Moving beyond the boardroom

Wednesday, 01 October 2014

Matthew Sainsbury photo
Matthew Sainsbury

    The evolution of cyber crime means criminals are now personally targeting executives and directors as well as businesses, writes Matthew Sainsbury. 

    Malware (short for malicious software), viruses and the physical security of the boardroom are the least of a company director’s security concerns in the modern world of corporate espionage. That is not to say they should be ignored, but the biggest threats to boardroom security are now, ironically, the most technologically simple.

    In May a report found that an Iranian hacking network (which was likely to be state sponsored) had embarked on a three-year campaign to use social networks to insert individuals into organisations and have them build friendships with US lawmakers, defence contractors and military generals in order to obtain critical information. China, and numerous other nations that compete with western interests, are under deep suspicion of using similar techniques and extending their reach beyond government targets to also gain corporate secrets to assist their business assets. Organised crime networks, from the drug cartels in Mexico through to the mafia and Japan’s yakuza, are increasingly involved in using the internet for their own businesses, and are well known for recruiting teams of hackers and online agents.

    These groups operate on the assumption that their targets will have powerful firewalls and regularly sweep the network for viruses, and so the better organised hacker groups are not even bothering to try to hack into networks in the traditional way. Instead, they are turning to much more subtle information-gathering strategies.

    “If hackers are going after your organisation, these days it is unlikely to be an accident, or done for fun as we have seen in the past,” says Rob McMillan, research director at technology research and advisory firm Gartner (Twitter @Gartner_Inc). “They are now well-organised and very well-resourced adversaries that target organisations for whatever reason, be it financial information, to cause brand damage or to access intellectual property. They don’t just stand hammering at the external firewalls of the company.

    “Instead of trying to code their way into an organisation, these hackers now research the senior executives that they’re about to target. They have the resources to spend a lot of time researching them, understanding their habits and interests and so forth, and then using that information in such a way that the executive wouldn’t even know they’re being targeted until it’s too late.

    “One of the most common things they’re doing at the moment is crafting very specific communications such as an email message based on the information they have about the executive’s interests that are designed to get them to click on a link and download malware that will then go unnoticed for a period of time.

    “Senior staff need to be cognisant that they can be individually targeted by hackers, rather than their organisation,” he says.

    Hackers have been seen to develop much more elaborate strategies to gain access to sensitive information. Consider the following scenario: a company director is named on the website for the company on whose board he or she sits. With nothing more than that name and brief biography, a hacker will be able to do some Google searching and turn up some additional information instantly, such as the executive’s LinkedIn profile and perhaps even Facebook and Twitter accounts.

    Now imagine that the director has a keen interest in running and has a fitness band that automatically uploads their morning run data to their phone and from there is posted to their Facebook or Twitter accounts. It might be hidden behind the security settings, so that only the individual’s friends can see it, but a little research into the family tree of this individual yields their mother’s maiden name, which is one of the most common security questions for a password reset.

    Getting the location data from the fitness band allows the hacker to work out where the director lives and by studying their movements from day to day it is also then possible to determine the optimal time to break in to the house (i.e. when no one is around). A little more research yields the date of birth, which in combination with the residential address is enough to commit identity fraud with everything from banks to government agencies, giving the hacker instant access to any amount of data on the individual that they might need.

    That scenario might sound fanciful, but the reality is that if a hacker has enough of a reason to get this information, they are now being provided the resources and time to make it happen from their sponsors.

    Many company directors are aware of the risks of having too much data on the internet and have shied away from social media profiles, but there is a lot of information that a hacker can obtain with something as simple as a name, and there are some public sources of information that individuals can do little to remove themselves from.

    “I know senior executives and some directors have been very conscious of not putting a lot of information about themselves online,” says Jan Begg FAICD, managing director at consulting firm Azulin. “It’s not necessarily enough of a safeguard. A director might avoid putting their home address on the internet in any fashion, but it will still be sitting on the electoral roll, for example. Once someone has a general idea of where you are they can get that information from the electoral roll.”

    “And, of course, there are many of us who are involved in consulting, or other public work, where we need to have our profiles on the internet in some form. These security challenges are a real dilemma for directors and we need to think more deeply about them,” she says.

    Even if a director shies away from social media completely, it is still possible for photos and enough usable information on the individual to show up on the internet to aid a hacker’s research. A son or daughter might post an innocent family photo on Facebook while on a holiday, for example, or a news website might have a photo of the individual attending a function for an interest outside of work.

    This kind of information is difficult to control, and is having serious ramifications in many fields. In 2011 former Australian Federal Police (AFP) commissioner, Mick Keelty, spoke at the Security 2011 Conference and highlighted how difficult it was becoming to insert undercover police into crime groups. Social networks, facial recognition software and similar tools were making it difficult to keep an individual anonymous enough that the criminals were not able to research who they were.

    While company directors do not need the same level of anonymity as an undercover policeman, the challenges facing the AFP highlight just how illusionary the concept of privacy really is in the modern world, and obvious targets for hackers, such as company directors, need to be aware that the challenges they face are more significant than a virus or spam email.

    The Urgent Need For Awareness

    Some recent findings from national computer response emergency team CERT Australia reveal just how far Australian organisations, executives and directors need to come with regards to security awareness. Sixty one per cent of organisations do not have cyber security incidents identified on the risk register. Only 27 per cent of organisations had increased expenditure on IT security in the previous 12 months, 16 per cent of organisations had no staff dedicated to IT security, and more than 60 per cent of respondents think that IT staff, the CEO and board of directors need to improve their IT security skills and/or practices.

    That is not to say there has not been any improvement to security practices over the years. Claire Filson MAICD, director of Moorebank Intermodal Terminal, Linking Melbourne Authority and the Port of Hastings Development Authority, says the physical boardroom itself has become far more secure.

    “When I started working 30 years ago you could walk into any office block and pick up anything off the desk and walk out. You may or may not have been challenged, but there was no security in terms of swipe cards, so people having the ability to just walk away with board papers is no longer a big issue,” she says.

    Instead, the security challenge that organisations face is typically the result of human error, Filson adds. Organisations should still be on the lookout for the occasional disgruntled employee leaking information, but with boardrooms increasingly locked out to any but the highest level of executives, this too is less of a concern than it once would have been.

    Equally, organisations need to be aware of potential leaks from outside an organisation. From payroll to cloud computing, disaster recovery and even security itself, organisations are increasingly relying on third party managed services providers to hold on to critical data. Even board papers are now being delivered electronically from a cloud, as organisations look to do away with paper trails and the security risks inherent with that approach.

    By itself the cloud is no less secure than conventional solutions. In fact, the ability to encrypt board papers on an iPad or other mobile device, and then remotely delete them if the device is left in a taxi or on an airplane, actually makes a well-managed cloud solution more secure than locked filing cabinets and shredders. But because many directors are not aware of the constant ebb and flow of security challenges facing organisations, they are reliant on their organisation’s management being aware of the issues and proactively managing them.

    This is especially the case when it comes to home networks and the bring-your-own-device (BYOD) trend. “There’s been such energy and interest in the idea of being connected 24/7 and allowing people to work at all hours because it’s flexible and enables greater productivity,” Filson says.

    “But I’m not seeing companies recognising the downside of that yet. Organisations and management cannot be sure how people will use their personal devices when not for work and that is a significant security risk. It’s an essential component in modern business, but they’re struggling with how to manage the security of it, and while some companies are recognising it’s an issue even if they don’t know how to deal with it, others are in denial.”

    There is no consensus with regards to the solution or even best practice to manage the risk. McMillan recommends that as best practice, executives should completely separate their devices for work and personal use, and ensure that if they have a personal email address or use Dropbox, Evernote, and other consumer applications, they do not use these for work purposes.

    “Executives need to separate their personal and professional lives electronically and go as far as to have a professional email and computer and personal email and computer,” he says. Some directors are proactively trying to do this, going as far as refusing to make use of WiFi because of the inherent security risks of such technology.

    However, Begg argues that trying to limit the functionality of technology may mean that people take risks in the interest of convenience. “If multiple boards issue separate devices so that you cannot use your own computer or iPad to access board papers, then you need to juggle the multiple devices and physically secure them,” she says.

    Latest news

    This is of of your complimentary pieces of content

    This is exclusive content.

    You have reached your limit for guest contents. The content you are trying to access is exclusive for AICD members. Please become a member for unlimited access.