What are the risks of using personal email for board business?
Despite everything going on in the world, there’s been no slowdown in cyberattacks. The increase in the complexity and sophistication of cyberattacks continues to plague cybersecurity experts. If your company hasn’t been victimized by a data breach, it could be that it’s only a matter of time before you will be.
Cybercriminals have found many different ways to enter your system. One of their biggest targets is board directors and executives and one of their easiest ways to gain entrance is through their emails.
Unfortunately, some board directors and executives haven’t gotten the word that they’re putting the company’s information at risk every time they use their personal email accounts for company business and some of them are aware and choose to be careless. Some directors believe that it’s just easier and more convenient to use a personal email account. The reality is that when you have the right tools, it’s just as convenient and easy to log into a secure corporate email platform as it is to go into your personal email account. The risks of allowing a cybercriminal to gain access to sensitive and confidential information aren’t worth any amount of ease or convenience.
Getting Acquainted with Email Attack Strategies
You may have heard the terms phishing or spear phishing, but do you understand what they mean? Both terms refer to an attack that opens the door to cybercrime by getting someone to perform a certain action—this usually comes in the form of tempting someone to click on a malicious link or attachment.
In a phishing attack, criminals send emails to a vast number of random recipients in the hope that some unsuspecting soul will be tempted to click on the link. The link may take you to another site that asks you to input your name, address, and social security number or the link itself may be malicious. Once this happens, a criminal has your information and will sell it on the black market or use it to commit fraud.
Spear phishing works much the same way, but it’s targeted to one individual. Essentially, criminals are looking to spear one fish. By gathering information from the internet, spear phishers tailor an email to a specific individual using their name and other information they found out about you that you may have posted on a social media account or somewhere else on the web. Often, they ask you to transfer or wire large sums of money.
In the context of governance, board directors and executives are the new targets of choice. In a practice that’s known as “whaling,” cybercriminals figure they have more to gain by going after the big fish. The consequences and fallout can be quite severe when a hacker hooks a “big catch.”
Cybercriminals count on some number of people using non-secure email accounts or making human errors as a weak link to your company’s information.
Assessing Your Communications Risks
If you knew someone was a cybercriminal, you wouldn’t think for a moment to hand him or her an email that contains sensitive or confidential board information. Yet, that’s exactly what you’re doing when you don’t take the right precautions to protect your board email account.
According to Forrester Consulting’s April 2018 study, commissioned by Diligent Corporation, 56% of board members continue to use their personal email addresses rather than business-regulated email accounts to communicate with their peers, executives, and others that are within or in relation to the company. The survey contains responses from 411 governance professionals across 11 countries in North America, Europe, and the Asia Pacific.
The study showed that around half of the corporate leaders using their personal email accounts for their organizations even when they have access to a more secure organizational email account. While the percentage is high considering what is at stake, the percentage of personal email users was consistent across boards of all company sizes and regions. The percentage in North America was 53% which was the highest percentage in the study. European boards were slightly lower at 41% and the Asia Pacific was 48%. Across every region, even directors that had access to board portal software admitted occasionally using their personal email accounts.
The Dangers of Using Personal Email Accounts for Board Business
The dangers of using personal emails are numerous and serious. Have you considered the consequences if a board director or any employee used a personal email address to set up any number of functions that are critical to your company’s operations such as a web hosting account or purchasing domain? The personal email address the owns the account. If the board director or employee leaves the company, it would be very difficult to retake ownership of the accounts that actually belong to the company.
There could also be the consequence of IP theft, loss of company privacy or the loss of customer privacy. It’s also crucial to consider that whenever an employee uses a personal email account to conduct business, your business information is being stored on servers that are under someone else’s control. There would be no way to know of the many places your company information could be stored or where it’s being sent from there.
Gmail is one of the more popular email accounts. Google scans its users’ emails and the attachments destroying privacy. When you allow company information to be transmitted using personal email accounts, you also have no control over the recipients. An unhappy former employee could hurt your business and create legal liability if they choose to retaliate by transmitting sensitive company information that they saved in their email to someone outside of the company.
Preparation and Prevention
Secure email software solutions like Messenger integrate with BoardEffect’s secure board portal system. By having a company policy whereby no one should be sending emails outside the portal, you can rest assured that your company information remains safe. Secure email systems are necessary for good corporate governance. Messenger provides the capacity for real-time communications for groups or individuals so there is no plausible reason to resort to using personal emails.
Finally, make sure that your organization takes the time to develop a response plan in the event that a criminal invades your computer system. Decide ahead of time whether you will ever pay a ransom, and if so, under what circumstances. The consequences of an email attack may affect your insurance and compliance. Don’t allow an unsuspecting email attack to ruin your finances or your reputation.