
Well-known CEOs and executives aren’t the only potential victims of hacks and threats from criminals. Board directors also have to be vigilant, according to Jason Lish, the global chief information security officer at Cisco.
“Oftentimes they’re targets, especially for public companies, where their profiles are out there,” he said during a virtual conversation on Thursday hosted by Fortune in partnership with Diligent for The Modern Board series.
Lish added that he’s even seen an increase in the mailing of physical ransom letters to board directors and company executives. “How do they stay protected in their personal lives?” he said. “Because threat actors will try to do reconnaissance.”
Lish’s warnings come as cybersecurity is top of mind for CEOs in the U.S. and abroad. Almost three out of four CEOs said they were worried about the ability of their companies to avoid or minimize damage to their businesses from a cyber attack, according to a 2023 report from Accenture. And about 70% of CEOs said in 2024 that they’re increasing investment in cybersecurity to protect their companies from a potential rise in AI-powered threats, according to a survey from KPMG.
'A big uptick'
CEOs and company executives are right to worry. In 2023, MGM Resorts, the hotel and casino conglomerate, was the victim of a ransomware attack that disabled its online reservation system, its slot machines, and other parts of its infrastructure. In 2024, cloud computing giant Snowflake disclosed a data breach that affected large clients like AT&T and Santander Bank. And in January, criminals kidnapped a crypto executive in France and tried to extort him and his company for Bitcoin.
Lisa O’Connor, a managing director at Accenture who specializes in cybersecurity, echoed Lish and said threats against boards and executives are growing. “Those directors are a target for attacks specifically because of their role, along with the C-level and others,” she said during the panel. “We've seen a big uptick in that.”
She urged boards to be aware of cybersecurity risks not only to their organizations but also themselves. “There's actually the personal awareness that needs to continue when we think about deepfakes or other things,” she added.
Board directors also need to make sure they’re being careful about where they’re receiving company information, according to Grant Schneider, president and CEO of FGS, an intelligence and cybersecurity firm. “Having a data sharing mechanism with board members that is not just sending them stuff to their Yahoo account, or whatever it is, I think is really important, because they receive lots of sensitive information about the organization,” he said during the panel.
Schneider was the chief information security officer in the White House’s Office of Management and Budget during the last half of Trump’s last administration. Increased wariness is especially important as hackers and criminals grow more sophisticated in their attacks, he said: “Non-nation-state actors have the same level of sophistication that nation-state actors certainly did a couple years ago.”