October 31, 2019
To Mitigate Cyber Risks, Some Board Members Should Look in the Mirror
October 31, 2019
When chief information security officers (CISOs) present the state of cybersecurity to board members, the “insider threat” is a common topic. And for good reason—insiders are the number one security threat facing organizations today, according to the Optiv Security 2019 State of the CISO Report. CISOs tell the board often that they are trying to mitigate this problem through employee education, since many breaches caused by insiders are due to careless, rather than malicious, behavior.
But one thing CISOs probably don’t talk about—unless they’re
particularly brave—is that board members can identify the most dangerous
non-malicious insider threats by looking in the mirror. When one considers that
board members have access to the company’s most sensitive information, and that
they are likely too busy (or too disinterested) to participate in cybersecurity
training programs, it becomes clear that this toxic combination makes them a significant
How Board Members Become Insider Threats
There are a number of ways in which board members
inadvertently become security risks:
- Falling victim to “whaling” attacks. These are highly researched, highly targeted phishing attacks directed at board members, designed to gain access to their computers and to sensitive information. For example, a whaling attack could take the form of a spoofed email from the chief financial officer with a malicious file attachment and a message saying, “I’ve attached the minutes from the meeting last week—please let me know if you have any changes. We need approval from everyone by 5 PM tomorrow.” Board members who are unaware that they are prime targets for whaling attacks can be susceptible to these types of scams and click on the attachment.
- Using personal email. A study by Forrester Consulting and Diligent Corp. found that 56 percent of board members use personal email, rather than business email, to communicate with other directors and executives. This may be well-intentioned—they may be concerned that IT personnel monitoring email could see their messages—but as a cyber risk, this practice is a disaster. Companies should establish secure portals or encrypted email for all board communications.
- Giving away too much personal information. As noted in the discussion of whaling attacks, cybercriminals understand who the most valuable targets are, and will conduct in-depth research as the basis for targeted social engineering scams. Board members may be contributing to this problem without knowing it. If they, or even their family members, disclose personal information on social media channels, it can be used as the basis for such attacks. For example, if criminals see through posted photos or the like that a CEO’s family is going to Hawaii on vacation, they can execute a business email compromise attack where they send a bogus message from the CEO to an accounts-payable person in the company, saying, “My Hawaii vacation is off to a terrible start—the president of one of our biggest partners called me in the airport about this delinquent invoice. Please wire the money to them ASAP. I don’t want to be bothered by this.” There would be a bogus invoice with wiring instructions to the criminals’ bank account attached to the email, and the poor finance person would wire the money, fearing the wrath of the CEO. The FBI reports that these kinds of scams bilked companies out of $26 billion between June 2016 and July 2019, and they are growing by 100 percent every year.
Turning Insider Threats into Hardened Targets
These are just three examples of how board members can
compromise the security of their companies. The first step to solving this
problem is to remember the famous quote from the classic comic strip Pogo: “We have met the enemy, and he is
Once board members have established that degree of
self-awareness, the next step is to ask the CISO to make sure to include the
board and all senior executives in cybersecurity training and awareness
programs. Then, when they look in the mirror, they’ll see a hardened target—not
an insider threat.
Brian Wrozek is vice president of Corporate Security at Optiv.