Addressing Insider Threats

Sponsored by OnBoard

As credit union executives, directors and board administrators adopt digital board management processes, cybersecurity risks associated with digital adoption leave them more vulnerable to cyberthreats.

Board members play essential roles in organizations of all types, and credit unions are no exception. Your credit union’s board of directors provides oversight and ensures the credit union remains focused on its mission and vision.

Boards must entrust their members with sensitive data to ensure they effectively fulfill their roles. But a data breach involving sensitive board information can result in costly litigation and devastate your credit union’s reputation.

The Costly Risk of Board Cybersecurity Breaches

According to an annual IBM Security Report, the average data breach in the United States costs $8.64 million. The expense rises for organizations in highly regulated industries such as credit unions.

Boardroom breaches can tarnish an organization’s reputation. Lost business costs—including customer turnover, revenue lost by system downtime, and efforts to gain new business with a diminished reputation—account for about 40% of the average total cost of a data breach.

Zoom meetings and distributed IT have also invited increased cybersecurity attacks. In April 2020, the FBI’s Cyber Division reported receiving about 400% more cybersecurity complaints daily.

While recent research shows 100% of IT security leaders say they’re more focused on security than in the past, OnBoard’s latest survey of board directors, administrators, and staff members found only 57% see cybersecurity as an important issue.

The Sources of Cybersecurity Threats in The Boardroom

According to Verizon’s 2020 Data Breach Investigations Report, outsiders committed 70% of all breaches. These include malicious attacks, human error and compromised credentials.

Cybercriminals often target board members because they have access to lots of sensitive information. IBM X-Force recently uncovered a global phishing campaign that targeted more than 100 executives.

A board member could also leak confidential data on social media, leverage insider information for personal gain, or feed information to the media.

Best Practices to Prevent Board Cybersecurity Attacks

While boardroom cyberattacks always remain a threat, the recent increase in remote meetings and electronically shared information require organizations to reduce risk. Consider these five tips to keep your credit union’s board information secure:

1. Securely manage all board materials digitally. Many boards still rely on printed board books, disclosures and other important materials. But printed materials can easily get into the wrong hands, especially now as more boards meet virtually or send documents in the mail.

Some organizations choose to use cloud-based storage solutions such as Dropbox, Box or Google Drive to share board materials. But since these solutions’ security profile typically involves just a username and password, they may not offer enough security to prevent cybercriminals from stealing sensitive data.

A purpose-built digital board management solution such as OnBoard can create an enhanced security profile to prevent such attacks. Security measures for a board portal include encryption, two-factor authentication, single sign-on authentication, biometric user identification, granular user permissions, remote device wipe capabilities and biometric identification. It also gives credit union board members access to relevant documents from a single system of record, making finding, sharing and collaborating much easier.

2. Set appropriate permissions. Board members in many industries, including credit unions, often complete a questionnaire disclosing any personal conflicts of interest. A conflict of interest might limit a member’s access to information on certain topics.

Give board members access to what they need to succeed—no more and no less.

3. Protect meeting minutes. Board administrators often distribute meeting minutes via email or online, but this can expose confidential information and could result in litigation, expense and a damaged reputation.

Prepare minutes quickly and destroy notes used to compile them. Make minutes available to board members in a read-only format.

4. Avoid using email for board discussions. Most email accounts don’t have adequate security. Using email to discuss sensitive board matters can also create discoverability issues if your board ever faces legal challenges, especially if your board members sit on multiple organizations’ boards.

Utilize a secure board portal to communicate between your board and its members. Board portals that feature granular user permissions and compartmentalized access based on each director’s role, responsibility and committee assignment can help ensure directors’ communications remain secure and limited in scope.   

5. Wipe vulnerable devices. Board members often access information on their personal electronic devices. While it’s important to ensure directors can work while on the go, it’s also critical to conduct board business on safe, trusted devices. Consumers replace smartphones about every three years, so consider wiping all locally stored information from devices that haven’t connected to the internet within an established period.

Adarsh Mantravadi is general counsel and director of government strategy for CUES Supplier member OnBoard, Indianapolis. He brings more than 10 years of public sector experience at both the state and federal level. Most recently, he served as a senior director of policy and research for Indiana Governor Eric J. Holcomb, where he spearheaded the creation of the Next Level Fund, the state’s $250 million private equity and venture capital investment vehicle. Mantravadi holds a J.D. and a master’s of public affairs from Indiana University-Bloomington, has served the community in numerous board and volunteer roles, and is a two-time recipient of the Sagamore of the Wabash.