Spotlight on Board Cybersecurity

In May 2017, more than 230,000 organizations and 150 countries worldwide were affected by the WannaCry ransomware attack. This attack was a form of malware that encrypted the information on computers then demanded a ransom be paid in bitcoin. This style of encryption holds your computer hostage with all the information on them becomes inaccessible. Hospitals, phone companies and countless enterprise corporations were affected.

Google Gmail Scam

A frighteningly effective gmail scam tricked people into divulging their gmail login information earlier this year. Hackers sent emails which appeared to be from a trusted contact. The email included an attachment which asks for a user to reset his/her password when clicked. An estimated 1 Million people were affected and had their Google Gmail accounts hijacked by hackers.

Embarrassing Emails Exposed

Jes Staley, CEO of Barclays had an email exchange with a person thought to be the Chairman of the board. In fact, it was a disgruntled customer. While relatively harmless as a hack, the embarrassment and coverage of the emails isn’t good for a company who is under investigation for trying to reveal the identify of a whistle-blower.

These are a few well-known events from this month alone, when hackers were able to get around security. No person or company is immune to hacks and cybersecurity threats.

Staying Safe in a Digital World

So how do we stay safe? By now, most companies know they have a huge role to play in protecting company and customer data. IT departments are tasked with staying up to date with the latest technologies, security protocols, and threats. Extensive due diligence is completed when purchasing software or implementing a cloud-based solution. IT departments can also control the online behavior of employees by creating Cybersecurity agreements. All of these focuses of the IT department boil down to one thing – minimizing risk.

Board Cybersecurity Agreements

But what about boards of directors? How can they minimize risk? They don’t fall under the category of employee, typically use an outside email address, and most aren’t experts in cyber threats. And yet, they handle/view some of the most sensitive information a company owns. In addition to ensuring that you are providing your board members with a secure way to receive information (emails and password protected pdfs do NOT fall into this category), setting expectations for the handling of this information is critical. At least once a year, a cyber security expert should speak to the board on ways to keep data safe. These sessions should include helpful tips like checking the url of a site which is asking for information and turning on auto-logout.

In summary, companies should continue to improve internal board cybersecurity protocols and stay vigilant about software, hacking threats, and employee behavior. But it’s also critical to get board buy-in on the importance of board cybersecurity. Provide them with opportunities to learn and commit to keeping organizational information safe.