
Addressing Insider Threats: In the Boardroom

Whether we talk about a government body, a nonprofit, a healthcare organization, a financial institution, or an organization of any other type, the board members have a crucial role to play. The board of directors oversees the organization and ensures that it is always moving in the right direction, closer to fulfilling its mission and vision.

That critical job requires knowing essential information, which is why board members are often in possession of sensitive information and data: they need it to perform their role effectively. However, if that critical information falls into the wrong hands, the organization is endangered. Legal problems and reputational damage could ensue.

We have seen a worldwide trend over recent years for board management processes to go digital. And over the last year the pandemic has poured fuel on an already intense flame, so that process has accelerated at an unprecedented rate.

Unfortunately, digital adoption in boardroom management often occurs in a piecemeal fashion. Each ad hoc tool (a personal email account here, a consumer file-sharing account there) adds another place where sensitive material can leak, at a time when cyber threats are becoming increasingly advanced.

Data breaches in the boardroom: An expensive threat

Any organization's reputation is a valuable asset. Most organizations work hard to build it and to earn the trust they need to operate in their respective industries. A reputation tarnished by a data breach will complicate the organization's ability to win and retain business, regardless of the organization's size, its previous reputation, or the direct cost of the breach.

According to IBM's yearly data breach cost report, the average data breach in the US costs its victim USD 8.64 million. If the organization belongs to a highly regulated industry, the cost is even higher; the highest average breach cost is found in healthcare organizations.

Lost business can account for as much as 40% of the cost of a breach once you consider the increased cost of acquiring new business, income lost to system downtime, and customer turnover.

That was true even before early 2020, when the Covid-19 pandemic brought us all into the current new normal, in which necessary health and safety measures have made Zoom board meetings and distributed IT the rule. Since the pandemic hit, cybersecurity threats and identity-based attacks have been on the rise, especially in healthcare, financial services, and government institutions. Some of these new realities are here to stay: even if the vaccines end the pandemic's worst restrictions, the toothpaste cannot be put back in the tube.

In April 2020, the FBI's Cyber Division reported a 400% increase in cybercrime complaints. The International Criminal Police Organization (Interpol) also saw an "alarming" number of cyberattacks against major corporations. And that is before counting threats such as ransomware.

In this context it is natural that every senior IT and IT security leader worth their salt is more focused on their organization's security than ever before. However, this concern is not shared across the board within organizations. For example, an OnBoard survey shows that only 57% of board directors and staff consider cybersecurity a vital issue. Given the current security climate, that lack of concern is alarming.

Where do cybersecurity threats in the boardroom come from?

Boardrooms, physical or digital, are security threat zones. That is simply the nature of the beast. But it is not enough to know that the threats are there; it is essential to understand where they originate so they can be prevented effectively.

According to RedefinePrivacy, 45% of data breaches are due to hacking. The causes behind breaches are manifold, ranging from seemingly innocent factors such as human error to more malicious ones, including compromised credentials and targeted attacks.

If history is any guide (and it usually is), the executives and professionals who sit on the board are the preferred targets of hacks, attacks, and breaches, because the information they hold is of critical importance in both volume and quality. For example, IBM's X-Force uncovered a global phishing campaign aimed at hundreds of high-ranking executives.

Attacks can also originate from the inside. It is rare, but it happens: a board member leaks confidential information to another person or party, for whatever reason, or uses that same information unethically for personal gain.

However, the thing to keep in mind about these types of incidents is how infrequent they are. Board members usually go through a comprehensive vetting process before they are chosen, and they tend to be well-esteemed, well-connected individuals. So when investigating such issues, it is crucial to think of horses before zebras: an external compromise or an honest mistake is far more likely than a malicious insider.

The best practices for cyber attack prevention in the boardroom

The boardroom attracts cyberattacks now more than ever. Because boardrooms have recently gone digital, with meetings held remotely, materials are often distributed by email and other digital means, and each of those channels is a possible point of exposure.

The good news is that these costly and damaging attacks can be reduced significantly by adopting a few good practices.

Manage all digital board materials securely

Many boards still depend on printed board books, disclosures, and other materials. Unfortunately, those printed pages can easily end up in the wrong hands, and such a loss can lead to costly legal problems. This is especially true now that so many board meetings are remote, scanned copies of printed materials are sent by email or other digital means, and every attendee carries a camera-enabled smartphone.

It is no surprise that physical meeting materials are giving way to digital media shared through Dropbox or Google Drive. That is a step in the right direction. But adopting these options alone does not guarantee the level of security needed to stop cybercriminals from targeting the workflow to extort money or steal important information, including personally identifiable information.

The best thing to do is to adopt a secure digital solution: every board member should get everything they need for their next meeting from a single portal. That portal, of course, must be properly secured through encryption, two-factor authentication, and biometric security, to name the most widely known tools of the trade. Keeping access logs is also critical. If the system records which documents each board member has accessed and when, those records provide the information needed to detect an insider leak and to contain the damage should one occur.

Appropriate permissions

Every board member needs the information that enables them to perform their job adequately. However, even within boards, the levels of access are not necessarily uniform for all the members.

In some industries it is customary for board members to complete an annual questionnaire designed to surface possible conflicts of interest. If a conflict exists, it can, and should, change the type of information that board member has access to.

The most important thing is to determine accurately the rights and information needs of every board member. Each member must have access to exactly the information they need. No more, no less.
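The two practices described above, logging who opened which document and when, and granting each member exactly the information they need, reinforce each other when the log is checked against the entitlements. The following is an added example written for this article, not code from the original page or from any board-portal product: it audits a constructed portal access log against a hypothetical per-member entitlement table (with one member recused from a document class because of a declared conflict of interest) and flags a burst of downloads that looks like a whole board book being copied. The member names, document register, log format and thresholds are all assumptions.

```python
# Added example, not from the article or from any board-portal product.
# Audits a board portal's document access log against each member's
# entitlements and flags bulk downloads. Member names, document register,
# log format and thresholds are all constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical entitlements: which document classes each member may open.
# A member with a declared conflict of interest is simply not granted the
# affected class ("chen" is recused from the acquisition papers).
ENTITLEMENTS = {
    "alice": {"agenda", "minutes", "financials", "acquisition"},
    "bob":   {"agenda", "minutes", "financials", "acquisition"},
    "chen":  {"agenda", "minutes", "financials"},
}

# Hypothetical document register: document id -> document class.
DOCUMENTS = {
    "DOC-101": "agenda",
    "DOC-102": "minutes",
    "DOC-103": "financials",
    "DOC-104": "acquisition",
    "DOC-105": "acquisition",
}

# Constructed access-log lines: "<ISO timestamp> <member> <action> <document id>".
SAMPLE_LOG = """\
2021-03-10T08:55:12Z alice view DOC-101
2021-03-10T09:02:40Z chen view DOC-103
2021-03-10T09:03:05Z chen view DOC-104
2021-03-10T09:10:00Z bob view DOC-102
2021-03-10T22:41:03Z bob download DOC-101
2021-03-10T22:41:09Z bob download DOC-102
2021-03-10T22:41:15Z bob download DOC-103
2021-03-10T22:41:20Z bob download DOC-104
2021-03-10T22:41:27Z bob download DOC-105
"""

BULK_THRESHOLD = 4                   # this many downloads ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window is suspicious


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, member, action, doc = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "member": member,
            "action": action,
            "doc": doc,
        })
    return events


def audit(events, entitlements=ENTITLEMENTS, documents=DOCUMENTS):
    """Return a list of (finding, member, detail) tuples."""
    findings = []

    # Check 1: every access must match the member's entitlements. A document
    # missing from the register, or a member missing from the entitlement
    # table, is flagged rather than silently allowed (fail closed).
    for e in events:
        doc_class = documents.get(e["doc"])
        allowed = entitlements.get(e["member"], set())
        if doc_class is None or doc_class not in allowed:
            findings.append(("unauthorized_access", e["member"], e["doc"]))

    # Check 2: bulk download. BULK_THRESHOLD or more downloads by one member
    # inside BULK_WINDOW looks like someone copying the whole board book.
    downloads = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            downloads[e["member"]].append(e["ts"])
    for member, times in downloads.items():
        times.sort()
        for i in range(len(times)):
            # count the downloads that fall within BULK_WINDOW of the i-th one
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= BULK_WINDOW:
                j += 1
            count = j - i + 1
            if count >= BULK_THRESHOLD:
                findings.append(("bulk_download", member, count))
                break  # one finding per member is enough

    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Run stand-alone, the block flags chen's view of an acquisition paper (the recusal) and bob's five downloads in under a minute. In practice the entitlement table would be generated from the portal's permission settings and the conflict-of-interest questionnaire, and the download threshold tuned to the board's normal pre-meeting pattern so that legitimate preparation is not flagged.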

Protecting the minutes

Meeting minutes are the board's written record and institutional memory. They document the decision process, protect against liability, and provide a clear list of actions and next steps.

Those minutes are often distributed as email attachments or as links to Dropbox or Google Drive files. That is very convenient but rarely secure enough. Without additional security measures, the minutes could find their way into the wrong hands, leaving insider information out in the open. This is a nightmare that can create legal and financial problems, not to mention damage to the company's reputation that is even harder to repair.

Prioritize the protection of meeting minutes. Choose a distribution method that is safe and secure, even if you need to sacrifice some convenience in the process. This straightforward measure can be a very powerful way to prevent significant security risks.

Require board members to use their company email addresses

Company email accounts exist for a reason, or rather for many reasons.

A board member's personal email account is not designed to keep sensitive information secure. So make sure you provide each member with a company email account, and require them to use it for all board activities and communications. Additionally, you can require that all written communication among board members takes place in your digital board portal.

Locate vulnerable devices and wipe them

Board members typically use more than one device to access information related to their board activities. At the very least, expect each of them to use a computer (a desktop or a laptop, and probably both) and a smartphone, often alongside other mobile devices such as a tablet.

Granted, board members are critical members of the organization and busy professionals whose ability to work on the road cannot be compromised. But it is precisely because they are so vital that it is also critical to ensure the sensitive materials they handle every day are available only on trusted, secured devices. Any device can be lost or stolen, so do your part to ensure that critical information can be removed from those devices.

It is also important to consider that devices have a lifespan. Statista shows that consumers replace their smartphones roughly once every three years on average, and enterprise devices are replaced even more often. Retired devices may be trashed, gifted, or given away, and every one of those actions is an opportunity for valuable information to end up in the wrong hands. A good policy to adopt in this regard is to wipe all locally stored board data from any device that has not connected to the portal in a given period, say 90 days.

The time for boardroom cybersecurity is here

Cyberattacks can happen anywhere in an organization. But those in the boardroom erode the organization's reputation, which is far costlier and harder to repair than the damage from most other attacks.

Security risks can never be avoided entirely, but boardroom attacks demand maximum risk mitigation, and now is the time to put it in place.

The challenge, of course, is to maximize the company's security while keeping the high degree of functionality and convenience that still allows board members to fulfill their vital roles within the organization.