Jonathan Knight, Chris Hall, and Stephen Grant are respectively MD, CTO, and Head of Security Operations at Board Intelligence. Together, they have over 70 years of experience in IT and cybersecurity, and worked for organisations ranging from Bloomberg to the UK Ministry of Defence.
“Never let a good crisis go to waste,” or so the saying goes.
Many of us are taking this maxim at heart, as the ongoing pandemic gives us a chance to rethink how we work and spend our time. Unfortunately, criminals are familiar with the adage too, and the upheaval is proving to be an opportunity for them to exploit the change in our habits. So much so, in fact, that the US and UK governments issued a joint warning last week about the “growing use of COVID-19-related” hacks.
“Criminals are actively manipulating the COVID-19 pandemic to their advantage.”
~ Calvin A. Shivers, Assistant Director, FBI
As evildoers “without conscience” target even healthcare providers, we’ve asked our resident experts to share their tips. Between them, they have over 70 years of experience in IT and cybersecurity, and worked for the likes of Bloomberg, the UK Ministry of Defence, and the Royal Navy. Here are their thoughts on how you can keep your board and leadership team meetings secure now they’ve gone virtual.
What’s behind the rise in attacks, and who’s being targeted?
Steve. To break into companies, hackers usually rely less on technical prowess than on psychological levers, such as curiosity or fear. Understandably, there’s a lot of health-related worries at the moment, so malicious hackers are redoubling their efforts to capitalise on the crisis.
Chris. Additionally, with a large number of employees stuck home working on their personal devices, there’s little that IT teams can do to properly secure every system, making them easy targets. And, to top it all, emergency response plans that rely on staff being on site are mostly void during the lockdown, thereby amplifying the damage — and pay-off — a successful breach could cause. This is a very tempting situation for attackers, who are targeting organisations indiscriminately.
“Even organisations who have planned their ransomware response, have planned it under day-to-day regular operations in the world.”
~ Sherrod DeGrippo, Senior Director in Threat Research and Detection, Proofpoint
How can directors working from home keep their meetings secure?
Jonny. If you’ve been following the news, you’ve probably read articles about the security flaws of various videoconferencing tools, such as Zoom temporarily routing its traffic through China. While I can’t vouch for the security of these solutions, in most cases the problems stemmed from bad configurations, not bad tools.
There’s often a trade-off between making something easy to use and it being secure. So, the most popular products are rarely the most secure out of the box. I’d recommend taking a look at the preferences of the videoconferencing system you’ve chosen, agreeing on a given set of security settings, and having every board member stick to these. Does the solution you’re using offer registration, password, and lobby options? If so, turn these on.
“Cybersecurity researchers have warned that security loopholes in [Zoom] could allow hackers to eavesdrop on meetings or commandeer machines to access secure files.”
Steve. Keep in mind the majority of cyber-attacks happen through human negligence, not because of technical hacks. So, it’s not enough to configure things properly: board members also need to be mindful of their own actions. For example, how do they share the link to the meeting? And how do they receive it?
You might have heard of “Zoombombing” — when outsiders join video calls to wreak havoc — and most directors know better than to make board meeting links public. But there’s another, less obvious, danger: being sent a “decoy” link that takes you to a similar-looking meeting that’s actually administered by an attacker, who can record and leak it. So, make sure you both send and receive all meeting-related information in a secure manner.
How do you share board information securely?
Chris. I cannot emphasise this enough: don’t use emails! It comes from a simpler time, before the web was even a thing, and was never designed with security in mind.
Anyone can “spoof” emails, making them appear to come from someone else — which is why it’s so easy for thieves to send legitimate-looking emails “from you” to, for example, your HR department. It shouldn’t be trusted with strategic information.
“The criminals read through the contact’s historical correspondence with an employee at the studio, learnt the typical tone and style of their conversations, and sent a plausible reply to the employee’s latest email.”
Jonny. There are better ways to collate and share management information, using a central system. Most directors are familiar with board portals or board management software, and the convenience they bring. But, beyond the time gains, they also come with security benefits:
- Firstly, having it all in one place reduces the “attack surface.” Fewer tools mean fewer entry points. And it protects you from phishing attempts: if something is coming from outside the portal, you know it’s malicious.
- Secondly, automated processes mean fewer slip-ups. Even a minuscule chance to email a confidential attachment to the wrong person becomes statistically likely when you manually send hundreds of messages to prepare each pack. Portals give greater control over who can see what, when, and what they can do. They also include secure collaboration tools.
- And finally, they let you fix the mistakes that slip through. With a portal, you can change things after the fact (e.g. remove data that shouldn’t be there), and get a log of who saw what. Whereas, once an email is sent, you have no control anymore, and there’s no telling who’s read it or transferred it to whom.
You might think a shared drive, set up by your IT team, will work just as well — and it’s better than emails, of course! But, while it may do the trick within your team, it won’t work with a board that, by definition, partially consists of outsiders to the business.
How to choose secure board technology providers?
Steve. No matter if you’re looking for a portal, a videoconferencing solution, or collaboration tools, a good place to begin is simply to ask for credentials. Not all are equal, so know the key certifications to look for, that, in essence, guarantee a set of best practices — such as ISO 27001 (with a scope that covers their business and the services they provide you, not that of the data centre provider they use), ISO 9001, and Cyber Essentials Plus.
They shouldn’t be seen as a panacea, but their absence is often a sign the provider hasn’t been properly audited or isn’t focused enough on security to go through the process — so it’s an effective way to weed out your short-list.
Chris. Publicly available information can also be a useful indicator. For example, search for their software in your device’s app store. When was the last update? If it’s more than a few months ago, it could indicate less-than-ideal proactiveness. You can also check if they’re available on governmental procurement platforms — such as G-Cloud in the UK. If so, it’s a guarantee that the solution has been vetted for government use.
Finally, ask the provider directly. Typical questions would include:
- Where are their servers located (and are you fine with your data being stored there)? And do they own the physical machines, or are they using shared cloud services, such as Amazon or Azure?
- Are they encrypting everything — both in storage and in transit?
- How resilient is their infrastructure? What happens if one of their servers breaks?
- Do they train and screen their employees? Who amongst their staff will have access to your data?
- Are they running regular “pentests”, where they hire professional hackers to try to break into their systems? Do they pentest their apps as well as their servers? And are they happy to share recent results with you?
Whether you’re technically savvy or not, their openness to answer these questions will usually tell you a lot.