There are many posts on corporate directors’ responsibilities toward the organizations where they are board members. In fact, corporate directors themselves may be targets for hacktivists or cybercriminals and need to make sure they have adequate protection. This protection should include both home and professional office. Directors obviously will have access to sensitive insider information that many unauthorized parties would like to get access to. Many directors will also be targets as High Net Worth (HNW) individuals. Cybercriminals always target the weakest link; as corporate information security improves, they increasingly will target the home networks of key executives or directors.
Breaches such as Equifax have put so much personal information into the hands of criminals, that individuals increasingly will become targets. Directors represent a perfect demographic cross-section to be attacked. Attack vectors may include phishing, ransomware and social media.
Earlier this year, an NSA employee was in the news as hackers apparently stole US government secrets from his home network. Directors with access to confidential strategic or financial information should make sure their home networks are protected above and beyond the usual consumer grade defenses. Another attack path may be through tools and services used by directors. In 2010 attacks were reported against Directors Desk, a NASDAQ meeting portal. It is not clear if any sensitive information was stolen at that time.
What should directors do? First, make sure your home network is built to corporate standards. You need a commercial firewall, not just a consumer router. Most critically, any devices, especially firewalls and routers should auto-update their firmware. Auto-update is now included in Windows 10, most smartphones, and many home network devices, but not in older devices. Anything you put on your network will be found to have vulnerabilities, so this software and firmware update feature is critical to keep hackers out.
Passwords represent a second critical area; many breaches result from theft of user credentials. You should use two-factor authentication to log in to sites with your financial or personal information. Applications for your smartphone such as Google Authenticator and Duo Security generate one time tokens that serve as a second factor. More familiar is the text messaging that many sites still use to send one time codes to users. This process has been deprecated by the Federal government (because of potential eavesdropping attacks), so use the dedicated security apps, if possible. Still, other financial sites do not yet have any two-factor authentication available. For these make sure to use 12 character strong passwords. Such complex passwords should be managed using password vaults like LastPass or KeyPass.
The last factor to consider is encryption. Never store any sensitive data online without encrypting it, using a password known only to you. It is true that collaboration sites like Dropbox do encrypt the data you save there. But they still have the encryption keys and can view the data. These keys can be hacked or stolen by a disgruntled employee. That’s fine for 99% of the information you store online. But for the other 1%, especially personal or corporate sensitive material, only you should have the encryption key. Applications like Boxcryptor integrate with Dropbox and enable you to further protect your information.
These three security precautions will help you keep your personal and professional information secure. Since threats and vulnerabilities are constantly changing, you must keep up to date using the online resources and other peer group information on this topic.