A Board Full of Prey: Your Digital Private Life as a Business Risk

A Board Full of Prey: Your Digital Private Life as a Business Risk
The digital private lives of directors and Supervisory Board members pose a cybersecurity risk. Although cybercrime is high on the agenda of virtually every Board of Directors and Supervisory Board these days, it is often the Executives and Non-Executives themselves who do not have their digital hygiene in order. The boardroom is therefore a cyber risk to its own organization.

Let's start with a compliment: most companies in the Netherlands and Belgium have their own cybersecurity pretty much in order. The Chief Information Officer (CIO) or Chief Information Security Officer (CISO) have usually secured their digital business environments accurately with watertight networks and strict policies for users. Security is so good that an intelligent cybercriminal would not consider storming the digital corporate walls as it poses a tough challenge. This all is commendable. However, there is a ‘but’. The less good news is that the hacker does not back down easily. A highly creative problem solver, he or she is always looking for the weakest spot within an organization. And that weak link today lies not so much within the digital company walls, but often in the private environment of Executives themselves.

Why the members of the Board are at risk
Directors are ‘just people’ – and cybercriminals know that all too well. Directors also choose a password that still looks like a variation of Welcome123. For their convenience, directors also choose the same password for their e-mail account as for a hotel booking site. Directors also sometimes forget to update an application to the very latest version. Moreover, corporate applications can be found everywhere on mobile devices these days:  we all, today, work ‘on the go’.
Hackers focus on that. Using bots, they continuously scan thousands of Executives and Non-Executives worldwide for a possible entry. Only when he or she has a ‘bite’ in the ocean of cyber information (a leaked password on an online site, for example), the hacker would focus on a specific Executive. Cyber criminals also have the luxury of time, they wait for the next window to open. They could spend months co-reading the Executive’s mail, with no one being aware of it.

Extra attention for the supervisor
Although cybercriminals find all Executives of large companies interesting, the Non-Executive may still be the most attractive target. Members of a Supervisory Board have access to all of a company's confidential documents. Even better: often from multiple companies; after all, they often hold multiple Supervisory Directorships. Usually, those Supervisory Board members do not fall under the strict digital rules of the Chief Information (Security) Officer. The CI(S)O can often only hope that the Supervisory Board members have their own digital hygiene in order and handle confidential documents carefully. For hackers, a non-executive is interesting prey.

The examples: from reputation damage to bankruptcy
That the above is no fiction is demonstrated by research by the British fraud prevention organization Cifas. They recently published data showing that executives are twice as often targeted by hackers as ordinary citizens. Examples of executives affected by cybercrime are increasingly surfacing in the media. In Sweden, the identity details of the CEO of security company Securitas were misused to apply for a loan in his name, resulting in bankruptcy. In the United States, cybercriminals extorted the CEO of energy company Invenergy with ‘personal and spicy information’. In Belgium, an Executive became discredited after he failed to inform his company of a personal hack. These public examples are undoubtedly only the tip of the iceberg. Many incidents remain under the radar. For fear of reputational damage, companies or executives are far from always reporting when they have been attacked by hackers.

Financial and emotional damage
Speaking of that damage: the consequences of a hack through the private domain can be enormous. Not only for a company, but certainly for the Executive himself. When it comes to the financial risks: insurers are less and less likely to offer comprehensive policies for cyber insurance. The risks are simply too great (and therefore unpayable). Companies will therefore put the bill on the executives who are at fault. They will be held personally liable. Unfortunately, there is more than the financial loss: a hack often means the end of an Executive’s career in the Boardroom. And equally unpleasant: it often also does irreparable damage to the person's reputation in family - or friend circles, especially if extortion with ‘spicy information’ is involved.

Time for action
Anyone seeking a boardroom position today must exhibit minimal digital hygiene. Gone are the days when digital sloppiness was covered with the cloak of affection. No one can any longer hide behind ‘digital complexity’. Executives will have to ask themselves not only how well their company is secured, but precisely how well they themselves are secured. And one step further: they will have to ask themselves how well their fellow Executives are secured. Can they be trusted in the area of general digital hygiene?
It must, in short, be improved. Fortunately, there is an upside: it is not that complicated. There are plenty of ways to better protect the private digital domain. It requires a solid dose of common sense, dedicated digital hygiene and support from an expert. The first step anyone can take today is to put this on the agenda for discussion in a meeting with the Chief Information Officer or Chief Information Security Officer. Executives will need to engage with them further to address digital vulnerabilities especially among themselves, to turn the private digital domain into an impregnable fortress.

The author of this article is managing director at Cyberwolf.io, a company that focuses on personal cybersecurity of executives and non-executives. The author chooses to remain anonymous. His identity is known to the chief editor of Management Scope. This essay was published in Management Scope 01 2023.