Non-executive directors (NEDs) have seen an alarming increase in the frequency and sophistication of cyber security attacks. NEDs often work on behalf of several organisations and in many locations, which dramatically increases their personal exposure to a range of security issues.
Having consulted Boards across industries and around the world on cyber security, we’ve found four key ways in which a NED can operate more securely.
1. Travel more securely
Many NEDs travel extensively for each organisation within their portfolio, often including trips outside the UK. This presents challenges, such as:
- connecting to public Wi-Fi
Public internet connections are unsecured and therefore vulnerable to attackers. NEDs should connect via a trusted hotspot, such as their own mobile phone network, instead of using Wi-Fi in hotels, airports, train stations or coffee shops.
- having screens visible
With convenient ways of working remotely continuing to evolve, many NEDs work while on the move, giving onlookers the chance to peek at information. Install a privacy screen on your laptop to prevent people viewing sensitive information.
- being approached in person
Face-to-face cyber-attacks are easy to carry out. They often begin with someone asking to borrow a phone, plug in a USB (or another device) or access a site when their own network is unavailable. Any time you let someone use your device, however briefly, there’s a risk of them covertly installing malware or attempting to steal data. In many cases, they can do this in seconds.
2. Keep a secure gap between your different NED roles
NEDs may hold many different appointments at the same time, each requiring access to different systems, email accounts and phones. It’s vital for NEDs to ensure they have different security details for each organisation and account. That way, if an attacker compromises one account, they won’t have easy access to all organisations.
Ensuring a gap between different NED roles can include:
- using organisation-specific equipment for NED-related work - separate devices minimise the risk of a cyber-attacker gaining access to numerous organisations if one device is compromised
- using different passwords for different accounts - this decreases the chances of an attacker accessing multiple systems, if one is breached.
3. Be careful with unexpected contacts and requests
NEDs can be involved with many organisations and communicate regularly with dozens of people. And it’s common for new contacts to emerge with requests, offers, messages and updates. Attackers take advantage of this by:
- posing as a known contact, for example by using a similar but non-identical email address, and assuming you won’t notice
- posing as a known contact by using a different email address and asking you to use that address due to ‘technical errors’
- pretending to be another colleague within your organisation, sending (or requesting) some important information
- getting in touch offering an opportunity (such as speaking at an after-dinner event) and asking you to visit a site or download a form to progress the discussion
- sending an invoice to you in the hope you will forward it to a more appropriate colleague, who may assume its authenticity has been verified.
Attackers take advantage of human error because basic security defences can now prevent the historical low-tech attacks, such as emails announcing an overseas lottery win. If unknown contacts do approach, verify their authenticity by speaking to them via a trusted phone number, or via a trusted contact.
4. Carefully manage your online NED profile
NEDs may be unaware of the volume of material attackers can access, as well as how and why to limit that access. For example:
- use an office address (rather than personal home address) when registering as a company director, as this information is available at Companies House
- ensure profile pages on organisation websites don’t contain personal information (for example spouse’s or children’s names) as this type of information can be used maliciously
- restrict social media privacy settings so attackers can’t locate personal details, family information or places regularly visited.
NEDs are constantly targeted by cyber criminals due to the highly sensitive and valuable information they have access to. With many NEDs managing several appointments, technology often becomes both the first and last line of defence, but human error is still the main vulnerability. By taking the four steps above, a busy NED can better protect themselves against cyber-attacks.