Boards must entrust their members with sensitive data to ensure they effectively fulfill their roles. But a data breach involving sensitive board information can result in costly litigation and devastate an organization’s reputation.
When COVID-19 hit, companies turned to remote work, Zoom meetings and distributed IT. These measures bolstered health and safety, but also invited an increase in cybersecurity and identity-based attacks. In April 2020, the FBI’s Cyber Division reported receiving about 400% more cybersecurity complaints daily.
While recent research shows that 100% of senior IT and IT security leaders say they are more focused on security than in the past, OnBoard’s latest survey found that only 57% of board directors, administrators and staff members see cybersecurity as an important issue.
According to IBM's 2020 Cost of a Data Breach Report, the average data breach in the United States costs $8.64 million. The expense rises for organizations in highly regulated industries, such as healthcare organizations, which incur the highest average cost for a data breach.
The Sources Of Cybersecurity Threats In The Boardroom
According to Verizon’s 2020 Data Breach Investigations Report, outsiders executed 70% of all breaches. Breaches take many forms, including human error, compromised credentials, or malicious attacks on known vulnerabilities in software such as remote meeting tools.
Cybercriminals often target executives and professionals who sit on boards, because of their access to a large amount of sensitive information. In 2020, IBM Security X-Force uncovered a global phishing campaign targeted at more than 100 high-ranking executives.
Best Practices to Prevent Board Cyberattacks
While boardroom cyberattacks always remain a threat, the recent increase in remote meetings and electronically shared information requires organizations to take action. Below are five ways to reduce risk:
- Securely manage all board materials digitally: Many boards still rely heavily on printed versions of board books, disclosures and other important materials. But printed materials can easily get into the wrong hands, especially now, as more boards meet virtually or send documents in the mail. Some institutions choose cloud-based services like Google Drive and Dropbox to share materials. But these solutions offer inadequate security to prevent cybercriminals from stealing sensitive data, including personally identifiable information (PII). A secure, digital solution can prevent such attacks. It also gives board members access to relevant documents from a single portal. Security measures for a board portal include encryption, two-factor authentication, and biometric scanning devices, such as voice, fingerprint, facial or iris recognition. Additionally, tracking which documents each board member accesses and shares gives boards the power to thwart insider attacks, and more quickly contain them if they happen.
- Set appropriate permissions: Board members need access to the right information to fulfill their roles, but not all board members need the same level of access. For example, board members in many industries complete an annual questionnaire disclosing any personal conflicts of interest. A conflict of interest might limit a member’s access to information on certain topics. Assign appropriate positions to board members to give them access to what they need to succeed—no more and no less.
- Protect meeting minutes: Meeting minutes represent the official record of a board meeting, offer protection against liability, provide evidence of decisions, and create a clear list of actions and next steps. Board administrators often distribute meeting minutes via email or online, but minutes delivered this way can inadvertently expose confidential information, resulting in litigation, expense, and reputation damage. Make it a priority to protect meeting minutes. Prepare minutes quickly and destroy notes used to compile them, make minutes available to board members in a read-only format, and consider limiting how long a member can access them digitally.
- Require board members to use company email addresses: Personal email accounts lack adequate security for sensitive information. Provide board members with a company email address and require that they use it for all board-related communication.
- Wipe vulnerable devices: Board members often access information on a number of electronic devices. While it is important to ensure they can work while on the go, it is also critical to insist that board business be conducted only on safe, trusted devices. Board members may lose or replace their personal device for whatever reason. According to Statista, consumers replace smartphones about every three years, and enterprise devices are replaced more frequently. Consider wiping all locally stored information from devices that have not connected to the internet within an established period, such as 90 days.
Making Board Cybersecurity a Priority
Cyberattacks in the boardroom can lead to costly consequences. Take action now to mitigate board cybersecurity risk, while ensuring that board members can access the information they need to be successful in their essential roles.