It’s every company’s worst nightmare: waking up to find your confidential company information plastered across The Wall Street Journal. Salesforce was a victim of just that when Colin Powell, a corporate board member, had his emails hacked and posted on DCleaks. One email contained a confidential slide deck detailing acquisition targets being considered by Salesforce. Although this information likely wasn’t what the hackers were looking for when they gained access to Powell’s private emails, Salesforce became the latest victim of this type of cybercrime.
There were 14 potential targets on the list that included Adobe, LinkedIn, Pegasystems, Box and Hubspot. Although several of these companies, such as LinkedIn and NetSuite, were already acquired this year, many others are still available and potentially in play. Powell has accidentally leaked some of Salesforce’s growth and innovation strategy, which Salesforce’s competitors are now privy to. It’s conceivable that a competitor could use the leaked information for their own benefit and swoop in to make a deal.
Many companies have strict internal information-sharing policies, but board members often are not required to follow the same rules, even though they have access to extremely sensitive information such as earnings reports, C-suite level communications and M&A target lists. Using email or consumer-grade file sharing apps to share sensitive corporate files exposes companies to a wide range of risks, and the consequences can be dire. Public embarrassment and damaged reputation aside, board members have been named in shareholder lawsuits as a result of data breaches, and activist investors have successfully removed board members after a breach.
Board members should be taking proactive steps to better protect their sensitive information and improve online security. However, it is important to remember that the ultimate responsibility for securing the board data lies with the company. The following tips aren’t groundbreaking, but they work, and are too often overlooked and forgotten:
Corporate board members ignore cybersecurity best practices at their own peril. This goes double for board members with a high profile like Colin Powell, who can be targeted by ‘hacktivists’ for a variety of reasons unrelated to their board positions. Don’t let you or your company become the next casualty in our cyber-insecure world.
By Daren Glenister