Cyber security at board level

Speaker 1: Good morning everyone and welcome to today’s Governance Institute and Diligent Webinar. Today we will be discussing cyber security at board level. My name is Vesna I’m an employee of Redback conferencing and I will be your facilitator for today’s session. I want to hand over to Kate Ellis from Diligent so we can all get started.

Speaker 2: Thanks Vesna and welcome everyone to Diligent first webinar with Governance Institute of Australia. I will be your joint host today, a little bit about me, I’m the marketing manager here at Diligent and we’ve designed a series of webinar topics over the coming months to cover areas to develop your professional learning. Now to kick off the series we’ve created material to help you navigate the complexities of cyber security at the board level. Next session, just so that you’re all aware, will run a live webcast scheduled for 5 July and we will be discussing how to build a stronger rapport with your chairperson.

Now our host today is Al Percival managing director here of Asia Pacific. Al has over twenty five years of experience in the IT industry. He has led the development of one of the largest retail solution implementations in Europe and pioneered the use of SASS. Throughout his career he has engaged to speak at numerous events talking about industry security issues. Now Al has being with Diligent for over twelve years now and during his initial engagement with us he was head of software development and then ran our operations out of our head office in New York before returning to this side of the world. Before I hand you over to Al just want to cover how we will be handling the webinar today. We’re running for a total of forty five minutes which will consist of a forty minute presentation with survey questions throughout and q,a at the end which you can ask through the chat box at the bottom left of your screen at any time. If you would like to receive a copy of the presentation we will ask you for your details at the end of the call. Now I would like to hand you over to Al.

Speaker 3: Thank you very Kate and welcome and good morning to everybody. So the topic for today’s call really is cyber security at the board level and we’re going to be dividing this up into three keys areas. Firstly we’re going to have a look at the update, the update on the cyber threat landscape as we call it, particularly how it affects Australia and Australian businesses and organisations. Then we’ve got a rather provocative question, is your board part of the problem or is it part of the solution? We’re going to be having a look at how the board is interacting with cyber security both on a personal individual level and also in their role as board members and from a governments perspective what questions might they be asking and how should they be considering cyber security in the context of general business risk.

Then finally we’ll have a look at some practical information, some tips and chat a little bit about where Diligent fits into this picture as well. Let’s kick in and have a look, well just before we go in, just a tiny bit more information about Diligent, so just, we will be providing more information at the end of the presentation. Diligent is the world’s largest provider of secure board communication systems, obviously a very international company over one hundred and twenty thousand users and obviously in a significant number of organisations using Diligent including some on our call today.

Let’s kick in and start talking about our main topic and we’ve got a quote to start with, this is a quote from the member of the Australian cyber security centre which is an organisation which was set up, as you’re probably aware, about three years ago under the Abbot government and the idea of the Australian cyber security centre is really to help ensure Australian networks are amongst the hardest in the world to compromise and they’re attempting to do that through a number of initiatives, awareness building, education, research and helping the organisation generally around cyber security issues. This quote really, it summaries what we’re talking about today, you know, cyber space as we all understand it I unrelenting, it’s never going to go away and really it’s a topic that not only concerns the IT team and the CIO but really is an organisation wide issue and particularly when you start looking at the governance at the broad level it’s a topic that boards need and should be considering and I think probably we all understand that sentiment, it’s certainly, that information is being distributed by almost every organisation in the government space in Australia today.

We’re going to start off with a poll and the question we’re going to ask you to start with is just on a personal level what is it you feel that you’ve got some level of responsibility for cyber security in your organisation? And really three topics, you know, is this something that’s really just an IT issue, is it something that you consider but no more than anyone else or is it actually at your, if you’re in the GRC space yourself, something that you really feel that you need to understand and be involved in, and I hope that this isn’t too much of a leading question but obviously we’re expecting a certain response so we’ll see whether the results actually play out. Looks like we’ve got loads of a consensus that, I think most people, [inaudible 00:05:23] people on this call see it as something that they do need to understand, something they need to be involved in, you know, hopefully in today’s call we’ll make some progress on that particular topic as well.

All right, so let’s move forward now and I want to start by having a look at what’s going on in the federal level and again a slightly provocative little chart we’ve got going on here, just showing how much Australia is spending on cyber security in relation to a couple of countries which we typically benchmark ourselves against, most notably the US and the UK and look, you can see immediately that Australia really is not spending that much relative to certain other countries and again to be fair if you were to match Australia against a number of countries across Asia Pacific we could probably say Australia is certainly spending more than a number of others. Certainly, against US and you can [inaudible 00:06:25] the US has got a big target on its back, its had a lot of high profile cyber attacks but I think it is a good question to be asked, you know, should Australia be spending more? Certainly there’s being an announcement of more money being spent on cyber security by the federal government in recent weeks but again I think a number of questions are being asked about whether that is enough.

This next slide is just raising a couple of questions, in fact, by a think tank which is organised by the university of New South Wales where they’ve done quite a lot of detailed analysis on Australian cyber security preparedness and really saying, despite the latest government take on the topic, which is setting out the government position, the spending, over the next three years, we, the general consensus seems to be that yes there’s a lot of great concepts and a lot of great ideas being put forward but there’s not actually the money or necessarily the resources to actually back these up and make sure that Australia is going to defend itself against, you know, the [inaudible 00:07:31] cyber threat landscape that’s out there today.

Yeah, so definitely going in the right direction but perhaps there’s a bit of a catch up required at the federal level at least to make sure that Australia is not going to be the weakest link in the chain when it comes to cyber security issues. Part of the paper, and this is really the start of the Segway into what we’re talking about today is a lot of the paper that’s just being released on the cyber security I looking at how the federal government should be working with the private sector and really government is looking for co-leadership from the business community to really help jump start this initiative and because at the end of the day the government can only do so much, Canberra has obviously got a lot of, I know we’ve got some people from Canberra joining us in the session today, you know, Canberra has obviously got a lot of responsibility and commitment but at the end of the day if we’re running for private business we cannot expect the government to do our handwork for us.

So every organisation needs to take responsibility for this and part of this initiative I looking for again that partnership and what the papers suggesting is starting with an annual summit between the public and the private sector, again just to do a stock check on where we’re at, where the potential threats are coming from and making sure that both the government and the private sector are putting the necessary resources in place to meet current and future potential threats. The other [inaudible 00:09:12] paper that’s being released quite recently was also by the cyber security centre and it was looking at the, just again a stock take of the current threats that are facing Australian businesses and we’re going to look at, just again a little bit later on about how some of the participants might have being impacted by these. We can see, again top level statistic that fifty percent of Australian businesses have had at least one cyber incident over the last year and again I suspect that’s under reported, I would be suspicious that probably more than fifty percent have but again this is obviously just what the survey is reporting and also if we break them down, fifty nine percent of that fifty percent, so thirty percent, that’s included targeted malicious emails which we normally refer to as spear phishing attacks or just generally phishing attacks.

Thirty percent through theft of mobile devices and laptops, and again [inaudible 00:10:13] our workers and there’s more and more devices containing data on them, be that phones, laptops, tablets etc, naturally that creates a potential target for someone to pick these devices up and potentially breach the data that is on them. Theft or breach of confidential information, you know, typically through perhaps some kind of, again, possibly through a malicious attack via email but perhaps just through actually a successful breach of the organisations primitive defences and actually managed to retrieve, extract information from the network and then unauthorised access to information from an outsider and this covers quite a wide range of scenarios, it may just be a contractor working in the offices who has access to something they shouldn’t have access to for example or again some kind of accidental disclosure perhaps through an email sent to the wrong person, again it’s a very easy thing to do I’m sure we’ve AL done it where you pick up a document put into the email address into Outlook and of course Outlook will auto complete the email for you and then you only realise ten seconds too late that the email has gone to the wrong person and then of course you’ve got to try and recover that document or that piece of information.

We can see there’s a wide range of threats that we’re facing and of course unfortunately these threats are getting worse not better. Let’s just have a look at some of the other reports that are coming in from the various Australian agencies who are responsible for cyber security at the federal level. Accorn which is an organisation which is definitely worth keeping tabs on just from your perspective, it’s the Australian Cyber crime reporting network and again I think it’s just accorn.gov.au. They do a quarterly report just with, again, a snapshot view of just how the threats are impacting Australia and Australian businesses and they reported nine thousand two hundred reports just in the last quarter of last year alone and there is a definite trend increasing there, but again I’m sure that’s a significant under reporting and just to reiterate the previous slide, the email and phishing attacks are virtually always one of the top three attacks vectors that organisations are experiencing. Their emails are being sent to, not necessarily the generic email where it’s just like, please enter your banking details, but targeted emails at targeted individuals asking for information or executing what is generally called a social engineering attack where you use information to try and get somebody to disclose information that they shouldn’t be disclosing.

A couple of particular attacks which I will just raise your attention to again just because you may have seen these or seen something similar to these. You’ve probably heard of ransom ware and ransom attacks which is where generally a third party, a malicious third party tried to hold you or your organisation to ransom perhaps by saying that they’re not going to release certain compromised information or perhaps they will release some information that they’ve managed to extract from your network unless you pay some kind of bribe to them and that’s the most recent one basically, it’s being highlighted by [inaudible 00:13:41] Australia and it’s basically pressing for a bit coin ransom or the organisation will execute what is referred to as a denial of service attack which is effectively where the organisation tries to take your network down by launching thousands and thousands of internet requests to your website or your network, basically trying to disable your business.

The advice from SERT is if you do receive a threat like this is to notify them, so again info@sert.gov.au and certainly it’s quite important if you do see these kinds of attack threats don’t ignore them, don’t just say, “Oh that’s something that’s not going to impact us”, it’s really important that we do keep the authorities notified because of course then it becomes easier to try and target the attackers and hopefully take them out. Another one which I will just raise as well where HR departments in particular are being targeted for employee details and typically what is happening I the HR department is receiving an email from usually what looks like a senior executive perhaps the CEO is asking for some information about one or more employees and effectively what they’re trying to do here is being able to launch a significant social engineering attack against those individuals and again it tends to be the senior people who are being asked about, that’s a common pattern as you will see in this presentation, because of course once you have that information it’s much easier to then, whether it’s getting the answer to security questions, breaching, their own personal defences and again stealing information and perhaps financial information as well from this specific individual.

Again make sure your HR department are, I’m sure they are, but always worth just making sure that they are aware of the potential threats that could be targeting them in particular. I will just briefly touch on this and I think probably we all understand what the threats are if something does happen and we are attacked, I mean there is a whole range of stuff, there could be loss of revenue if financial information is stolen and of course lot’s or reputational damage and this tends to target the big companies in particular. When there is a breach, Linked In obviously recently that’s just being bought by Microsoft but Linked In obviously had a massive breach of passwords and had a number of high profile organisations historically and certainly you don’t want to see your name in the headlines for having a cyber attack and a cyber breach and that also of course rolls down to the board members as well, is no board member wants to be associated with an organisation where there’s being a significant breach and again the company’s name has being dragged through the mud for perhaps not covering the cyber security threats sufficiently.

I think most of the rest are probably fairly straightforward and self explanatory. Yeah, just a comment coming through, we’ll make sure we pick up some of these questions at the end but thank you for that comment, that’s absolutely right, the CEO and the CFO there is often, basically an email, we’ve had this at Diligent ourselves funnily enough, when we had a new CEO join us just over a year ago where the CFO received an email supposedly from the new CEO saying, “Oh can you transfer some money because”, in our case it was because I want to go and travel around to the different Diligent regions, and of course it wasn’t from our CEO at all and that was quickly picked up and resolved but it’s quite common particularly when you have a new executive join the organisation that you can in fact have a clever attack and use that information to launch an attack through a phishing email and a social engineering attack.

Now just talking about how the board is getting involved in cyber security matters and we’ve got a couple of slides just covering what the trend line is here. We can see that overall boards are starting to get a little bit more involved in cyber security issues, you know, [inaudible 00:18:05] it’s obviously when it comes to finances that’s typically their first point of interest of course and looking at perhaps the overall strategy. I guess the bad news if you look at the slide is it’s still less than fifty percent across every single category but the good news is the trend is going the right way, we are starting to see more boards getting more involved in questions and issues around government and cyber security. Just another slide on that particular point again, slightly different data set and presentation here, but overall in this particular set, again it’s going back a year, we were seeing, again, over a fifty percent saying that the board is increasing their interest level in cyber security matters.

A quarter, just over a quarter at this point were saying, “No there’s not any real change”, but before we question this any more let’s actually ask a question to yourselves and let’s start by asking the question is, do you consider when you’re thinking about your own organisations that you’ve all had the necessary skills and knowledge to effectively assess the risk from cyber attacks and give the topic sufficient time and attention on the board agenda? Okay so again we’re seeing quite a strong consensus here, so we just wait for the final results to come through but so far the ‘no’ is certainly dominating the answer here, so about eighty five percent of everyone say that the board are not currently, they don’t have the necessary skills and they’re not given enough time on the agenda, to be fair we have got a couple of questions wrapped up in one there but certainly looks like, for the participants at least, we’re not quite doing enough.

Let’s just do a follow up question on that and hopefully again we’ll see some slightly more positive answers there, so thinking about that last question again is, do you think things are getting better or worse than they were a year ago? Or about the same. Okay so we’re about fifty fifty, again I will take the positive out of this, well no one is saying, sorry one person is saying worse, so we have three percent saying worse and about forty four percent just under majority, forty four percent say better and fifty percent saying about the same. I think, I will take the positive out of that is at least half the participants do feel that things are progressing in the right way but clearly not quite as fast as we perhaps might like.

Let’s just ask the question again, this is actually some research that was done last year looking at perhaps why is the board not considering this in perhaps the way they should do and some interesting responses here, you know, there is still perhaps a dominance that the board feels that this is an operational matter, that this is something that management and IT should be considering and not something worth raising attention to the board. The [inaudible 00:21:23] liabilities surprise me a little bit because you would think that from a liability point of view directors would want to be taking some level of responsibility for this and making sure the company is fulfilling, the board is fulfilling its duties to manage all potential risks to the organisation and I always give the analogy, when we look at why boards don’t get involved and so on, I always give the analogy of the situation where instead of thinking it’s a virtual attack where you’ve actually got almost a physical attack against the company’s premises and offices and if you were to look out the window and saw a bunch of guys hanging around the entrances to the building trying to break through the front door, trying to find windows, and if you knew that they managed to break in that they were basically going to ransack the organisations offices.

They’re going to steal financial information, they’re going to basically, potentially take the system down, take the whole organisation down in a matter of days or weeks, then we wouldn’t be saying, “Oh well that’s just a matter of the security guards”, we would be obviously making sure that the building and the organisation is protected in every potential way to protect against that particular threat eventuating. But when it comes to cyber issues and it comes to virtual issues then there’s always that perhaps a reluctance to engage and don’t see it at the same level of threat but in fact it’s actually greater because, of course these things are happening continuously, every single company is actually continuously under attack, whether you see it or not, you know, every single one of our networks is being continuing to be scanned for weak points. We can be sure that sooner or later a weak point is going to be found and it’s whether you’ve then got the defences to back that up so that that weak point doesn’t result in an actual cyber breach.

I will just pause with just another quote here, and again just to reiterate the point I was making at the beginning is that there really, you know, the board has to take some significant ownership of [inaudible 00:23:24] from a government structure point of view, you know, whether or not you give this to the main board or, for example, a lot of organisations typically will assign the responsibility to audit and risk, if you have an audit and risk committee, although Ernst,Young have actually suggested that for organisations where this a significant risk being a financial services for example, there maybe a goo argument in place to actually have an independent committee which is focused on nothing except cyber security and obviously that committee would have the CIO or if you have one, the CIFO which is the information security officer, chief information security officer, reporting into that committee and making sure that again this is being given the time and attention on the agenda that perhaps, you know, that it needs. So something to consider with your own organisation, you know, every organisation obviously has a different risk profile and the outcome of a cyber attack will differ by organisation but certainly when you’re looking at the government structure perhaps audit and risk or an independent committee may be the way to tackle it.

So next slide just on who is being targeted here, this is global data not Australian data in particular. The key message here is that there is no organisation which is immune from attack and we did this talk in the not for profit community quite a lot as well, and not for profit may feel they’ve got a very small target on their back because what’s, there’s not for profit from attacking a small not for profit regional organisation but the reality is that not for profits are often the most commonly breached because they often have the weakest cyber defences, if you’re in the not for profit sector you may well not have the resources to be able to devote to it, you’re probably relying perhaps on volunteer to manage your IT networks, your volunteer resources, so it’s often the not for profits who are most commonly attacked.

Government again, you know, US government of course has had a number of serious breaches which is why they’re spending so much money on cyber security but I think we can be sure from the statistics we’ve seen pretty much every organisation is potentially vulnerable to an attack. We asked the question at the beginning, is your board part of the problem or part of the solution? So we’ve identified that boards need to be taking some, quite a lot of ownership of the problem … I see some good questions coming in so we’ll make sure we pick these up at the end of the session, sorry unfortunately our labels here got a bit messed up on the slide but no matter, the key message here is that senior executives and board members are often one of the most targeted, so we talked about the fact that a lot of attacks these days are coming through spear phishing attacks and we talked about the fact that some of the attacks in place, for example, targeting the HR department, are looking for information perhaps about senior executives and that is because these are the people that the hold the key to the kingdom, they hold the keys to the castle and of course if I can do a successful social engineering attack or an attack against a senior executive or board member I’m going to get much richer pickings from that perhaps both financially and also with the amount of information and the sensitivity of the information that person has access to.

Why are the board and exec team vulnerable? And again there is really a couple of area where we need to be thinking about this when it comes to the board level, and obviously as we’ve said, you know, there’s a lot of sensitive information being handled by the board and senior executive team that could of course be very damaging if it’s leaked. Also what we do see at Diligent is a lot of organisations of course are sending information to board members through perhaps less than secure distribution channels and the classic ones of course are perhaps email or file sharing information which we’ll talk about a little bit later on, and of course the reason [inaudible 00:27:47] if you’re sending personal information through insecure channels then [inaudible 00:27:52] privacy principle eleven which covers security of personal data, you know, there’s always a possibility that something goes wrong that could be deemed to be a breach of APP eleven. There are a number of cases which have come out where, you know, as we saw in the earlier statistics where we saw the, a lot of information being accidentally disclosed through emails and so on.

We’re going to move fairly rapidly through these and again you may well be familiar with some of these, already we’ve kind of alluded to them already. Spear phishing attacks where we have the targeted emails that we talked about. The dark hotel is an interesting one that you may or may not have heard of before, this is an attack that came up a year or so ago and I got an update on this quite recently to confirm it’s still taking place, not so much in this country to be fair but certainly across Asia pacific and the way this works is very simple; we all know when we check into a hotel typically especially if you’ve being on a long flight the first thing you probably want to do is check your email and just get an update on what’s happened since you’ve being out of contact with the office.

The first thing that happens is you log onto the hotel wi-fi, now most hotels these days the wi-fi typically you enter in your last name and the room number you’re staying in and then you get online. Now that makes it very easy for someone spoof that wi-fi network, so I can set up a little, book a hotel room where I know somebody is going to be staying in a room nearby, set up a little fake wi-fi network and then when the person logs on they think they’re logging on to the hotel wi-fi in fact they’re logging onto my little private network and I can then use that network to intercept the communications and steal data. It’s certainly a genuine threat, certain countries in Asia pacific are more vulnerable, there’s being a number of reports on these, I will say that Korea, South Korea is actually one that is being reported most often for this [inaudible 00:29:49]. It’s certainly worth checking, making sure that when you log into the hotel network that you can check and you talk to the hotel reception, they can help you make sure you are logging onto the true network and not some spoof network.

So we’ll kick into our next question and again I will say, have you ever had a cyber attack such as a phishing attack against your organisation employees and executives? Now this is anonymous, we’re not recording the details of this, if you put yes in it’s not going to go back at all but I’m just curious to see what the, whether the statistics we see on this reflect what we’re seeing from the wider data collection, in fact wow that’s an amazing statistic, eighty eight percent of people saying that yes they’ve had some kind of cyber attack. I would love [inaudible 00:30:46] more information about that but I think that statistic speaks for itself. Thank you, so I would like to draw you to hopefully some practical advice. We’ve talked about the threats, we’ve talked about the fact that, you know, are the board potentially part of the problem? So now we would like to talk about, how the board can be part of the solution and there was a great question asked earlier on about how do we keep the board discussion at strategic level rather than getting down into details and no one wants to be talking about fire wall walls and so on in a board deliberation of course.

We’ve got a few principles here, again you will see these when we get the slide distributed at the end of the presentation, and the way that I position this is the board almost needs to see itself as part of the cyber defences, you know, obviously board members as we say cannot be involved in the details necessarily of the cyber defences but what they can do is look at this as a risk management point of view and also from a compliance point of view. Now we talked about APP eleven, we talked about there are particularly if you’re [inaudible 00:31:56] regulator then of course there are additional implications around cyber security and the responsibility of the organisation to manage risk. This is basically to understand some of the potential compliance risks facing the organisation and first point is, and this is a really important one, is they need to have access to expertise, so effectively if you’ve got a CIO or a CIFO who is responsible for cyber security in the organisation then my suggestion would be rather perhaps getting a, whether it’s a quarter report or six monthly report, in a brief presentation from the CIO to the board just outlining at a strategic level how the organisation is managing this and then we’ve got some questions which we can then help the board ask the right questions of management to make sure that resources are being sufficiently directed in the right location.

It is, as we said earlier, this is a risk management issue, so like any risk that the organisation faces the board needs to face that it need to consider it as risk management and again obviously it’s about ensuring that we’ve got both the plans and the resources in place to be able to manage this risk on an ongoing basis. Like any risk management there’s some risks that you may say, “Look the cost of mitigating this risk is too high so the reality is with some we may have to accept and of course there is also cyber insurance available now to help mitigate the risk as well, so you can at least transfer that risk, you know, again it’s very hard to insure against reputational damage for example but at least if it’s financial loss resulting from a cyber breach then at least some of that risk can be managed by insurance as well.

There are a number of questions which the board can be asked, unfortunately I don’t have time to delve into these in huge detail but I will take the first five and I think these are great questions when you do have that presentation from the CIO coming up, you known, in the board agenda pressing the board with some of these questions so that they know the areas they need to be focusing on as board members is a great place to start. Of course the first question, as we’ve being looking a little bit in this presentation already, is are things getting better or worse, you know, do we see there is a gap between our capability and the threat, is it increasing or is it decreasing? Are we closing the gap? Because threats are obviously evolving and of course we cannot be static in our cyber defence strategy so are we getting better or worse? Next question is how are we doing relative to our peers? Again there’s a lot of information sharing that is taking place around cyber security, do we feel that we are doing enough compared to others in our industry, in our sector?

Of course when it comes to risk management again are we comfortable with the decisions that management is making around security relative to the potential risk to the organisation? And again that will vary very much according to your sector and the size of your organisation. When we do have limited resources and this very much ties into the earlier comment about if you’re not for profit then how do we make sure that we’re, what resources we do have are being applied perhaps in the biggest holes or the biggest threat to the organisation and you know a classic example is your website, you know, if your website is being defaced, and this does happen, it is one of the most common cyber breaches, is that looks ugly but it can be used to be rectified quite quickly. Now of course if you’re a big high profile organisation reliant on your website then that obviously can be critically important because it is going to create a very bad impression on the market if your website and your main trading platform has being breached.

Is it just brochure ware and it’s just advertising your address and your company services, yeah maybe not so much and that’s not going to be such a big topic for you. Final bullet point, how we doing again, what’s our confidence level? How do we feel that we’re progressing on this journey? Few more questions again, just because we’re a little bit short of time we’re just going to move forward from these but hopefully nothing there that should too surprising for anyone. Just to come back to a little bit about some of these myths around cyber security, particularly when we are dealing with the board, I’ve just got three myths that we’ll touch on because these often come up as practical questions when we do these presentations and it’s usually around some of the tools that we’re often using in the GRC for communication and one of the most common is that email and file sharing tools like Dropbox are great tools and actually quite appropriate for when you come to board communication, board collaboration and from Diligents perspective and certainly what the research shows is that these tools are often part of the problem, certainly not part of the solution.

The reality is once you send information through email or Dropbox or any of these typical file collaboration tools is you’ve kind of lost control of them. Now Dropbox will tell you that the data is actually encrypted but the reality is that only the file contents are encrypted the file names are not and as soon as someone drags the file out of the Dropbox of course you lose all that encryption out of the system all together. From your point of view if you’re looking at using these tools then always be aware that they do have potential security vulnerabilities. PDF as well, the reality is that sending out password protected PDF is not a secure way to transfer information, there are a lot of tools available again you can see here two point three million results on Google for just the general, can I decrypt a PDF? Again encrypted PDF not a secure way to actually keep your data secure when you transfer into your board members and your executives.

Then finally this idea, and we hear this quite a bit, I want to keep my data secure I kind of need to keep it in house, again research has shown that actually we looked at those threats earlier, we saw that employees are one of the most common attack vectors either deliberately or accidentally. Employees are the most common source of compromise, security compromise and so third party providers, I will put Diligent name in here, like Diligent who focus on nothing except security are often a better way and a more secure way to actually look after confidential data such as board papers and so on. This just summaries and this paperless spectrum slide just summaries what we’re talking about here and we’re looking at the whole range of methods of transferring information going from the hard copies, you know, transferring data to board members from hard copy through to obviously something like Diligent which provides a secure board portal for keeping data secure, encrypted and captured end to end throughout the board communication process and so on.

This kind of brings us more or less to the end of the presentation. I’ve just got one question that I’m really fascinated to learn about for everyone participating here is how you’re currently distributing papers and documents to your board today. So who is using the file collaboration tool like Dropbox? Who is using email and who is still using the hard copy actually physically sending papers in hard copy form? Interesting mix coming out, so quite a few people sending PDF documents by email, a few people using the file collaboration like Dropbox, a small, about twenty five percent currently using a board solution, I know some of those are actually using Diligent board. Interesting cool, thank you to everyone for that information.

Just to wrap up here, so what Diligent boards is providing for you is really end to end security of everything that we’ve being talking about today, so when it comes to security information at the top level of the organisation Diligent boards is really providing that end to end solution where we’re keeping our data encrypted, we’re making sure that the data is kept secure at all points on mobile devices so if we do lose a mobile device for example we’re not risking compromise of the data and we’re making sure of course that you’re board members always have end to end access to the information at all points in time no matter what might be happening out there. I think we’re now at a point where we’re pretty much ready to take some questions here. We are happy to distribute the presentation, we will capture the results of this one, so if people would like a copy of the slides that we’ve being working through particularly with the questions in it we’ll be happy to send those through to everyone, so thank you and pretty much everyone would like a copy, that’s great we’ll make sure everyone get’s a copy of the presentation.

Really I think we’ve got a few questions, how are we doing for time Kate?

Speaker 2: We are running exactly on time so if people are willing to stay online we have a few questions here which we would love to cover. First one we have from David, has the use of the cloud increased the threat of attacks?

Speaker 3: I think that very much depends on which cloud providers you select. There are a lot of people out there offering cloud solutions and I think from the point of view of anyone selecting a cloud provider it’s about doing the due diligence on the provider, making sure that they’ve got the security credentials, you know, for example there are well known standards like ISO twenty seven thousand and one, any cloud provider who is offering services and claiming they’re secure should be able to point to credentials like that or regular audited and penetration testing, so there are, certainly if you use cloud providers judicially you can actually improve your security because these providers if they’re doing their job well will be putting the resources and effort into ensuring their data that their solution is properly secured, at the end of the day that’s their business but if you, again there’s lots of perhaps weaker providers out there that want to be avoided and again just by asking a few questions about their credentials and history you should be able to separate the weak from the [inaudible 00:42:43].

Speaker 2: Right thanks Al. Second question we have is from Stacey and her question is, how do you keep the board discussions at the strategic level rather than getting into too much [inaudible 00:42:56]?

Speaker 3: Yeah that was a great question and we sort of covered some of that already and I think it’s better to have a presentation, again it’s making sure that when the board is being presented with the data they’re being presented with the data that is strategic and not detail. So if you have a CIO or CISO in your organisation having them come and do a brief strategic presentation starting with the questions which we looked at in the presentation, you know, you can definitely keep the level and where things tend to fall down is you’ve got a techy on the board who loves talking about techy then sometimes a conversation can quickly delve into technology but really the rest of the board will probably make sure that the conversation style stays at more or less the right level.

Speaker 2: Right, thank you Al. Lots of questions coming through, we have another one here, Andre has asked; would you agree that the boards need to be trained in cyber security?

Speaker 3: Definitely and I think that’s a great question and when you come to the board cyber security is a journey you cannot expect, if your board has not being dealing with this issue then you can expect them to suddenly start really understanding how becoming [inaudible 00:44:04] issue straight away, so really what you start with is you start with a gentle introduction with something like that, you know, a fifteen presentation perhaps every six months, then we start to build up the expertise on the board by having more regular reports more regular detail without getting too much into the nuts and bolts and [inaudible 00:44:23] of cyber security but your board can certainly start by learning by educating themselves and being educated by the management around some of the questions that they should be asking but it is a journey and it’s a journey without end to be honest with you.

Speaker 2: Thank you Al. The next question is from Marina; how much does encryption lessen risk?

Speaker 3: Massively along as it’s well managed. Encryption of course, you know, if you’re encrypting your data which is scrambling it that does nothing to help security if the encryption key itself is not also well protected so encryption, you know, for example we take something like an encrypted PDF that is basically being protected with a password which can be what’s called group forced. If you’re using encryption very well and using strong encryption keys and you’re making sure the encryption keys are well protected that can make a big difference to helping security but again it’s a huge issue, we can talk about encryption for the next hour and a half alone, so you’ve got to make sure that your keys and your data are being well managed and kept separate.

Speaker 2: Now we are, obviously we’ve run over by nearly five minutes already, so we are aware we’ve got a couple more questions here, one from Carly and another one from Marina and another one has just come thought, I think it would be best if we can just hold those.

Speaker 3: Yeah we’ll respond, for all the questions that we didn’t get to and thank you everybody for your questions it’s really appreciated we will get responses back with full answers to those. That was great to see those questions come through.

Speaker 2: Thank you Al, really appreciate it, I hope everyone has enjoyed the webinar today. Just so you’re aware the presentation will be also available to you all if you’ve requested it and in addition the recording will be available on our website by Friday this week at Diligent.com. If you need any further information from Al or myself you can contact myself kellis@diligent.com. I believe we will be able to end the webinar. Thanks very much for joining.

Speaker 3: Thank you.