Could Your Firm’s Big Cyberthreat be the Board?
Where is your company’s next major loss hiding? Is it an erroneous market forecast, a sudden national crisis, a big client’s departure?
Company directors, the people working hard to keep business on course, may actually be unwitting targets in a cyberattack — the category of rapidly growing business crimes that can cause a company of any size to suffer a seismic financial hit. Even firms with the most rigorous IT protocols could have a blind spot when it comes to the machines, accounts and remote access practices of these MVPs: high-level leaders who aren’t part of day-to-day operations.
About 90 percent of large companies have already suffered a cyberattack, Betanews reports, citing a 2015 survey of 5,500 companies. Nearly half of those polled say they lost sensitive data due to some kind of security breach. A large company could spend as much as half a million dollars to recover from a security breach.
The average enterprise cyberattack incurs these costs:
- $73,000 for professional fixes
- $58,000 in lost business opportunities
- $420,000 in downtime
Shedding light on the security risks that boards of directors pose or face is one way to prevent a problem that could be lurking in the shadows.
Types of attacks
Malware is the comprehensive term for the most common and most familiar cyberattacks, such as viruses, worms, Trojans and a rapidly growing threat called ransomware, a Diligent white paper notes. Ransomware takes data hostage by encrypting it and forcing the owner to pay a ransom within a certain number of days in order to receive the encryption key.
Board members may be at even greater risk of malware attacks because they may be connected to multiple organizations. No one is immune.
Halting the Threat
Three of the most common security risks posed by boards of directors have easy-to-execute, technology-based solutions.
- Insiders: While your regular staff may be savvy enough to prevent data breaches, board members may be at greater risk of committing simple, innocent and unintentional mistakes such as clicking a link in a phishing email, leaving a phone unattended, or opening an email attachment sent through a camouflaged email account. More than half of board members (56 percent) still print and carry around board documents, a Thomson Reuters survey found. These documents could get lost or misplaced, putting corporate data at risk of being found and compromised by people outside of the organization.
Solution: Education. Provide board-specific education, including regular communications and security tips regarding updates, new threats and security expectations; hands-on training; social media best-practices guides; and the sharing of detection tips and points of contact for board members who may see a potential threat.
- “Bring-your-own” devices: Most board members own at least four devices, an income-adjusted Global Web Index report shows. IT departments have limited control of these devices, which is problematic — 60 percent of personally owned devices connect to the company network from outside the office. Users on personal devices may not employ best practices when accessing company information from home or on the go. These security issues are liable to worsen: more than 6 billion devices were connected to the Internet in 2016, according to research firm Gartner — 6 billion chances for backdoor hacks or security breaches.
Solution: Data protection. Organizations should worry primarily about protecting the data. Because there are so many users, and hence unique devices, with access to sensitive data, experts are saying traditional perimeter security methods are no longer as effective. Thorough vetting of third-party vendors, encrypting data even when it’s not in use and having security tools for every endpoint, including personal gear, can help.
- User authentication: Passwords are so valuable to cybercriminals that they are trafficked in underground markets. As Wired reports, a board member for Shipley Energy discovered the impact a hacker could have on security when she was phished by one. The hacker didn’t exactly steal her password; she unknowingly gave it away by typing it into a fake AOL page, and the hacker then mined her email and computer. Single password/username combos make light work for a hacker.
Solution: New technology, managed portals. Use of multi-factor authentication systems makes entry into the network tougher for hackers. Encrypted portals for communications across stakeholders add another layer of security and limit points of access. Board portals are specifically designed to give board members a single location from which to access information, which means that documents won’t be stored on vulnerable or outdated systems that could lend themselves to exploitation.
Cybercrime is expected to cause corporate losses to the tune of $2 trillion by the year 2019. While malicious outsiders, like hackers, are often pinned as the cause, it’s up to business leaders to reduce the risk of board members creating opportunities for a cyberattack.