3 Reasons Why Board Directors Should Do End-User Cybersecurity Training


Research consistently shows that more than 70% of cybercrimes are caused by human error or negligence – completely preventable. Yet too many board directors believe that regular cybersecurity training is just for their staff and volunteers.

That view, unfortunately, is adding risk to the organisation.

So, here are 3 reasons why board directors should do regular end-user cybersecurity training:

1) Board Directors are high-value targets for cybercriminals.

The names of Not for Profit board directors are generally public information. A quick search of the organisation’s website or the ACNC charity register will tell you who they are. With a little social media research on top of that, a sophisticated enough cybercriminal can effectively imitate any one of them.

So why would a cybercriminal want to target a director?

Because they often have financial authorisation and access to highly sensitive information – enough for the hacker to potentially generate a monetary benefit through either fraud or ransom.

A now famous deepfake scam earlier this year shows the extent to which cybercriminals might go for a payout.

While Not for Profits with smaller bank accounts may never witness something this sophisticated, I know too many charities and Associations that have been the victims of fraud.

 

2) Cybersecurity risks are constantly evolving.

Cybercriminals are constantly evolving, deploying new ways to trick potential victims into sharing login details and sensitive information or exposing them in other ways to attacks.

While directors are generally aware of their responsibilities regarding organisational risks, including those related to cybersecurity, they are often less aware of how their own actions can add to these risks.

End-user cybersecurity training is different from board training. It focuses on the actions of a user, and a Board director is a user as well.

When a director understands this, they can ask better questions and make better technology investments.

Examples of today’s emerging cyber risks that may not be on a director’s radar include:

With criminal tactics changing all the time, end-user training helps directors stay up to date with these cyber risks so that they can better mitigate and manage them.

 

3) If cybersecurity is important, directors should lead by example.

I’ve had discussions with Board Directors who sometimes feel that cybersecurity policies might not apply to them because they are volunteers, and the policies can be inconvenient. As a result, they might hesitate when the organisation asks them to:

  • Use an organisation email address (rather than their work or personal one).
  • Use the Board portal or a confidential SharePoint folder instead of emailing board papers.
  • Participate in end-user cybersecurity training.

Having served on six different Not for Profit boards or advisory committees as a volunteer, I understand that cybersecurity policies can sometimes feel burdensome.

However, for the organisation to strengthen its cybersecurity posture and effectively mitigate risks, it’s crucial for directors to lead by example and ensure they are not the weak link.

 

Final Thoughts

While Board Directors may understand their responsibilities and cybersecurity from an organisational risk point of view, they are still ultimately users of the organisation’s data and the underlying technology that supports it.

And because directors are:

  • High-value targets for cybercriminals
  • Trying to mitigate evolving cybersecurity risks
  • Organisation Leaders – trying to lead by example

…they should also participate in end-user cybersecurity training.

 


Coming Soon!

Cybercrimes are constantly evolving. Roundbox Consulting will soon release a new annual online cybersecurity training program, specifically designed to help Not for Profits with the latest knowledge to mitigate these risks.

Let me know if you want to know more.

 

 

Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today, she helps NFPs with strategic IT decisions, especially around investments.

 

 

 
