Directors’ E-Mail Could Pose Security Risk
By Tony Chapelle
After revelations that more than half a billion Yahoo e-mail accounts were breached, cyber-security experts are recommending that boards of directors get off of easily hacked platforms when conducting board-related conversations.
Directors should opt for board collaboration software if they’re off-site to chat into board meetings or use secure e-mail apps to communicate between board meetings, says one consultant.
Thirty percent of U.S. board members use free third-party e-mail service providers such as Google’s Gmail, Verizon Communications’ AOL or Yahoo Mail, among dozens of providers. Indeed, 9% of U.S. directors send personal and business messages through Yahoo. That’s according to a survey from Diligent, a technology company that produces electronic board books and meeting software.
Brian Stafford, CEO of Diligent, says, “E-mail is not a secure way for board members to communicate. No e-mail account is safe when confronted with phishing attacks and other forms of hacking.”
In addition, he points out that Gmail and other third parties scan e-mails and send ads to users targeted to what is in those messages, which is proof they aren’t being kept private or secure.
Corporate board directors can also be a weak link for hackers seeking unlawful insider information about upcoming mergers and acquisitions. In 2014, the Financial Times reported that a group known as FIN 4 had targeted board-level executives and corporate development teams at more than 100 companies — particularly in the pharmaceutical industry — while they conducted talks on mergers or clinical trials. For each deal, the hackers accumulated information from as many as five companies to better analyze mergers likely to be completed.
Yet there are fairly easy alternatives for board members to use for electronic messaging.
Stafford says that most Fortune 1000 companies have adopted dedicated board collaboration software, sometimes called a board portal, to ensure that board meeting materials will be shared securely. Diligent’s version is known as Diligent Boards.
Adam Levin, chairman and founder of identity-theft prevention company IDT911 and author of the book Swiped, advises using an e-mail encryption application such as Squirrel Mail or AppRiver, “or better yet, one that is built for businesses, like Citrix.” He says that sensitive files probably should not be e-mailed at all. Most organizations will make possible secure uploading on formats such as Microsoft’s SharePoint or even Google Docs, but these will need to be properly configured. These other formats are a more efficient and more secure way to transmit and receive documents.
Outside of the boardroom, Stafford says, directors are likely to use free apps such as iMessage or WhatsApp. While those are both safer than free e-mail, the business model is similar to that of Yahoo and other third-party e-mail. “When a product is free, you are the product,” Stafford explains, meaning the demographic and other information is being collected for commercial use.
Instead, use one of the growing number of secure enterprise messaging and e-mail apps, including Diligent Messenger, Yammer, Tiger Tech or Zinc, he advises.
Other than the obvious benefit of keeping messages secure and safe from hackers, this software can recall messages, similar to how an “undo” button works on a computer, or allow them to expire after a few minutes, hours or days. Directors and executives can speak without worrying that everything they say is being recorded forever.
The commercial apps such as Diligent Messenger allow company technicians to set options to screen which persons can and cannot communicate with the group.
By creating a closed group just for boards and executives in a company there’s now a separate, secure channel for conversations. One more advantage: Critical board-level communications go into a separate inbox. That means they won’t get buried under hundreds of other e-mails that board members receive every day.