When Directors Become a Digital Security Risk

When Directors Become a Digital Security Risk

As AI-powered scams become more convincing, boards are discovering that directors themselves can be a cybersecurity vulnerability.

Key takeaways:

  • Nearly one-third of deepfake scams targeting directors involved hackers posing as trusted advisers.
  • AI tools scan social media, public biographies, and other digital footprints, making impersonating others easier.
  • The trend is prompting more discussion about how directors’ public-facing activities can create cyber risks.

What Directors Need To Do in the Age of Mounting Cyberattacks

The text message seemed routine enough. It appeared to come from a company executive and referenced details about an upcoming board discussion. But just as the director was about to reply, she hesitated: Was the message a carefully crafted attempt to gain confidential information?

For years, boards have focused their cybersecurity oversight on protecting company systems and personnel. But as those attacks continue to spread, directors themselves are facing many of the same threats long directed at CEOs and other senior executives. Experts say that this includes everything from AI-generated voice and image impersonations to spear-phishing scams that build trust using publicly available information. A 2025 survey found that 62% of organizations had experienced a deepfake-driven attack in the previous year, while 42% said executives and board members had been targeted an average of three times—and that in those instances, the scam involved the impersonation of a trusted associate 28% of the time.

“These attacks are so common and so easy to miss that you can’t afford to let directors lose focus on this,” says Jamen Graves, global leader of CEO and enterprise leadership development at Korn Ferry. “There’s still a steep education curve.” The challenge is that many of the techniques now being used against directors rely less on technical sophistication than on human psychology. Rather than attempting to breach a company’s systems directly, attackers are frequently relying on social engineering—posing as trusted colleagues to coax information from directors.

As a result, companies are expanding cybersecurity education beyond traditional awareness training. Some are helping directors understand how attackers use personal details gathered online to craft convincing fraud attempts. AI tools can now scan social media, public biographies, and other digital footprints in seconds, making it easier to create messages that appear highly credible. Scott Atkinson, senior client partner in the Global CEO and Board, Technology, and Sustainability practices at Korn Ferry, says, “Some boards are now running formal testing procedures for fake executive communications—and more should be.”

The growing concern is that attackers won’t need to break into company systems if they can successfully impersonate a trusted colleague or executive. In many cases, a text message, email, or AI-generated voice clone may provide a simpler path to the same data. That reality is prompting some organizations to reexamine how board information is distributed in the first place. Many companies are pushing board communications onto secure platforms and establishing clearer rules around how sensitive details are accessed and exchanged. Craig Stephenson, senior client partner in the Tech, Ops, Data/AI and Infosec Officers practice at Korn Ferry, says, “Luckily, you’re starting to see directors being required to use portals with additional layers of security built in.”

Technology controls can only go so far, however. Because many attacks begin with information gathered from public sources, some boards are also paying closer attention to directors’ online presences. Discussions about directors’ social-media habits are taking place in the boardroom rather than being treated as a personal matter, and boards are encouraging directors to think more carefully about the information shared online by family members and close associates. “Directors are increasingly vulnerable through their families,” Graves says. “Small personal details on the social-media post of a relative can help someone trying to target them.”

Board & CEO Services

Better leaders for a better world

Learn more

To be sure, cybercriminals are not always looking for privileged information. In an era of heightened political polarization and online activism, directors may find themselves targeted because of what they say publicly or the positions they take on contentious issues. That trend is prompting more discussion about how directors’ public-facing activities can create cyber and reputational risks. Directors need to think deeply about their social media and online engagement practices, says Graves. “How are you making sure that what you’re putting out there is filtered appropriately?” he asks.

Learn more about Korn Ferry’s Cybersecurity capabilities.

Featured Topics
Leadership
Board & CEO Services
Technology
Board
CEO
Board & CEO Services
Cybersecurity