Few people would dispute the mystique that surrounds the boardroom. The allure is long-standing, but it was recently heightened by the popular TV series “The Apprentice” with business icon Donald Trump. Boards of directors deal with sensitive issues and handle privileged information, and board meetings themselves call to mind strategy sessions, stock decisions and major contracts.
Trading on privileged information is illegal. As you can imagine, access to privileged financial and stock information could easily be used for insider trading. Sensitive information and financial data must be controlled in order to comply with Securities and Exchange Commission disclosure requirements.
What you may not think of are the discussions around information security, which has become a board-level issue. Cyber-attacks and corporate espionage are growing significantly year over year. In a training program developed by Spy-Ops, the company notes that corporate espionage worldwide is now more than a trillion-dollar problem annually and growing. Data breaches, theft of intellectual property, insider trading and other criminal acts now demand the attention of the board of directors.
“Enterprise risk management discussions and strategies have moved into the executive suites and boardrooms. This is due primarily to the significant implications associated with security breaches,” said Paula Cordaro of Spy-Ops.
The following is an account of an actual incident that took place in a boardroom in September 2007. The names of the company and board members have been changed for obvious reasons. This summary should remind everyone how simple events can create huge security and compliance issues.
In the early afternoon one day, I placed a call to the chief executive officer of a high-tech software company for which I was consulting. We discussed the status of a project I was working on for the organization. After about 45 minutes, the CEO concluded the call, saying, “I have to get my notes ready for the board meeting.” We hung up, and I moved on to some other work. At about 4:30 p.m., my cell phone rang. I recognized the number as that of the CEO I had talked to earlier. I answered the phone, but the CEO did not acknowledge me. I could clearly hear the conversations that were taking place, which included a discussion of a stock split.
I continued to listen, thinking the CEO did this to have a third party as a witness to something going on in the board meeting. After more than a half hour, the meeting began wrapping up and I heard another board member remind the CEO he owed US$60 for the skins golf match they had played the day before. I hung up the phone and sent the CEO a text message, reading, “Will you please pay Tim the $60 you owe him? I am tired of hearing him cry.” Within one minute my phone rang and it was the CEO, saying: “You son of a b*tch, you hacked my computer and listened in.”
This was a technique we had showcased more than five years earlier in a hacking demonstration. He was convinced I was eavesdropping. When I told him to look at his cell phone, he noticed he had unknowingly called me again. At that point, he said, “You son of a b*tch, you listened for over 37 minutes.” I replied, “Yes, I did, and I am not in favor of the proposed stock split.” He laughed. The gadget-loving CEO had just bought an iPhone and had accidentally hit redial on the phone’s touch screen.
There wasn’t any bugging or hacking involved, and no software vulnerability was exploited; it was just good old human error. How many people would have even considered a cell phone or a copier a potential security threat? Not very many. Some organizations have policies that require cell phones to be turned off during meetings. However, we have seen phones modified to appear off even while they are transmitting.
Data Leakage Risks
In a recent classified meeting I attended, we were required to place our cell phones on the table in front of us with the batteries removed. At one Fortune 500 company, management developed and implemented a process that requires a weekly purge of all files stored on the multifunction copiers throughout its facilities. Multifunction copiers retain copies of scanned, faxed and printed documents on internal storage, so a regular purge limits both how much accumulates there and how long it stays exposed, which substantially reduces the risk of data leakage.
Despite popular belief, the loss of corporate secrets doesn’t only take place in the research and design labs, commented Randy Favero, a former executive at IBM, Netscape and Novell and now executive vice president at National TeleConsultants. “IBM has historically been ultra-sensitive to threats of eavesdropping from external sources and has protected their key facilities with counter eavesdropping measures. When a listening device was found inside a Netscape executive conference room, a new realization of security threat levels was exposed. With the myriad of new devices now available on the commercial market, company secrets are less safe than ever. Corporate executives are becoming aware that even the boardroom isn’t intrusion-proof anymore.”
In another event, external security consultants discovered that a security breach had occurred and that a software bot had been installed to extract product pricing and manufacturing data from the Oracle database. The consultants immediately disclosed the issue to the CIO and CTO of the organization. An investigation began and, because of the potential negative impact on the company’s competitive position, they advised the CIO that the breach had to be disclosed to inside legal counsel and the CFO. After nothing happened, the outside consultants pushed the issue again with the CIO. Shortly after that, the consultants’ contracts were terminated. There is no evidence that legal counsel or the CFO was ever informed, or that the breach was ever disclosed publicly.
It is the duty of corporate executives to ensure communication and information are secure and guarded, said professor Edward Maggio of the New York Institute of Technology. “The failure to protect communication and information in the corporate world is a source of liability to the existence of a business as well as to others who may seek civil litigation for damages. In light of recent events, the need for corporate investment for the training and education of corporate personnel is highly necessary. The need to protect communication and data is reaching a critical stage for companies who wish to avoid or mitigate liabilities.”
Corporate information leaks from places most security strategies and plans never consider. From the boardroom to the cleaning closet in the basement, executives are now involved in the information and physical security of their enterprise.
Kevin Coleman is a strategic management consultant with Technolytics and specializes in security and compliance. He is a former chief strategist for Netscape and a Kellogg School of Management executive scholar with more than 15 years of experience.