Social Engineering & Phishing Emails in the Boardroom

Board members and high-level executives are prime targets for both social engineering and phishing, and techniques for both are becoming more and more sophisticated.

Cyber risk and cybersecurity are something boards are now monitoring within their own organizations. Deloitte encourages boards to challenge management to come up with key performance and risk indicators, among many other measures to combat cyber risks. But one of the primary targets for criminals who carry out these attacks are board members themselves due to the high-level access most have to sensitive company data.

Use a Dedicated Board Portal for Communications

Phishing is when a fraudulent email which is made to look like a legitimate one is sent out to gather credentials or information, and they are endemic because they work. 95% of successful cyberattacks resulted from phishing emails in 2017. MacEwan University in Edmonton, Alberta lost $12 million to a phishing attack in 2017, and Alberta Health Services had 20 staff email accounts compromised in 2018. Phishing emails are very cleverly disguised, and most major organizations deal with a number of phishing attempts per day. 

A phishing email usually looks like it comes from a trusted organization, such as Google or Microsoft. It typically asks for the target’s user name and password to log onto its site, or a payment method such as a credit card number. It may also ask you to click on a link which can download malware – up to 92% of malware is delivered this way. One of the key things to get across in anti-phishing training is that no service will ever send you an email asking you for your login credentials or payment method.

Social engineering is another way that criminals use to obtain credentials. They will impersonate someone who requires your credentials and will usually use information obtained through social media profiles to make their request and job title sound credible. For example, they may impersonate another board member’s executive assistant to obtain your login information because their boss has lost theirs.

 Have a Dedicated Company Email Address

Many members use personal emails for board communications if they are not employed by the company. In 2017, the Global Transportation Hub, a Government of Saskatchewan initiative, was reprimanded by the provincial privacy commissioner for its board members’ use of personal email in sensitive communications involving the organization. The simple solution for this problem is to ensure that board members have their own emails on the company domain, and to have access to log into their company email in a separate, secure manner apart from their own personal email. This way, all filters and phishing protection measures in place at the company will be applied to these sensitive emails. There is a small measure of personal inconvenience for the board member, but this must be sacrificed for the sake of security.

 Have In-Class Training Sessions for Board Members

Since board members are often primary targets for hackers, they should receive specialized training on avoiding social engineering, phishing, and other methods that could be used to obtain their credentials and sensitive company data. If your organization is large enough, a session with an IT employee or the CIO should be enough to properly train them and provide   assistance and answers to questions. According to PhishMe, employee susceptibility rates to phishing emails reduced to 5% with proper training. A webinar would not be sufficient, as a time-strapped professional may miss key items, and it may not answer specific questions they have. This training would ideally be placed immediately before a board meeting in order to respect everyone’s time.

Ensure Email Security is Enabled for the Organization 

 Proper cybersecurity measures help to eliminate the possibility of human error at an executive level, as well as everywhere else in the company.

Use a Dedicated Board Portal for Communications

Dedicated board portals such as DiliTrust Exec have significant security measures in place that go over and above cybersecurity best practices. They also make participating in and running board meetings much easier,   members can join securely and share files from anywhere in the world. Measures used include hosting certified to the international standard ISO/IEC 27001:2013, which guarantees use of an information security management system for data security. Data is encrypted while stored with the Advanced Encryption Standard (AES) with a 256-bit key. In transit, it is protected with TLS encryption at the highest levels of encryption available. Using one secure solution for the majority of board communications will elevate the security and quality of your board meetings.