
Boardroom Tool

Personal Cybersecurity Protection Guide for Corporate Directors

By United States Secret Service

04/16/2026


This boardroom tool, featured in the fifth edition of the NACD-ISA Director's Handbook on Cyber-Risk Oversight, provides practical, actionable steps to minimize directors’ personal risk exposure, reduce corporate risk exposure, and strengthen resilience against sophisticated cyber threats.

Common Attacks Targeting Board Members

Spear Phishing and Whaling Attacks

These malicious cyber activities employ highly personalized, deceptive communications specifically crafted using publicly available information to target high-value, executive-level individuals and trick them into revealing credentials or installing malware. This publicly available information can be pulled from social media, public appearances, or speaking engagements.

Executive Impersonation and Deepfakes

Threat actors creating false personas mimicking company executives’ or fellow board members’ identities can trick directors, executives, or employees into authorizing financial transactions, granting access to sensitive information and accounts, or taking other actions on behalf of the threat actor. New AI technologies are improving the effectiveness of such techniques, driving the need for additional awareness and training.

Mobile Device Targeting

This malicious activity leverages specialized malware or device exploits to target smartphones and tablets, which can contain both corporate and personal sensitive data.

Home Network Infiltration

Gaining unauthorized access to vulnerable residential networks and connected devices can provide backdoor access to personal or corporate systems.


Personal Cybersecurity Protections

Passwords and Accounts

  • Use a password manager.
  • Use strong passwords unique to each site/account.
  • Minimize or prevent password reuse.
  • Use phishing-resistant authentication wherever possible. Where you can, disable SMS, email, or phone one-time passwords (and similar authentication or account recovery options) so that multifactor authentication provides effective protection.
  • Ensure remote wipe capability (iOS/Android “Find My Device”) or corporate Mobile Device Management (MDM) solution capability.

Operational Security

  • Assess your personal risk profile and be aware of your social media presence.
    • Understand and inventory the information you are sharing or providing to a potential adversary.
    • Be mindful of what you share online personally or professionally; it could be used against you.
  • Back up critical personal information using the “3-2-1” rule: 3 copies, 2 different media types, and 1 offsite/alternate storage location.
  • Separate personal and business communications/accounts where possible.
  • Elevate your phishing awareness and responsiveness. Be hyper-aware of phishing, vishing, and smishing scams designed to steal confidential information.
  • Establish secondary/backup communications processes to defend against deepfake voice impersonation.
  • Use reputable and secure sites for financial, email, and board portal services with end-to-end encrypted communications where appropriate and permissible.

Antivirus and Patch Management

  • Use reputable software and hardware sources/vendors.
  • Enable active monitoring/alerting to allow more rapid response to potential compromises, limit the dwell time of malicious actors, and reduce potential damage.
  • Enable automatic updates on personal computer, mobile, home office, and internet of things (IoT) devices when available.

Mobile Security

  • Use an alphanumeric password containing numbers, letters, and special characters.
  • Enable biometrics when possible.
  • Consider enabling iOS Lockdown Mode or Google’s Advanced Protection option.
  • Enable “Stolen Device Protection” and “Find My iPhone”.
  • Ensure remote wipe capability is available and active.
  • Only install applications from reputable sources.


Further Reading

United States Secret Service

The USSS investigates a range of crimes against the US financial system committed by criminals around the world.

Cybersecurity and Infrastructure Security Agency

CISA leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.

Federal Trade Commission - IdentityTheft.gov

IdentityTheft.gov is the federal government’s one-stop resource for identity theft victims. The site provides streamlined checklists and sample letters to guide you through the recovery process.

Internet Crime Complaint Center (IC3)

The IC3 is the central hub for reporting cyber-enabled crime. It is run by the FBI, the lead federal agency for investigating crime.
