Board directors can be easy prey for cyber attacks and data breaches. Does your board pass the test?
A company's people are its greatest asset. Except when they're not. Virtually all cybersecurity advice advocates internal education programs to raise employees' awareness and inform them of the precautions they should take.
Security is as much a people issue as a technology one, since insiders feature statistically in around half of all cyber incidents: the naive clicking on infected links or plugging in rogue USB drives, the disaffected equipping themselves for their next jobs. Education won't stop the bad doing bad things, but it can stop good people being unwise or careless.
That's easy to say for employees. But what about us: the boards and the C-suite? When was the last time you undertook a cyber-awareness program? Has anyone ever led your board through a "lessons learned" exercise over, say, the cyber attacks on US companies such as Target or Equifax? Cases where customer trust was smashed after millions of confidential records were stolen, evaporating billions in shareholder value and costing both CEOs their jobs?
You'll have been assured your company has a cyber-response plan should a similar attack happen, but has management ever walked the board through the actual steps they propose, to satisfy you they're adequate? Except for those individual directors who go in search of their own self-education, most directors rarely get any form of strategic cyber training, let alone updates. So it's no surprise that we, the corporate world's biggest fish, are also the hacker world's juiciest targets – so tantalising, in fact, that they've slapped the nickname "whaling" on their attacks on us.
This doesn't sit too well with "setting the tone from the top". Can we really expect the front line to treat this issue as seriously as we'd like if boards and top management don't personally demonstrate that tone ourselves?
Worse, cybersecurity professionals complain that company leaders are the group of insiders most likely to flout their own data security rules. Is that because we arrogantly think the rules don't apply to us? Or is it more benign: that we simply don't know what those rules are, because no-one's included us in the education we agree everyone else should get?
This is not hard to improve. We can start by asking to be included and updated. Doing that will not only improve the dynamic; we'll probably also see some strong cultural ripple effects inside our companies.
Of course, our ignorance isn't the sole reason we're such juicy targets. I'll give you four more – and propose one immediate action you can take to reduce the risk you personally pose to the company.
Why we're whales
The first reason is that the hackers know that by "harpooning" one of us they'll find gold – literally. As high-value targets, we have access to much of the company's most sensitive information.
Second, we're attuned to clicking on documents. We receive important reports all the time, and we – or perhaps a helpful assistant – dutifully open them.
Combine that with the third reason – that a lot of our personal details are "out there" in media profiles, interviews, speeches and social media postings – and it becomes easy for hackers to craft emails that look authentic enough to fool all but the most suspicious of us.
"Hi Peter, can you take a quick look at this draft of the dividend paper? And when you get a chance, can you tell me about Morocco? I'm thinking of taking David there for our next anniversary. Maureen."
To find out the chairman's and CEO's names, all the hackers did was peek at the website. To know the chairman had just visited Morocco, they took a look at his Facebook page. The CEO's husband's name they got from a charity's photo gallery promoting its last fundraiser. That was just three minutes' work.
Emails aren't the only way for hackers to hook a big fish. The fourth reason we're juicy targets is that we're more often off company premises than on them – meaning that we connect via various mobile devices, which multiply a hacker's attack points.
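The "Maureen" email above is convincing because it borrows a familiar first name, a plausible-looking sender and a document to open. The following is an added example, not code from the article or from any company it mentions, showing how a mail gateway or a mailbox rule can turn those three signals into header checks: the executive list, the corporate domain, the lookalike domain and both sample messages are constructed for this example.

```python
"""Flag inbound mail that impersonates a known executive.

Added example, not code from the article. The corporate domain, the
executive list and the two sample messages are constructed.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                    # constructed
EXECUTIVES = {"maureen": "maureen@example-corp.com"}     # constructed: first name -> real address


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (c0rp vs corp)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def attachment_names(msg) -> list[str]:
    """File names of every MIME part that carries an attachment."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def impersonation_findings(raw_message: str) -> list[str]:
    """Return the reasons a message looks like a whaling attempt (empty if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    first_name = from_name.split()[0].lower() if from_name else ""
    findings = []
    # 1. An executive's name in the display name, but not sent from that executive's real address.
    if first_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[first_name]:
        findings.append(f"display name '{from_name}' but sender is {from_addr}")
    # 2. Replies silently redirected somewhere other than the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. A sender domain within a character or two of the real one.
    if from_domain != CORPORATE_DOMAIN and edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"sender domain {from_domain} resembles {CORPORATE_DOMAIN}")
    # 4. A document to 'take a quick look at', arriving from outside the company.
    names = attachment_names(msg)
    if names and from_domain != CORPORATE_DOMAIN:
        findings.append(f"external sender with attachment(s): {', '.join(names)}")
    return findings


# Constructed sample: the article's "dividend paper" email, sent from a lookalike domain.
SPOOFED = """\
From: "Maureen" <maureen@example-c0rp.com>
Reply-To: <board.papers@mail-relay.example.net>
To: peter@example-corp.com
Subject: Dividend paper
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Hi Peter, can you take a quick look at this draft of the dividend paper?
--XX
Content-Type: application/octet-stream; name="Dividend_paper.docx"
Content-Disposition: attachment; filename="Dividend_paper.docx"

ZmFrZQ==
--XX--
"""

# Constructed sample: the same request sent from the CEO's genuine address.
LEGIT = """\
From: "Maureen Smith" <maureen@example-corp.com>
To: peter@example-corp.com
Subject: Dividend paper

Hi Peter, the dividend paper is in the board portal when you have a moment.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_findings(raw) or "no findings")
```

None of these checks is proof on its own; together they are the kind of signal a gateway uses to add a visible "external sender" banner or hold the message for review, which is what gives a busy director the pause the article is asking for.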
Cyber hygiene test
During the past month, did you at any time connect to public wi-fi at an airport, hotel or cafe and download sensitive board papers, confidential emails or perhaps do a bit of internet banking?
If your answer is "yes", then your cybersecurity people will probably be tearing out their hair. That's because by this simple and all-too-common act you exposed the company to a significant risk of what's known as a "man-in-the-middle" attack. That's where you think you're connecting your mobile device to a legitimate organisation's wi-fi, except you're not.
What you may actually have clicked on is a lookalike signal from a hacker's $100 wireless router, which they've cleverly wedged in between your device and the legitimate public wi-fi. By impersonating the real wi-fi, they can quietly observe and record everything you send or receive: sensitive emails, board papers, credit card information – you name it.
If you log into the company network, you could be handing over your security credentials.
Once equipped with those, the hackers can pretend to be you and, whenever they like, go searching for your company's crown jewels. The simplest way to avoid this risk is never to connect to public wi-fi. "Thank you, Starbucks, but no, I won't have wi-fi with my frappuccino."
This may be a whale of a story, but it's true.
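The lookalike signal the article describes usually leaves traces in an ordinary network scan: the same name advertised twice, once without encryption, or a familiar name broadcast from hardware nobody has seen before. The block below is an added example, not code from the article, of the heuristics a device-management tool or a cautious user can apply to a scan before joining anything. The scan results and the list of trusted access points are constructed; a real tool would read them from the operating system instead.

```python
"""Heuristic checks on a Wi-Fi scan before joining a network.

Added example, not from the article. SCAN and TRUSTED are constructed;
real data would come from the OS scan list (e.g. `nmcli dev wifi`).
"""
from __future__ import annotations

from collections import defaultdict


def normalise(ssid: str) -> str:
    """Collapse case, spaces and punctuation so 'Airport Free WiFi' == 'airport_free-wifi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def rogue_ap_findings(scan: list[dict], trusted: dict[str, set[str]]) -> list[str]:
    """Return reasons not to join (empty if the scan shows nothing suspicious).

    scan: one dict per visible network with 'ssid', 'bssid' and 'security'
          ('open', 'WPA2', ...).
    trusted: exact SSID -> set of BSSIDs previously recorded for that network.
    """
    findings = []
    by_name: dict[str, list[dict]] = defaultdict(list)
    for ap in scan:
        by_name[normalise(ap["ssid"])].append(ap)
        # A name we know, broadcast from hardware we have never recorded for it.
        if ap["ssid"] in trusted and ap["bssid"] not in trusted[ap["ssid"]]:
            findings.append(f"'{ap['ssid']}' from unknown access point {ap['bssid']}")
    for aps in by_name.values():
        securities = {ap["security"] for ap in aps}
        # Same name, one copy without encryption: an open stand-in for a protected network.
        if "open" in securities and len(securities) > 1:
            for ap in aps:
                if ap["security"] == "open":
                    findings.append(
                        f"'{ap['ssid']}' ({ap['bssid']}) is an open copy of an "
                        f"encrypted network of the same name"
                    )
        # Several spellings of one name in the same place is itself a warning sign.
        spellings = sorted({ap["ssid"] for ap in aps})
        if len(spellings) > 1:
            findings.append(f"{len(spellings)} spellings of one network name: {spellings}")
    return findings


# Constructed scan: what a laptop might list in an airport lounge.
SCAN = [
    {"ssid": "Airport Free WiFi", "bssid": "02:11:22:33:44:01", "security": "WPA2"},
    {"ssid": "Airport Free WiFi", "bssid": "02:11:22:33:44:02", "security": "open"},
    {"ssid": "Airport_Free_WiFi", "bssid": "02:11:22:33:44:03", "security": "open"},
    {"ssid": "HotelGuest", "bssid": "02:aa:bb:cc:dd:01", "security": "WPA2"},
    {"ssid": "ExampleCorp-Guest", "bssid": "02:ee:ff:00:00:09", "security": "WPA2"},
]

# Constructed: BSSIDs the company's own guest network has been seen on before.
TRUSTED = {"ExampleCorp-Guest": {"02:ee:ff:00:00:01", "02:ee:ff:00:00:02"}}

if __name__ == "__main__":
    for finding in rogue_ap_findings(SCAN, TRUSTED):
        print("do not join:", finding)
```

A clean scan does not prove a network is safe, which is why the article's advice to stay off public wi-fi, or to use a company VPN so the access point sees only encrypted traffic, remains the stronger control; these checks are for catching the obvious cases before a director ever reaches that decision.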
Better Safe Than Sorry?
- Facebook: Political consulting firm Cambridge Analytica harvested the personal data of 87 million Facebook users from 2014 onwards via apps masquerading as sex or personality quizzes. The data was used to create targeted online ads during the 2016 US presidential election. CEO Mark Zuckerberg testified before the US Senate about the breach in April.
- Equifax: A 2017 website data breach led to the exposure of nearly 148 million US consumers' personal data. Equifax received significant political backlash and, as of March 2018, the hack had cost it US$439m in security upgrades, legal fees and ID theft services to affected consumers.
- Uber: A 2016 security breach exposed the contact details of 57 million customers and drivers. Passwords and personal credentials had been stored on a third-party cloud. Uber tried to cover up the theft by paying a $100,000 ransom to the hackers. The resulting scandal caused Uber's valuation to drop by US$20b.
- eBay: Despite encrypted passwords, eBay was hacked via a phishing attempt on 100 of its employees in 2014. Hackers acquired the personal data and passwords of all eBay's 145 million users. The company advised users to reset their passwords and apologised.
- Yahoo: Three billion Yahoo user accounts were compromised after two separate "state-sponsored" attacks on its database in 2013–14 leaked personal data and passwords. Yahoo was in negotiations to sell to Verizon and, after the disclosure, its sale price fell by US$350m.
John M Green's views are not necessarily those of his companies.