To those who run or serve on corporate, local government or non-profit boards:
Your board members are at risk, and this places your organizations at risk. Your board members could be targeted by spearphishing (that is, directed personalized attacks) or other hacking because:
- They are often not technologically sophisticated
- They have access to valuable information
- If they are breached, you may not know
- Their email accounts and devices are not locked down using the enterprise-grade cybersecurity technology used to protect employees
In other words, they have a lot of the same information and access as executive employees, but don’t share in their protections. Even if you give them a corporate email address, their laptops, desktops, phones, and tablets are not covered by your IT cybersecurity systems.
Here’s an overview article I read today. It’s a bit vague but it does raise the alarm (and prompted this post). For the sake of the organization, it might be worth spending a little time at a board meeting on this topic, to raise the issue. But that’s not enough.
What can you do, beyond raising the issue?
- Provide offline resources and training to board members about how to protect themselves from spearphishing
- Teach them to use unique strong passwords on all their devices
- Encourage them to use anti-malware solutions on their devices
- Provide resources for them to call if they suspect they’ve been hacked
Perhaps your IT provider can prepare a presentation, and make themselves available to assist. Consider this issue in the same light as board liability insurance: protecting your board members is good for the organization.