Directors operating in a secure environment
In an increasingly data-driven world, corporate leaders face challenges in protecting the information they process. Executive and non-executive directors, as key decision-makers within organisations, must navigate complex regulatory landscapes, information security risks, and ethical considerations surrounding data protection and privacy. As data leakages and privacy violations become more frequent, directors bear a dual responsibility: safeguarding the data their organisations handle while also protecting their own personal information from misuse.
This note explores the challenges executive and non-executive directors encounter in ensuring data security and privacy. Based on the analysis of the legal obligations, industry best practices, and potential vulnerabilities that directors face, both in their corporate roles and as individuals, insights are provided on how corporate leaders can balance operational efficiency, compliance, and personal privacy in an era of digital threats.
Challenges Directors are facing:
Executive Directors
- Being high-value targets - increased risk of phishing, social engineering, and identity theft
- Data exposure via public profiles - overexposure through social media, press releases, or company websites
- Travel and communication risks - using unsecured networks or devices while travelling or during remote work
- Executive surveillance or tracking - monitoring by internal systems that may inadvertently infringe privacy
- Unlawful processing of data - when combining an Executive and a Non-Executive role and using a corporate device for data processing
Non-Executive Directors
- Limited IT support - often working independently without the same cybersecurity tools as executives
- Use of personal devices and e-mail - higher risk of using less secure systems for Board communications
- Exposure through Board memberships - participation in multiple Boards increases personal data circulation and risk
- Data sharing with third parties - risks involved when interacting with advisory firms, legal teams, or consultants
To mitigate those risks, the following recommendations should be considered:
1. Do not use public apps (e.g., WhatsApp) that are not authorised for exchanging corporate-related information, since they do not provide the necessary security and control over the information exchanged via them.
2. Do not discuss sensitive/confidential topics in public where an unauthorised person is present (including on public transport or in a taxi).
3. While travelling, use secure, trusted networks or connect via e-SIM.
4. When working in public places (airport, train, ...), make sure that screens (laptop, tablet, mobile phone) have privacy protection (filters).
5. Secure your personal network, including the Wi-Fi installation, by e.g. changing default passwords.
6. If possible, use professional e-mail clients (e.g., Outlook instead of Mail).
7. Consider registering your own personal/professional domain to avoid e-mail exchange via end-user channels (gmail.com, hotmail.com, outlook.com, ...).
8. If you are active at another company and use their equipment, make sure corporate data will not be transferred to or stored in that environment (especially if there is no relationship between both companies, and thus no legal ground to exchange (personal) data). Request that the company provide a secure solution for accessing and processing all relevant documents.
9. Avoid downloading and printing sensitive Board documents. If you do so, make sure they are appropriately protected and disposed of in a secure way.
10. Do not reuse the same password across multiple sites. Where possible, activate Multi-Factor Authentication (MFA). Although a presence on social media is not always related to a Director mandate, that identity should still be protected:
- LinkedIn: Turn two-step verification on and off | LinkedIn Help
- Instagram: Securing your Instagram account with two-factor authentication | Instagram Help Center
- Facebook: How two-factor authentication works on Facebook | Facebook Help Center
11. To manage different passwords, consider the use of a password vault (aka a password manager).
12. To better protect the password vault, consider using a hardware authentication device.
13. On a regular basis, verify via Have I Been Pwned (Check if your email has been compromised in a data breach) whether your credentials have been compromised.
14. Consider a cyber bodyguard service to protect Directors against cyber threats and to help secure their personal IT environment.
Article authored by the GUBERNA Sounding Board Committee for Cybersecurity
For any comments, questions, queries on cybersecurity issues, you can get in touch with Sounding Board committee members here.