sophistication of these attacks evolves, it's imperative that directors immerse themselves in cybersecurity strategy and execution. They must collaborate directly with security teams, follow corporate policies and processes, pursue ongoing training to boost their security knowledge, and, above all, be open to changing the way they work in order to fight back against hackers and greatly reduce the likelihood of costly data leaks and breaches.