November 29, 2016
Yahoo Breach: A Wake-Up Call To Board Members
Every day, data breaches dominate headline news, offering a grim reminder of both the growing sophistication of attacks and the vulnerabilities that still exist inside and outside of our firewalls.
While the causes of these data breaches vary, it’s not just the hacker or threat actor that companies need to worry about—it’s the employee, too. A recent Experian study found that employees were the cause of more than half of security- or breach-related incidents. Whether intentional or accidental, employees introduce added layers of risk that must be adequately managed in order to mitigate vulnerabilities and protect against future loss events.
But what if it’s not the average employee at the source of the breach, but an unsuspecting board member or director?
With all of the confidential information and materials handled by boards, one would hope that these individuals are operating at the highest levels of security. But that’s not always the case, and, in fact, convenience and personal preferences often trump secure communication and collaboration. This is precisely why the recent Yahoo breach of 500 million user accounts is so troubling.
Based on Diligent’s research of Fortune 1000 companies, more than 30% of U.S. board members are using free email service providers (ESPs) to conduct business. Of the domains analyzed, Google was the most commonly used (44%), followed by AOL (17%) and Yahoo (9%). What’s worse, the same Diligent research found that a combined 23% reported using antiquated domains that no one would recognize today.
This suggests that there is a significant portion of active board members who are not only resisting modern security best practices, but are also operating recklessly in a way that introduces unnecessary risk and potential non-compliance into the business.
While 9% seems small, consider this: no one knows how the stolen Yahoo data will be used. One small breadcrumb of information—an email address, a contact list, an answer to a security question—in the wrong hands could be easily manipulated to carry out exploits at the expense of the account holder.
And if that account holder is a board member communicating with other high-profile leaders, the consequences could be disastrous.
For leaders who are concerned about potential exposure following the Yahoo breach, remediation requires more than just changing a password or closing an ESP account (which you should do ASAP)—it requires a work-style change. As such, here are four ways that boards and senior executives can keep communication secure and efficient without compromising usability or convenience.
Diligent’s research suggests that as many as 1 in 3 board members are using free ESP addresses. If you’re not one of them, chances are that a fellow board member could be, putting the entire board at risk. In fact, Diligent found that 1 in 4 boards have at least one member with a Yahoo account. If you suspect that someone is communicating or sharing documents on insecure or unencrypted platforms, flag it immediately and, if necessary, inform other stakeholders—such as IT, legal and the risk management group—who may need to get involved should anything escalate.
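A roster check of the kind this paragraph recommends, written here as an added example (not code from the original post or from Diligent): it classifies each board member's email domain against an assumed list of free ESPs and reports the share per category and the members to follow up with. The roster, the names and the corporate domain `examplecorp.com` are constructed.

```python
import re
from collections import Counter

# Constructed sample roster (no real people), one "name,email" per line.
SAMPLE_ROSTER = """\
Director One,d.one@examplecorp.com
Director Two,Dir.Two@Yahoo.com
Director Three,three@gmail.com
Director Four,d.four@aol.com
Director Five,five@oldisp-dialup.net
"""

# Free/consumer mailbox providers: the ones the post names plus common ones (assumed list).
FREE_ESP_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "ymail.com", "aol.com",
                    "hotmail.com", "outlook.com", "live.com", "icloud.com"}

EMAIL_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")

def email_domain(email):
    """Lowercased domain of a syntactically plausible address, or None."""
    m = EMAIL_RE.match(email.strip())
    return m.group(1).lower() if m else None

def audit_roster(roster_text, corporate_domains):
    """Tag each member 'corporate', 'free_esp' or 'other' (legacy/unknown/unparseable)."""
    findings = []
    for line in roster_text.splitlines():
        if not line.strip():
            continue
        name, _, email = line.partition(",")
        domain = email_domain(email)
        if domain in corporate_domains:
            category = "corporate"
        elif domain in FREE_ESP_DOMAINS:
            category = "free_esp"
        else:
            category = "other"  # not a verdict: an unknown domain needs a follow-up
        findings.append({"name": name.strip(), "domain": domain, "category": category})
    return findings

def summarize(findings):
    """Percentage share per category and the members to flag for follow-up."""
    counts = Counter(f["category"] for f in findings)
    total = len(findings) or 1
    shares = {cat: round(100 * n / total) for cat, n in counts.items()}
    flagged = [f["name"] for f in findings if f["category"] != "corporate"]
    return shares, flagged

if __name__ == "__main__":
    print(summarize(audit_roster(SAMPLE_ROSTER, {"examplecorp.com"})))
```

Members in the "other" bucket are the antiquated or unrecognized domains the research mentions; they are reported for a conversation, not treated as a finding in themselves.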
With security, you’re only as strong as your weakest link. Thus, it’s everyone’s job—from the mailroom to the boardroom—to adhere to the operational policies that are designed to protect the organization. Board members and directors who sit outside of the firewall, however, may consider themselves to be exempt. In reality, they need to be held to the same standards and, like regular employees, should receive frequent training on proper protocols—ideally, at least once per year. If you are unaware of your organization’s security policies, or worse, they have never been shared with you, it’s time to add them to your next board meeting agenda.
Board members and directors are constantly on the go, and the ability to work remotely on any device is critical. Yet the work also needs to be done securely, particularly when individuals are unable to access protected internet connections (e.g. at the airport, or in-flight). To ensure that communication and confidential information are fully encrypted in transit and at rest, board collaboration tools such as board portals and secure messaging platforms should be used; they provide both the security and the flexibility that busy executives need to effectively fulfill their board obligations.
Regulators are sharpening their focus on boards, and as a result, certain laws have been established to govern board-level communication. While some requirements are common knowledge, others, particularly those involving popular ways of communicating and collaborating (such as the use of chat or messenger applications, or sharing password-protected documents), are often unfamiliar territory. Business leaders must understand what constitutes acceptable behavior, and companies must put proper controls in place—such as audit trails, message retention and expiration policies—through the use of secure technology, to ensure that compliance is upheld. This is another area in which board portals are highly effective.
For the more than 30% of board members who are still using free email providers or antiquated platforms for business purposes, the recent Yahoo breach should serve as a startling wake-up call. Complacency, convenience, and creative work-arounds have no place in the boardroom. To truly safeguard the private information, materials and communication shared among top executives, modern technology combined with adherence to world-class security best practices must be the new gold standard.