If you are on the board of directors of any company in any industry, you have a duty to understand what company leadership is doing to mitigate cyber-security risk. But with that comes the responsibility to secure the information you are entrusted with to ensure you aren’t the weakest link into the organization.
Make no mistake: Board members are a vulnerable and valuable target of cybercriminals. If gaining an employee password gives attackers the ability to become insiders, then gaining a board member’s password gives them a seat at the table. Board members are attractive targets for several reasons:
- The value of the data they have access to: Board members have access to information that is sensitive, timely, and materially important to the business.
- Ability to influence: It’s not uncommon for a hacker to impersonate an influential person when sending a creative phishing lure. If a phishing email comes from a board member, the recipient is likely to pay attention. Some of the most successful phishing scams succeeded because the victims thought they were acting upon the orders of someone in charge.
- “Non-employee” status: If a board member is not an employee of the organization, she may bring her own device to meetings, which might not have the same level of security that a regular employee’s device has. Board members also typically do not go through the same security training that employees do, making them easier targets.
Because the information board members have access to can tip the scales of risk to the business, it is imperative to understand how the organization is providing protection to that data and to those who access it. Some of the most important conversations board members can have with their peers and technical teams are around how they access data.
If a username and password is the only barrier to escalating privilege or compromising the next device, then you could be extremely vulnerable. But if passwords alone are not enough, how does the company ensure that when a board member authenticates, the system verifies who she really is? What has the company instituted beyond passwords? When thinking about withdrawing money from a bank account, it’s hard to imagine a bank that wouldn’t require both an ATM card and a PIN. The same concept should apply within an organization to the accessing of data.
There are some key questions board members should ask the next time they access data:
- What is the value of the information we have access to?
- How are we getting access to that information?
- How is that information protected?
- Given the sensitivity of the information, do we think it is protected enough?
As influential leaders, board members play an important role in the culture of security in an organization. By asking the questions above, a director can demonstrate that he or she is thinking critically about the company’s cyber best practices and efforts to prevent credential theft. In doing this, they can help ensure that the organization is adequately protecting itself against the single most common element across cyber-attacks: credential theft. Your future, and the future of the company, depends on it.
Originally published on: September 12, 2017