Is your board of directors the weak link in your organisation's cyber security?

Board directors can be easy prey for cyber attacks and data breaches. Does your board pass the test?

A company’s people are its greatest asset. Except when they’re not. Virtually all cybersecurity advice advocates internal education programs: to raise employees’ awareness and inform them of the precautions.

Security is as much a people issue as a technology one, since insiders feature statistically in around half of all cyber incidents: the naive clicking on infected links or plugging in rogue USB drives, the disaffected equipping themselves for their next jobs. Education won’t stop the bad doing bad things, but it can stop good people being unwise or careless.

That’s easy to say for employees. But what about us: the boards and the C-suite? When was the last time you undertook a cyber-awareness program? Has anyone ever led your board through a “lessons learned” exercise over, say, the cyber attacks on US companies such as Target or Equifax? Cases where customer trust was smashed after millions of confidential records were stolen, evaporating billions in shareholder value and costing both CEOs their jobs?

You’ll have been assured your company has a cyber-response plan should a similar attack happen, but has management ever walked the board through the actual steps they propose to satisfy you they’re adequate? Except for those individual directors who go in search of their own self-education, most directors rarely get any form of strategic cyber training, let alone updates. So it’s not a surprise to know that we, the corporate world’s biggest fish, are also the hacker world’s juiciest targets — so tantalising in fact, they’ve slapped the nickname “whaling” on their attacks on us.

This doesn’t sit too well with “setting the tone from the top”. Can we really expect the front line to treat this issue as seriously as we’d like if boards and top management don’t personally demonstrate the tone ourselves?

Worse, cybersecurity professionals complain that company leaders are the group of insiders most likely to flout their own data security rules. Is that because we arrogantly think the rules don’t apply to us? Or is it more benign; that we simply don’t know what those rules are, because no-one’s included us in the education we agree everyone else should get?

This is not hard to improve. We can start by asking to be included and updated. Doing that will not only improve the dynamic, but we’ll probably also see some strong cultural ripple effects inside our companies.Of course, our ignorance isn’t the sole reason we’re such juicy targets. I’ll give you four more — and propose one immediate action you can take to reduce your personal risk to the company.

Why we’re whales

The first reason is that the hackers know that by “harpooning” one of us they’ll find gold — literally. As high-value targets, we have access to much of the company’s most sensitive information.

Second, we’re attuned to clicking on documents. We receive important reports all the time, and we — or perhaps a helpful assistant — dutifully open them.

Combine that with the third reason — that a lot of our personal details are “out there” in media profiles, interviews, speeches and social media postings — and it makes it easy for hackers to craft emails that look authentic enough to fool all but the most suspicious of us.

“Hi Peter, can you take a quick look at this draft of the dividend paper? And when you get a chance, can you tell me about Morocco. I’m thinking of taking David there for our next anniversary. Maureen.”

To find out the chairman and CEO’s names, all the hackers did was peek at the website. To know the chairman just visited Morocco, they took a look at his Facebook page. The CEO’s husband’s name they got from a charity’s photo gallery promoting their last fundraiser. That was just three minutes’ work.

Emails aren’t the only way for hackers to hook a big fish. The fourth reason we’re juicy targets is because we’re more often off company premises than we’re actually working on them — meaning that we connect via various mobile devices, which serve to multiply a hacker’s attack points.

Cyber hygiene test

During the past month, did you at any time connect to public wi-fi at an airport, hotel or cafe and download sensitive board papers, confidential emails or perhaps do a bit of internet banking?

If your answer is “yes”, then your cybersecurity people will probably be tearing out their hair. That’s because by this simple and all-too-common act you exposed the company to a significant risk of what’s known as a “man-in-the-middle” attack. That’s where you think you’re connecting your mobile device to a legitimate organisation’s wi-fi, except you’re not.

What you may actually have clicked on is a lookalike signal from a hacker’s $100 wireless router, which they’ve cleverly wedged in between your device and the legitimate public wi-fi. By impersonating the real wi-fi, they can quietly observe and record everything you send or receive: sensitive emails, board papers, credit card information — you name it.

If you log into the company network, you could be handing over your security credentials.

Once equipped with those, the hackers can pretend to be you and, whenever they like, go searching for your company’s crown jewels. The simplest way to avoid this risk is never connect to public wi-fi. “Thank you, Starbucks, but no I won’t have wi-fi with my frappuccino.”

This may be a whale of a story, but it’s true.

Better Safe Than Sorry?

1. Facebook Political consulting firm Cambridge Analytica harvested personal data of 87 million Facebook users from 2014 onwards via apps masquerading as sex or personality quizzes. The data was used to create targeted online ads during the 2016 US presidential election. CEO Mark Zuckerberg testified before the US Senate about the breach in April.
2. Equifax A 2017 website data breach led to the exposure of nearly 148 million US consumers’ personal data. Equifax received significant political backlash and as of March 2018, the hack had cost it US$439m in security upgrades, legal fees and ID theft services to affected consumers.
3. Uber A 2016 security breach exposed the contact details of 57 million customers and drivers. Passwords and personal credentials had been stored on a third-party cloud. Uber tried to cover up the theft by paying $100,000 ransom to the hackers. The resulting scandal caused Uber’s valuation to drop by US$20b.
4. eBay Despite encrypted passwords, eBay was hacked via a phishing attempt on 100 of its employees in 2014. Hackers acquired the personal data and passwords of all eBay’s 145 million users. The company advised users to reset their passwords and apologised.
5. Yahoo Three billion Yahoo user accounts were compromised after two separate “state-sponsored” attacks on its database in 2013–14 leaked personal data and passwords. Yahoo was in negotiations to sell to Verizon and, after the disclosure, its sale price fell by US$350m.

John M Green's views are not necessarily those of his companies.