About the Authors:
Nora Denzel is a Board Director of Advanced Micro Devices (AMD), Ericsson and NortonLifeLock. She has more than 25 years of technology, software and technology leadership experience including roles at Intuit, Hewlett-Packard and IBM.
Melissa Hathaway is a Board Director at BT Federal Inc. and at the Centre for International Governance Innovation. Hathaway served in two U.S. presidential administrations, spearheading the Cyberspace Policy Review for President Barack Obama and leading the Comprehensive National Cybersecurity Initiative (CNCI) for President George W. Bush. She is globally recognized as a thought leader in cybersecurity and advises governments, global organizations and Fortune 500 companies on cybersecurity, enterprise risk management and technology assessments.
Cyber criminals have long known that an effective way to breach a company’s security is to target its top-value personnel, including the board directors and senior executives who have unfettered access to the company’s most sensitive information. With the majority of company directors and officers now relegated to working exclusively from their homes and not inside a better-fortified office environment, these executives are increasingly being targeted by opportunistic and malicious actors who seek to monetize information, impersonate these leaders and gain access to the corporate crown jewels.
Prior to COVID-19, organizations put significant thought into the physical security, health and well-being of corporate directors and senior officers. Rarely was the individual digital resilience and security of these people discussed.
Today, however, cybersecurity and data governance risks are top of mind in many corporate boardrooms. Investments to date have focused on strengthening the digital defenses of the company’s networks, protecting valuable data and ensuring third-party services and infrastructures remain secure. Yet how many companies are investing to protect the directors and officers at home and online? Given the global health crisis that has forced so many companies to shift to long-term remote work strategies, companies need to do much more to secure executives’ homes—which are now a true extension of the enterprise.
Identifying and Safeguarding Against Digital Vulnerabilities at Home
When where you live is where you work, knowing where your company faces digital vulnerability, even within your own home, is paramount. Many high-profile individuals are ill-prepared to prevent or respond to a cybersecurity crisis when it enters their home. It is critical that they prepare, and that they adopt adequate measures to better anticipate, defend against and respond to digital attacks. The stakes are higher than ever: your money, privacy and reputation, as well as your corporation, are all now on the line.
So, what can top executives do to better protect themselves from cyber incidents?
- First, know that your home is a complex system of connected devices and networks. Many of them are vulnerable to exploitation. In fact, routers and connected cameras make up 90% of infected devices in a home, but almost every other connected device is also vulnerable, from smart light bulbs to voice assistants. It is important to review and know what is connected; appreciate what is running on your networks and systems (e.g., security cameras, HVAC, smart speakers); and understand who has access to these devices, networks and systems.
- Have your company conduct a security assessment of your home and give you a list of all the paths through which malicious actors can gain digital access to your home. It might be a frightening list. The assessment may suggest some best practices that are routinely done at the corporate office.
- Implement corporate best practices at your home. Among them:
  - Update the software on all your devices regularly. Some updates are critical patches that if ignored can—and will—be exploited.
  - Ensure routers and other devices are not set to the manufacturer’s default password. Establish new, complex passwords (at least 16 characters) for the home/private wireless network.
  - Configure all the connected devices in the house or associated with the board member for maximum security and privacy.
  - Create separation between work and non-work activities. Segment your network so that you are not sharing it with your children’s gaming system, for example. Have a separate Wi-Fi network for guests, and use different passwords for each network and account.
- Next, turn to your home office. Designate a “clean room” to conduct your sensitive work. Ideally, this should be an area that can be closed off from people as well as from listening devices such as Amazon Echo (Alexa), Google Home or even a smart TV. Savvy cyber criminals look for clues to your personal life in the background while you are on a video call. They can gather information to target you better in a phishing attempt, from the books and personal items on display to the photos of your family. Regardless of which digital channel you use for work—Zoom, Microsoft Teams, Webex, Google Hangouts or another platform—be deliberate about what can be seen on the camera or heard over the microphone.
- Many times, phishing attacks are launched via your personal network or email, which lacks some of the prevention tools your company may be using for your corporate account. Assess whether your personal or a company-provided email is more secure for your board work by asking the CISO or an expert on staff, and make the appropriate changes if needed.
- Be fully aware you are no longer operating on a trusted and secure corporate network. It is important to always use a virtual private network (VPN) to connect to the company’s network, applications and intranet. A VPN allows you to create a secure connection over a less-secure network and is one of the smartest ways to protect your online privacy and maintain your data security.
- In addition to using a VPN, it is also a good idea to implement multifactor authentication (MFA) on as many business applications as possible. MFA means using a password and a second form of identification, such as a code sent to your mobile phone or a biometric scan, to access your work applications. It’s easily set up for most applications you are using, and should be required for access to any board’s portal.
Nobody Is Off the Grid
Remember, you are a high-profile and high-value target. Nobody is off the grid when it comes to data. All internet-connected devices (e.g., cell phones, smartwatches) collect and transmit data about us. With each day, data aggregators and criminals can know where we have traveled, what information we search for on the internet and even the calories we burn.
As we embed more smart technologies into our homes and private lives, we must always be thinking of who might be able to access these devices and related information about us. Be mindful that criminals are harvesting data from your Facebook, LinkedIn, Twitter and other social media profiles to gain information that could be useful to break in to your systems and information assets.
Further, it is important to know what is in the public domain about you and your family. In July 2020, Twitter announced that the data and personal accounts of companies and individuals were compromised. It was a sobering demonstration that political, corporate and cultural elites are not immune to intrusion or impersonation. Augment your protection by making sure to select the most stringent privacy settings allowed on your social media accounts. Engage an expert or cyber-concierge company to monitor your digital presence on the internet and on the dark web to help manage your personal risk.
Your money and credit are also being targeted. The 2018 Equifax and Marriott data breaches affected more than half of the U.S. population. Your personally identifiable information (PII) has likely already been compromised, including your credit card numbers, bank accounts, passport numbers, birth dates, etc. To protect yourself and your money, consider freezing your credit with all four credit agencies (Experian, Equifax, TransUnion and Innovis). All these agencies have an online portal that makes it easy to freeze and unfreeze your credit—a free service.
The internet has become the digital lifeline during the COVID pandemic, and it has helped us remain connected to our friends, families and institutions of all kinds. Even pre-pandemic, it played a huge role in keeping our businesses afloat. Corporate board members, whose job includes thinking ahead, have a critical role to play in shaping and securing the digital work-from-home future—not least for themselves. Doing this starts with recognizing that the enterprise has a new perimeter, and that the digital weaknesses in our homes and personal lives could be the backdoor to our businesses. Invest the time now to mitigate risks and keep intruders outside those gates.