Lessons for Corporate Board Members from the Colin Powell E-mail Hack

Corporate Board Member Security

It’s every company’s worst nightmare: waking up to find your confidential company information plastered across The Wall Street Journal. Salesforce was a victim of just that when Colin Powell, a corporate board member, had his emails hacked and posted on DCleaks. One email contained a confidential slide deck detailing acquisition targets being considered by Salesforce. Although this information likely wasn’t what the hackers were looking for when they gained access to Powell’s private emails, Salesforce became the latest victim of this type of cybercrime.

There were 14 potential targets on the list that included Adobe, LinkedIn, Pegasystems, Box and Hubspot. Although several of these companies, such as LinkedIn and NetSuite, were already acquired this year, many others are still available and potentially in play. Powell has accidentally leaked some of Salesforce’s growth and innovation strategy, which Salesforce’s competitors are now privy to. It’s conceivable that a competitor could use the leaked information for their own benefit and swoop in to make a deal.

Many companies have strict internal information-sharing policies, but board members often are not required to follow the same rules, even though they have access to extremely sensitive information such as earnings reports, C-suite level communications and M&A target lists. Using email or consumer-grade file sharing apps to share sensitive corporate files exposes companies to a wide range of risks, and the consequences can be dire. Public embarrassment and damaged reputation aside, board members have been named in shareholder lawsuits as a result of data breaches, and activist investors have successfully removed board members after a breach.

board-business

Board members should be taking proactive steps to better protect their sensitive information and improve online security. However, it is important to remember that the ultimate responsibility for securing the board data lies with the company. The following tips aren’t groundbreaking, but they work, and are too often overlooked and forgotten:

  • Create strong, unique passwords for any site you access. Don’t reuse passwords, especially for important applications like online banking or file storage.
  • Only use file sharing services with two-factor authentication. This means, for example, that, when you log in from a new computer and enter your password, you’ll have to enter a code before you can access the account. This will rule out consumer-grade apps with a potentially lower security threshold than enterprise-level apps.
  • Separate business and personal files. It’s never a good idea to share personal information and business data through the same file sharing service or account. Many employers have rules against storing business information in consumer-grade file sharing tools, which is why they blacklist these types of applications.
  • Monitor your accounts regularly to catch theft or suspicious activity early on and reduce potential damage. In this case, Powell was a victim of a spear-phishing attack, where hackers target individuals with personally relevant information. Always assume you could be at risk.
  • Remember that email has been proven, time and again, unsafe for sharing confidential information. If a document needs to be shared externally, ensure you are using a secure file sharing system, not email, so that if the document falls into the wrong hands nobody else can open the file.
  • Consider applying expiration dates to files to time-bound documents.
  • Be extremely prudent about where you store your data.

Corporate board members ignore cybersecurity best practices at their own peril. This goes double for board members with a high profile like Colin Powell, who can be targeted by ‘hacktivists’ for a variety of reasons unrelated to their board positions. Don’t let you or your company become the next casualty in our cyber-insecure world.

By Daren Glenister

Juan Pablo Perez Etchegoyen

The S/4 HANA Decade is Here: Three Tips for a Successful Migration

Three Migration Tips For organizations using SAP, migrating to S/4 HANA is a project that’s either in the works or on the horizon as the 2027 deadline for completion looms. The new generation of SAP ...
Fernando Castanheira

How the Shift to Hybrid Work Will Impact Digital Transformations

The Shift to Hybrid Work Before COVID-19, most enterprises had a digital transformation in flight, but the pandemic threw those programs into hyperdrive. Scrambling to accommodate workforces that were suddenly working online and mostly from ...
Sangeeta Chhabra

Leverage DaaS To Solve Challenges of Remote Work

Solve Challenges of Remote Work In the past one year of Coronavirus (COVID-19), we have seen it all: An ailing world economy, dramatic changes in the political structure of many countries, and, most prominently, a ...
Automate Order Fallout Resolution Using Self-healing Framework

Automate Order Fallout Resolution Using Self-healing Framework

Automate Order Fallout Resolution Using Self-healing Framework to Accelerate Resolution Time by 98% Most Digital Service Providers (DSPs) face a common challenge of meeting due dates for their customer orders. The instability and delay in ...
Ronald van Loon

The Future of Work: Confronting One of the Biggest Challenges of the Next Decade

The Future of Work Technologies like artificial intelligence (AI), machine learning (ML), and automation in all of its forms can augment human workers and enable them to pivot to more valuable work, and perform their ...