Vulnerable at the Top
Board directors need security training, too. They usually don’t get it.
It seems outlandish at first thought, but a company’s board of directors may be among its most vulnerable targets for hackers. After all, who in your company is more respected? Yet who operates under fewer restrictions and has access to your most important secrets and data?
“You have security tools in place on Alice’s computer in Sales, and you have security policies in place to govern access and information handling for David in Accounting, but Alice and David don’t have access to the most sensitive information the company owns,” tech writer Tom Bradley observes on the Forbes website.
“The reality is that your true Achilles heel is probably your board of directors,” Bradley writes in the article “Your Board Of Directors Is Exposing You To Risk.”
Bradley spoke with the chief security officer of Palo Alto Networks, Rick Howard, who pointed out that board members generally are not subject to the same rules and training as are employees. While employees generally have to follow strict guidelines about whether and how to use personal devices for work or on computer networks, board members are rarely restricted in how they use their own devices or what extra security precautions they should take.
“Furthermore, many board members are members of multiple boards, meaning there is a good chance that their computer or mobile device is a goldmine of sensitive data spanning multiple organizations,” Bradley adds. “It’s easy to understand why board members are simultaneously the low hanging fruit and the Holy Grail for would-be attackers.”
Palo Alto has been working with consulting groups to conduct training for board members and has done about 15 so far.
“The session is framed in the context of business risk. Presenters use plain English and avoid tech or security jargon,” Bradley recounts. “The sessions resonate with board members because, at its core, the function of a board is to increase value and reduce the risk for the company it serves.”
“Once board members understand the critical value of the data they have access to and the risk it’s exposed to, they realize the gravity of the situation,” he adds.
The biggest problem for anyone concerned about cyber security, from boards of directors to IT chiefs to pretty much anyone who uses the internet, is the ever-changing nature of the threat.
Wired recently held its second annual cyber-security conference in London, bringing together a broad array of intelligence and security experts, artificial intelligence researchers and others to discuss emerging threats. It reported major concerns in the story “5 Things You Need to Know About the Future of Cybersecurity.”
Key issues raised included:
- Infrastructure vulnerability. Healthcare systems, for example, could be attacked, making it harder to combat pandemics, one researcher says. Utilities have been the targets of state-backed attacks and could become of interest to terrorists.
- The “trust gap.” The spread of direct people-to-people services like Airbnb and numerous dating apps has lulled people into a false sense of security. Vetting of people offering services online varies from extensive to nonexistent. One researcher urged platforms to take greater responsibility. It cited a babysitting app that subjects sitters to a tough background check and rejects 75% of applicants for failing it.
- Pseudo ransomware. The WannaCry ransomware attack this year is now widely regarded as an effort to disrupt rather than to extort. There is concern that some attacks could have been paid for by business competitors. The spread of the internet of things could make an alluring target for hackers using ransomware. Connected cars, for example, could be immobilized.