Sending a confidential merger document to the wrong person in a Gmail contact list. Falling victim to a malware-ridden phishing email that opens up your organization’s entire IT network to hacking and vulnerability.
We all know the risks involved with email communications on-the-go. These are risks every Internet user has to navigate, but they become more dire for those who transmit sensitive information, such as board members. In a survey by the Business Performance Innovation Network, nearly 6 out of 10 respondents said they’ve made the misstep of sending a confidential email to the wrong party, or know someone who has. Becoming the unwitting victim of a cyberattack is also a valid concern. According to a June 2016 study by the Ponemon Institute, the average data breach costs an organization $7 million, including damage to a firm’s reputation and the loss of intellectual property and business.
In the words of Charles Beard, a principal in PricewaterhouseCoopers’ forensics practice, “Senior officers are prime targets for cyberattacks such as spearphishing [fake e-mails with embedded malware] via LinkedIn or other social media. And board members are an especially target-rich environment — they have access to the company’s most valuable, most confidential, market-moving information.”
Secure electronic communication starts at the top
When it comes to risk across the enterprise, cybersecurity has been rising as a priority for corporate boards for a while. The National Association of Corporate Directors (NACD) wrote in a 2015 blog post that “Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes.”
Yet in a 2017 Diligent survey of more than 350 directors of publicly traded companies, 92 percent of respondents gave “personal email accounts” as a preferred method of communication. Nine out of 10 have used personal email accounts occasionally for board communications, and 59 percent use them regularly. Corporate email networks, preferred by 83 percent of respondents, aren’t exactly fail-safe, however, as high-profile hacks on companies like Sony have shown.
How can boards more securely exchange highly confidential information and mitigate the risk of data leaks, reputational loss, and personal liability? Making secure communications official policy – and enforcing it – is only half of the battle. The other half: implementing the right technology to take exchanges off email and sensitive data off of the hardware of corporate and personal devices.
What to look for in an email alternative: secure board portal technology and beyond
Any email alternative must “close the loop” so that files can only be sent to and received by authorized users. (Ideally, it would offer “undo” capabilities for erroneous sends as well.) This alternative must seamlessly integrate with board software across all devices, managing all communications within a “security envelope.”
Because passwords alone are too easily hacked, it must have multiple layers of access control for users, like two-factor authentication that includes the request for a fingerprint ID. For system administrators, a solution must be enterprise-friendly and configurable so you have total control over access to information and can maintain clear records.
Above all, an email alternative must be intuitive and easy to use, as familiar in function as the texting tools and messaging apps that have become a regular part of everyday life. This decreases the appeal of reverting to Gmail, Yahoo, Hotmail or AOL as workarounds.
(Learn more about how we developed Diligent Messenger to address these criteria and concerns.)
Encouraging use of secure messaging
Even the best technology solution is of little value if it’s not regularly used. Boards and their cybersecurity committees can encourage adoption of an email alternative through:
- Ample, ongoing education: Share knowledge with directors on a regular basis on the dangers of insecure communication methods. Here are some resources to get started.
- Buy-in from the beginning: Engaging directors before, during and after the rollout can get them more invested in its successful adoption. Involve colleagues in the selection process and solicit feedback throughout.
- Training, training, and more training: Take full advantage of training for end users. We make training for Diligent Messenger free and unlimited because we’ve found it ensures clients the fastest time to adoption and highest ROI.
- Clear direction—with no exceptions: Leadership should directly and unambiguously state that personal and corporate email are not permitted for board communications, and reinforce this message with their personal actions.
Directors have a fiduciary duty to keep sensitive material out of the wrong hands. They should also be able to “assert a ‘good corporate citizen’ framework of defense” should a cyber-breach occur, according to NACD’s Risk Oversight Advisory Council. Messaging technology that “closes the loop,” thoughtfully and strategically deployed, can assist with both goals.