Board members play an essential role in organizations of all types, including financial institutions, healthcare organizations, nonprofits and government bodies — just to name a few. Collectively, the board of directors provides oversight and ensures the organization is always working toward its mission and vision.
Board members are often entrusted with sensitive data and information, which ensures they can be effective in their roles. But if that data gets into the wrong hands, the organization could run into costly legal trouble and reputational damage.
As more board executives, directors, and administrators have adopted digital board management processes over the past year, the risks associated with piecemeal digital adoption leave them more vulnerable to increasingly sophisticated cyberthreats.
The Costly Risk of a Breach in the Boardroom
According to an annual IBM Security Report, the average data breach in the United States costs $8.64 million. Those costs are even higher for organizations in highly regulated industries. In fact, healthcare organizations incur the highest average cost for a data breach.
Regardless of size or cost, data breaches in the boardroom have the potential to wreak havoc on an organization’s reputation, tarnishing the trust it’s worked so hard to earn. A weakened reputation can make it a lot more challenging (and expensive) for an organization to win and retain business. In fact, lost business costs (including customer turnover, lost revenue caused by system downtime, and the heightened costs of getting new business with a diminished reputation) account for about 40% of the average total cost of a data breach.
Then COVID-19 hit and remote work, Zoom board meetings and distributed IT became the “new normal.” Although these measures were (and in many cases, continue to be) necessary for health and safety, they’ve brought an increase in cybersecurity and identity-based attacks, especially against healthcare, financial services and government institutions. In April 2020, the FBI’s Cyber Division said it was getting about 400% more cybersecurity complaints each day. And the International Criminal Police Organization (Interpol) reported that an “alarming” number of cyberattacks were aimed at major corporations.
It’s probably no surprise, then, that recent research found that 100% of senior IT and IT security leaders indicate they’re more focused on their organization’s security than in the past. What is surprising (and perhaps alarming) is that OnBoard’s latest survey of board directors, administrators and staff members found that just over half (57%) see cybersecurity as an important issue.
The Sources of Cybersecurity Threats in the Boardroom
There’s no denying that the boardroom -- whether in-person or virtual -- can be the site of a security threat. But where are these threats originating?
According to Verizon’s 2020 Data Breach Investigations Report, 70% of all breaches were caused by outsiders. These breaches can have a number of causes, including malicious attacks, human error or compromised credentials.
And if history is any indicator, there’s reason to believe that executives and professionals who sit on boards are likely targets of hacks and breaches, due to the large amount of information and data they often have access to. As an example, in 2020, IBM X-Force uncovered a global phishing campaign targeted at more than 100 high-ranking executives.
Though rare, there’s also the possibility of an insider attack in the boardroom. This could take the form of a board member deliberately leaking confidential data to another person or entity -- or using insider information inappropriately for personal gain. But again, it’s important to reiterate that such attacks are extremely rare as board members are typically very esteemed and well-connected, and they generally go through a comprehensive vetting and election process.
Best Practices to Prevent Cyberattacks in the Boardroom
There’s always a risk of cyberattacks in the boardroom. This is especially true now, when the majority of board meetings take place remotely and materials are often shared via email.
However, there are actions organizations can take to lessen the risk of a damaging, costly attack -- regardless of where it originates.
Securely Manage all Board Materials Digitally
Today, a good number of boards still depend heavily on printed board books, disclosures and other important information and materials. But it’s easy for these printed materials to get into the wrong hands, which could lead to costly legal trouble. This is especially true now, when the majority of board meetings are remote and printed materials are often sent through the mail.
Some institutions are moving away from printed materials, opting instead to use services like Google Drive and Dropbox to share materials. Though this digital transformation is a step in the right direction, these solutions aren’t secure enough to stop cybercriminals looking for ways to tap into workflow processes to extort money or steal sensitive data, including personally identifiable information (PII).
The best approach is to use a secure, digital solution that enables board members to access everything they need from a single portal. Of course, it’s critical to ensure the security of your board portal so the wrong data doesn’t fall into the wrong hands. Measures including encryption, two-factor authentication and biometric security are just a few of the ways to do that. In addition, tracking which documents each board member accesses and shares can be a powerful way to thwart insider attacks -- and more quickly contain them if they happen.
Set Appropriate Permissions
Board members need access to the right information and materials to be effective in their roles. But all members may not necessarily need the same level of access.
For example, in many industries, board members are required to complete an annual questionnaire outlining any personal conflicts of interest. A conflict of interest might impact what data and information a board member should (and shouldn’t) have access to.
It’s important to always ensure appropriate permissions. That way, your board members have access to what they need -- no more and no less.
Protect Meeting Minutes
Meeting minutes act as the official record of a board meeting and are an important way to protect against liability, provide evidence of decisions and create a clear list of actions and next steps.
All too often, meeting minutes are distributed via email attachments or a service like Google Drive or Dropbox. Though these methods are convenient, they’re not always secure. That means your minutes could easily end up in the wrong hands and expose confidential information that could lead to legal and financial problems, not to mention a damaged reputation.
So make it a priority to protect your meeting minutes. Ensure the method you’re using to compile and distribute meeting minutes is safe and secure. This is a simple, yet powerful way to minimize the risk of the wrong information getting into the wrong hands.
Provision Company Email Addresses — and Require Board Members to Use Them
Board members’ personal email accounts lack the proper security needed to keep sensitive information secure. Instead, provide each member with a company email address -- and require them to use it for all board-related communication. Another option is to require all written communications to happen within your digital board portal.
Wipe Vulnerable Devices
Board members often access information and materials on any number of devices, from their laptop computer to their mobile phone. While it’s important to ensure these busy professionals can work while on the go, it’s critical to ensure sensitive information and materials are only available on safe, trusted devices.
There’s always a chance that a board member’s device could be lost or stolen. Be sure to remove any stored data from such devices. In addition, it’s important to remember that devices don’t last forever. According to Statista, consumers replace their smartphones about every three years, and enterprise devices are replaced even more frequently. Old devices might be donated, gifted or trashed -- and in all of these cases, data could get into the wrong hands. So consider wiping all locally stored information from devices that haven’t been connected to the internet within a certain amount of time, such as 90 days.
It’s Time to Make Boardroom Cybersecurity a Priority
Cyberattacks in the boardroom can lead to costly consequences. Now’s the time to take action to mitigate the risk, while still ensuring your board members have access to the information they need to be successful in their essential roles.