Paul Stark, UK General Manager, OnBoard

Boardroom Cybersecurity: Taking on the Insider Threat

Paul Stark, UK General Manager at OnBoard discusses the steps boards and board members can take to protect against cyber breaches, across all sectors and industries.

In all types of organisations, board members play an integral role in how the company moves forward and continues to evolve. A board of directors provides complete oversight and strategic vision, while ensuring that the organisation, or company, remains focused on its overall mission.

For a business to operate effectively, boards must trust a workforce implicitly to handle sensitive corporate data, so that employees can carry out their job roles day in and day out. This does come with danger, however: a data breach leaking corporate board information can result in costly litigation, devastate an organisation’s reputation and, ultimately, lead to severe financial losses for an organisation.

The High Cost of a Board Cybersecurity Breach

According to an annual IBM Security Report, the average data breach in the United States costs $8.64 million – a very costly conclusion indeed. And the expense rises for organisations in highly regulated industries – such as health care organisations, which actually incur the highest average cost for a data breach.

As mentioned, boardroom breaches can tarnish an organisation’s reputation too and see clients lose trust in a company to safely handle their data. Lost business costs — including customer turnover, revenue lost by system downtime, and efforts to gain new business with a diminished reputation — account for about 40% of the average total cost of a data breach.

When the pandemic first broke out, our “new normal” turned into remote work, Zoom meetings and distributed IT. These measures bolstered health and safety, but also invited increased cybersecurity and identity-based attacks. In April 2020, the FBI’s Cyber Division reported receiving about 400% more cybersecurity complaints daily.

While recent research shows 100% of senior IT and IT security leaders say they’re more focused on security than in the past, OnBoard’s latest survey of board directors, administrators and staff members found only 57% see cybersecurity as an important issue.

It is clear that IT security leaders and boardrooms are not on the same page when it comes to cyberthreats – but they need to be, before they fall foul of a cyberattack.

Where Are The Cybersecurity Threats Coming From?

Such is the sophistication of today’s cybercriminals that a security threat can arise at any time, whether your board meets in person or virtually. But where do the threats originate?

According to Verizon’s 2020 Data Breach Investigations Report, outsiders executed 70% of all breaches. Breaches take many forms, including malicious attacks, phishing tactics, human error, or compromised credentials.

Cybercriminals will often target executives and professionals who sit on boards, because of their access to a large amount of sensitive information. In 2020, IBM X-Force uncovered a global phishing campaign that targeted more than 100 high-ranking executives.

Cybercriminals have also been known to impersonate a board member, or even the CEO, to try to coerce a colleague into divulging information. Spotting subtle differences in an email’s tone and language, compared to the usual communications from that person, is one way of detecting that a board member may not be who you think they are.

Though less frequent, a board member may even leak confidential data on social media, leverage insider information for personal gain, or feed information to the media.

Best practices to prevent board cyberattacks

While boardroom cyberattacks remain a constant threat, the recent increase in remote meetings and electronically shared information requires organisations to take action to reduce risk.

To mitigate the risk cyberattacks present, boards would be well placed to carry out the following:

Digitalise and secure all board materials

Some institutions choose cloud-based services like Google Drive and Dropbox to share materials. But these solutions offer inadequate security to prevent cybercriminals from stealing sensitive data, including personally identifiable information (PII).

A secure, digital solution prevents such attacks. It also gives board members access to relevant documents from a single portal. Security measures for a board portal include encryption, two-factor authentication, and biometric scanning devices, such as tools for voice, fingerprint, facial, or iris recognition.

In addition, tracking which documents each board member accesses and shares gives boards the power to thwart insider attacks — and more quickly contain them, if they happen.

Implement permissions accordingly

Board members need access to the right information to fulfil their roles, but not all board members need the same level of access.

Board members in many industries, for example, complete an annual questionnaire disclosing any personal conflicts of interest. A conflict of interest might limit a member’s access to information on certain topics.

A boardroom could also assign appropriate positions to board members to give them access to what they need to succeed — no more and no less.

Secure meeting minutes

Meeting minutes represent the official record of a board meeting and offer protection against liability, provide evidence of decisions, and create a clear list of actions and next steps.

Board administrators often distribute meeting minutes via email or online. Minutes delivered this way can inadvertently expose confidential information, resulting in litigation, expense, and a damaged reputation.

Make it a priority to protect meeting minutes. Prepare minutes quickly and destroy notes used to compile them. Make minutes available to board members in a read-only format. Consider limiting how long a member can access them digitally for best board cybersecurity practices.

Avoid using email as the channel for board discussions

Most email accounts lack adequate security for sensitive information. What’s more, using email to discuss sensitive board matters can create discoverability issues should legal challenges ever arise for your board.

Utilise a secure board portal as either the sole or primary means to communicate between the board and its members. From a defensive point of view, this makes sense. Board portals are better able to ensure privilege for directors’ communication.

Historically, there has been some resistance at first to moving communications to a board portal. This makes sense, as most board directors are accustomed to email and comfortable with it. But when secure communication in a portal is built well, it offers a seamless user experience and frequently becomes the preferred method of all board communication.

Erase devices that may be easily exploited

Board members often access information on a number of electronic devices. While it’s important to ensure they can work while on the go, it’s also critical to insist board business be conducted only on safe, trusted devices.

Board members may lose or replace their personal device for whatever reason. According to Statista, consumers replace smartphones about every three years, and enterprise devices are replaced more frequently. So, consider wiping all locally stored information from devices that haven’t connected to the internet within an established period, such as 90 days.

The Time is Now to Make Cybersecurity A Priority

Cyberattacks in the boardroom can be extremely costly. Board members must take action now to mitigate the cybersecurity risks they are faced with, while ensuring they can still access the vital information they need to be successful in their essential roles.

In an age where cybercriminals are becoming ever more sophisticated, it is vital that businesses equip their boardrooms with robust security measures – to defend against both external and internal threats.
