Board Directors Are at High Risk
Board directors occupy a position of exceptional access and influence, placing them at high risk of becoming a target of malicious cyber threat actors ranging from sophisticated nation-state operatives to organized criminal groups and opportunistic hackers. A recent Mimecast and Cyentia Institute report reveals that board members and executives, along with salespeople, carry the highest overall risk of successful phishing attacks.
This boardroom tool provides practical, actionable steps to minimize directors’ personal risk exposure, reduce corporate risk exposure, and strengthen resilience against sophisticated cyber threats. The relatively small investment required to implement these measures is far outweighed by the protection they provide to both the director community and the organizations they serve.
Taking a proactive approach to your personal cybersecurity can deliver significant advantages:
- Reduce corporate risk exposure: By securing your personal digital footprint, you mitigate potential risk exposure to the organizations you serve.
- Demonstrate leadership: Setting “the tone at the top” by modeling good security practices encourages a broader organizational security culture.
- Enhance decision-making confidence: Secure communications enable more transparent and thorough board-level discussions of sensitive matters.
- Protect personal assets: The same measures that protect corporate interests simultaneously safeguard directors’ personal financial and private information.
- Improve cybersecurity fluency: Directors with strong security practices improve their understanding and awareness of cyber risks and threats.
Understanding this elevated personal-risk profile and the common forms of malicious cyber activities employed in targeting high-risk individuals is the first step toward effective personal protection and corporate security.
Common Attacks Targeting Board Members
- Spear Phishing and Whaling Attacks: These malicious cyber activities employ highly personalized, deceptive communications specifically crafted using publicly available information to target high-value, executive-level individuals in order to trick them into revealing credentials or installing malware. This publicly available information can be pulled from social media, public appearances, or speaking engagements.
- Executive Impersonation and Deepfakes: Threat actors creating false personas mimicking company executives’ or fellow board members’ identities can trick directors, executives, or employees into authorizing financial transactions, granting access to sensitive information and accounts, or taking other actions on behalf of the threat actor. New AI technologies are improving the effectiveness of such techniques, driving the need for additional awareness and training.
- Mobile Device Targeting: This malicious activity leverages specialized malware or device exploits to target smartphones and tablets, which can contain both corporate and personal sensitive data.
- Home Network Infiltration: Gaining unauthorized access to vulnerable residential networks and connected devices can provide backdoor access to personal or corporate systems.
Potential Consequences of Compromised Systems and Devices
A director whose computer systems are compromised by a threat actor can be the entry point for a potentially wide-ranging compromise of the company's digital infrastructure, with consequences that extend far beyond personal inconvenience. The compromise of a corporate director can have consequences like these:
- Corporate Data Breaches: Directors' compromised credentials or devices can become the entry point for major corporate data breaches.
- Financial Losses: Both personal financial theft and corporate financial damage can result through fraudulent transactions or business-email compromise.
- Regulatory Penalties: Directors could be held personally liable under various data protection regulations for failures to implement reasonable security controls.
- Reputational Damage: Erosion of trust with shareholders, customers, and partners could significantly impact company valuation and future opportunities.
- Strategic Intelligence Loss: A compromised system or device could expose confidential corporate strategies, M&A plans, or intellectual property to competitors or market manipulators.
Personal Cybersecurity Protections
Passwords and Accounts
Why This Matters: Access credentials are the keys to corporate kingdoms and are how most hackers gain access to sensitive information and systems. For directors, compromised accounts can lead to unauthorized access to sensitive board materials, financial data, strategic plans, and other critical corporate information. Implementing strong authentication practices is a critical component of personal cybersecurity and includes the following best practices:
- Use a password manager: Password managers enable the use of unique, complex passwords for each service without the cognitive burden of memorization, improving your overall security posture.
- Use strong passwords unique to each site/account: Password uniqueness ensures that the compromise of one service does not cascade to others, containing any breach to the single affected account.
- Minimize or prevent password reuse: Password reuse is the primary vector (credential stuffing, in which credentials leaked from one breach are tried against other sites) by which breaches of low-security services escalate to a compromise of high-value corporate assets.
- Use phishing-resistant authentication when possible: Utilize options like FIDO passkeys or hardware-based security tokens. These methods provide cryptographic proof of possession that is bound to the legitimate site, so a look-alike phishing page cannot obtain a usable response, and there is no code for a user to be tricked into typing or relaying. Directors should disable SMS, email, or phone one-time passwords (and similar authentication or account recovery options), when possible, in favor of these options, since such codes can be intercepted or relayed through a phishing page in real time.
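The phishing-resistance argument above, as an added example that is not part of the original document: a simplified Python model of a passkey login next to a one-time-code login, each run through a look-alike phishing page that relays traffic to the real server. The model is an assumption-laden stand-in, not the FIDO/WebAuthn implementation: HMAC takes the place of the authenticator's per-credential private key, the browser's rpId rule is modelled by scoping credentials to the host part of the origin, and the two origins and the `Authenticator`, `server_verify`, `passkey_login`, `replay_captured_assertion` and `otp_login_via_phishing_page` names are hypothetical. The origin binding it shows is the real mechanism passkeys rely on.

```python
"""Why passkeys resist the phishing relay that defeats one-time codes.

Added illustration, not code from the original document. Simplified model:
HMAC stands in for the authenticator's per-credential private key, and the
browser's rpId rule is modelled by keying credentials on the origin's host.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

LEGIT_ORIGIN = "https://portal.example-board.com"   # hypothetical board portal
PHISH_ORIGIN = "https://portal.example-b0ard.com"   # hypothetical look-alike domain


def rp_id_from_origin(origin: str) -> str:
    """The browser, not the page, tells the authenticator which site is asking."""
    return origin.split("//", 1)[1].split("/", 1)[0]


class Authenticator:
    """Models a passkey authenticator: credentials are scoped to an rpId, and every
    assertion is signed over client data naming the origin actually connected to."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register(self, origin: str) -> bytes:
        key = secrets.token_bytes(32)
        self._keys[rp_id_from_origin(origin)] = key
        return key  # real WebAuthn gives the server a public key; here it gets the shared secret

    def get_assertion(self, origin: str, challenge: str) -> Optional[Tuple[bytes, bytes]]:
        rp_id = rp_id_from_origin(origin)
        key = self._keys.get(rp_id)
        if key is None:
            return None  # no credential for this site: a look-alike domain cannot ask for it
        client_data = json.dumps({"origin": origin, "challenge": challenge}, sort_keys=True).encode()
        signed = hashlib.sha256(rp_id.encode()).digest() + client_data
        return client_data, hmac.new(key, signed, hashlib.sha256).digest()


def server_verify(key: bytes, expected_origin: str, issued_challenge: str,
                  client_data: bytes, signature: bytes) -> bool:
    """Relying-party check: valid signature, our challenge, and our origin in the signed data."""
    rp_id = rp_id_from_origin(expected_origin)
    expected = hmac.new(key, hashlib.sha256(rp_id.encode()).digest() + client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    data = json.loads(client_data)
    return data["origin"] == expected_origin and data["challenge"] == issued_challenge


def passkey_login(page_origin: str) -> bool:
    """User authenticates on the page at page_origin. A phishing page acts as an
    adversary-in-the-middle: it fetches a real challenge from the legitimate server,
    relays it to the victim's browser, and hopes to relay the response back."""
    auth = Authenticator()
    key = auth.register(LEGIT_ORIGIN)           # passkey was created on the real portal
    challenge = secrets.token_hex(16)           # issued by the legitimate server
    assertion = auth.get_assertion(page_origin, challenge)
    if assertion is None:
        return False                            # authenticator refuses: wrong rpId
    client_data, signature = assertion
    return server_verify(key, LEGIT_ORIGIN, challenge, client_data, signature)


def replay_captured_assertion() -> bool:
    """A captured assertion is useless later: the server issues a fresh challenge per login."""
    auth = Authenticator()
    key = auth.register(LEGIT_ORIGIN)
    client_data, signature = auth.get_assertion(LEGIT_ORIGIN, secrets.token_hex(16))
    new_challenge = secrets.token_hex(16)
    return server_verify(key, LEGIT_ORIGIN, new_challenge, client_data, signature)


def otp_login_via_phishing_page() -> bool:
    """Same relay with an SMS/email one-time code. The code carries no origin, so the
    server cannot tell that it was typed into the look-alike site and forwarded."""
    code = f"{secrets.randbelow(10**6):06d}"    # server texts this to the user's phone
    typed_on_phishing_page = code               # user enters it on the page in front of them
    relayed_to_real_server = typed_on_phishing_page
    return hmac.compare_digest(relayed_to_real_server, code)  # accepted: attacker is logged in


if __name__ == "__main__":
    print("passkey on real portal   :", passkey_login(LEGIT_ORIGIN))
    print("passkey on phishing page :", passkey_login(PHISH_ORIGIN))
    print("replayed passkey response:", replay_captured_assertion())
    print("OTP relayed via phishing :", otp_login_via_phishing_page())
```

The two failure paths for the attacker are both structural: the authenticator never produces a response for a domain it was not registered on, and even a captured response is tied to one challenge and one origin. The one-time code fails precisely because nothing in it records where it was typed.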
Operational Security
Why This Matters: Corporate directors’ positions give them access to valuable, proprietary information and access credentials that place them at high risk for social engineering, phishing, and advanced persistent threats. Operational security practices help establish a multilayered approach that minimizes risk vectors and establishes protocols for responding to potential compromise attempts.
A starting point for directors includes assessing and understanding personal risk profiles and maintaining awareness and controls that effectively mitigate the most significant risks. The director onboarding process offers a natural opportunity to educate directors about these best practices and for directors to ask questions regarding their operational security and the board’s expectations for their personal security behavior. The “Guide to Inclusive Director Onboarding” in NACD’s 2023 Culture as the Foundation Blue Ribbon Commission report identifies opportunities in the pre-onboarding period and the first six months of board service where this education can be provided.
- Assess your personal risk profile: Understanding your specific risk profile based on your industry, company position, and geopolitical factors allows you to apply appropriate security measures proportionate to your actual risks.
- Be aware of your social media presence: Social media presence creates an information footprint that adversaries can use for reconnaissance and to craft targeted malicious activities. Directors should inventory what is shared online, personally or professionally, across common sites like LinkedIn, Facebook, Instagram, and TikTok, as well as in media coverage, and minimize sensitive information that could be used to tailor malicious activities against them.
- Backup critical personal information using the "3-2-1" rule: This approach means that attempts to impair the integrity or availability of information, like ransomware that encrypts a target’s primary systems and any connected backups, do not lead to permanent data loss, provided the offsite copy is kept offline or otherwise unreachable from the primary systems.
- 3 copies, 2 different media types, and 1 offsite/alternate storage location
- Separate personal and business communications/accounts where possible: Segmentation reduces the likelihood that a compromise of personal accounts will affect corporate assets and vice versa.
- Use the security features of board portals: Board portals contain valuable information, and many have secure communication and data-sharing features. Directors should ensure they utilize security features like phishing-resistant multifactor authentication (MFA) and abide by the board’s policies for secure communication and data retention.
- Elevate your phishing awareness and responsiveness: Be hyperaware of, and establish processes and responses for, phishing, vishing (voice), and smishing (SMS) scams designed to steal confidential information, as these remain some of the most common compromises effected against executives.
- Establish secondary/backup communications processes to defend against deepfake voice impersonation: Executive voice deepfakes and impersonation utilizing AI-generated voice capabilities have become sophisticated enough to fool staff into taking action on fraudulent instructions. Secondary verification channels, such as calling back on a number already on file or confirming through the board portal before acting on an urgent financial or access request, can reduce the risk arising from these schemes.
- Use reputable and secure sites for financial, email, and board portal services:
- Financial accounts are high-value targets, and compromised shopping or banking sites can lead to credential theft.
- Using trusted tools and services can reduce the risk of email-based compromise.
Antivirus and Patch Management
Why This Matters: Software vulnerabilities are constantly discovered and exploited. Unpatched systems represent an open door for malicious cyber threat actors. “Internet-of-Things” (IoT) devices that are embedded with sensors, software, and other technologies further elevate a director’s risk exposure, as these devices often have weak security configurations but significant access to computer networks and personal data. Regular updates and security monitoring can close these gaps and provide early warning of compromise attempts.
- Use reputable sources/vendors: Some vendors demonstrate a commitment to managing and updating their devices to protect against evolving threats, while other vendors have demonstrated a pattern of significant design flaws, unpatched vulnerabilities, weak or hard-coded default passwords, or products that have been leveraged for malicious activity. During onboarding, directors can discuss with the company’s management what vendors they recommend. Special attention should be given to home network routers and similar equipment with privileged access to computer networks.
- Enable active monitoring/alerting: Real-time monitoring allows for rapid response to potential compromises, limiting the dwell time of malicious actors and reducing potential damage. During onboarding, directors can discuss with the company’s management what solutions they recommend for this capability.
- Enable automatic updates on personal computer, mobile, and home office devices when available: Manual update processes often lead to delays in patching critical vulnerabilities. Automatic updates provide more timely protection against known exploits.
- Major computer operating-system and software vendors provide regular patches that generally should be applied immediately.
- Ensure that you either update or set to automatically update firmware for your IoT devices within your home/office (e.g., routers, sensors, smart TVs, refrigerators, thermostats, household cameras, cars, etc.).
Mobile Security
Why This Matters: Many people store sensitive corporate information and communications on their mobile devices. These devices are particularly vulnerable due to their portability, connectivity to various networks, and the possibility of physical theft and loss. Steps directors can take to harden their mobile device's security include improving device authentication methods, such as alphanumeric or biometric authentication, and enabling remote tracking and wiping capabilities to protect against unauthorized access if their devices fall into the wrong hands.
Device Options
- Use an alphanumeric-based password containing numbers, letters, and special characters: Complex passwords significantly increase protection levels and the time required for brute force attacks compared to four- or six-digit PINs.
- Enable biometrics when possible: Biometric authentication, like Face ID or Touch ID, adds a layer of security that is difficult for attackers to replicate while maintaining convenience.
- Consider enabling iOS Lockdown Mode or Google’s Advanced Protection option: For directors with elevated threat profiles, these modes provide maximum protection against sophisticated attacks at the cost of some device functionality.
- Enable "Stolen Device Protection" and "Find My": Find My lets you locate and remotely lock a lost or stolen device. Stolen Device Protection (iOS) requires Face ID or Touch ID, with a delay, for sensitive changes such as changing the Apple ID password or turning off Find My when the device is away from familiar locations, so a thief who has observed the passcode cannot quickly lock you out or disable tracking. Together these limit access to sensitive corporate information even if the device is in someone else’s hands.
- Ensure remote wipe capability is available and active: The ability to remotely erase a device’s contents serves as a last line of defense when they are lost or stolen, preventing access to sensitive data in the event other security measures have been bypassed.
- Users of iOS and Android devices can use the “Find My” and “Find My Device” features, respectively, to remotely erase their mobile device’s contents.
- Only install applications from reputable sources: Applications downloaded from non-reputable sources can provide an attack vector for mobile device compromise. App stores, like the Google Play Store, Samsung Store, and Apple’s App Store, provide basic vetting that significantly reduces this risk compared to sideloaded applications.