Cybersecurity: Is your board leading by example?


Diligent host: Good morning everyone. Thanks for taking the time to join today’s webinar with Diligent on the subject of cybersecurity. For some of you this is the third webinar you have attended in our series. We hope you found the first two useful. For those of you who are joining us for the first time today, welcome.

I’m joined today by my colleague Charlie Horrell who is the managing director for Diligent in the Europe, Middle East, and Africa region. Before we get started today I have a couple of housekeeping notes. This webinar will last about 30 minutes. We are recording it and a copy of the webinar will be sent to everybody that registered within the next 24 hours. If you’d like to ask any questions during today’s webinar you can do so by the ask a question pane on the right hand side of your screen. We’ll answer as many questions as we have time for. Anything that we don’t we’ll come back to you over email.

Finally, we have a couple of polls that we would very much like you all to participate in and you can do so using the voting buttons, again on the right hand side of your screen. With that I would like to hand you over to Charlie to go through the main part of today’s presentation.

Charlie: Welcome to you all. I’m delighted that you’re joining us this morning. This is the agenda we would like to go through with you. Firstly, to look at the landscape of cybersecurity and the threats it represents and why they are important to all of us. Then, four myths concerning security and in particular the documents you may send to your board members and how to keep them secure. Lastly, a little bit about Diligent Boards security features and how they can help you keep your information confidential and secure.

Before we get any further I’d like to ask you please to undertake this poll that we have here. How are your board materials currently distributed? We’ve provided five options for you here. Do you print them and distribute them by courier? Are they PDF documents that are sent by email? Do you use a file sharing solution such as Dropbox or SharePoint? Perhaps you have a custom-developed application that is built and used by your colleagues. Do you use a board portal, such as Diligent?

We’ll see, the results are coming, just give it a second or two more. 70 percent of you have voted, 90. What we’ll do there, can we have the results please? Thank you. 25 percent of you print documents and send them by courier. 45 percent send them by email. 5 percent use a file sharing solution, actually 5 percent of you have a custom-developed application and then 20 percent of you use a board portal solution. Those are pretty common responses, and fine. It paints a picture for all of us.

What we have here are the results of a piece of research undertaken by the Ponemon Institute, who look at security on a worldwide basis. This is what they do. They undertook this research in June of last year and they were asking the question whether the boards of directors of organizations understood the security risks that these organizations faced. On the left hand side they asked the board of directors and on the right hand side they asked the IT security experts of the same companies the same questions.

With the board of directors, approximately a third strongly agreed with the statement that they themselves understood the security risks. 38 percent, just a bit more than a third, agreed with the statement and 30 percent disagreed. So 30 percent themselves recognized that they do not fully understand the risks that their organization faces in security matters.

However, if you look at the answers of the IT security team, it is different. Only 21 percent strongly agreed with that statement, 22 percent agreed, but fully 57 percent disagreed. More than one in two IT security experts believe that the board of directors of their company does not understand the security environment that they are working in or the risks it represents. If you think about it, that’s quite a remarkable statement. One in two, in their opinion, don’t understand.

We’re going to ask our second and final poll here, which is: in your organization, the one you work for now, do you think your board members understand the security risks of your organization and in particular the cybersecurity threats? Do you think if you went to your board members now and asked them, do you really understand the situation, you would be able to strongly agree they do, agree they do, or disagree, similar to the IT security experts?

The results are coming in. We’ve had just over half of you voting. 60, 70 percent. 90 percent, okay let’s close it there please. What have we got? Look at this, that’s interesting. 12 percent of you strongly agree with the statement. 28 percent of you agree. So 40 percent of you agree with the statement that your board understands security risks. 48 percent, so one in two of you, believe that your board members do not understand the security risks and 12 percent don’t know. Honestly, that’s remarkable if you think about it. In this day and age it is truly remarkable that you and we believe that board members don’t understand security.

Why is security not on the board’s agenda? I can tell you from personal experience that it is rarely there; in fact security altogether, not only cybersecurity, is rarely on a board’s agenda. I used to work for a very large French technology company. Great big thing, very valuable, and we worked out of an office in the west of Paris. Beautiful art deco thing built in the 30s, renovated. It could only be in Paris. The canteen was fantastic, it was wonderful. It was built on five floors and was in a square shape. To move around the floors and up and down the floors, you had to badge between them. You had to use your security pass to get between them.

Frankly, much in the same way as I have to do to come into my office here and I’m sure for most of you, going into your offices each day. The one place where this did not apply, the one part of the entire building where there was no security badging required, guess which it was. I think you probably can: it was the management floor. It was the floor where the CEO, the CFO, the general counsel worked, i.e. the people with all the juicy secrets were deemed not to need to badge in and out.

Frankly, if you’re going to steal the secrets of an organization, I think that’s the first place you’re going to look. In many cases, boards are not leading by example in this environment. Why is that?

These are the results of the survey Ponemon undertook last year. 80 percent or so feel that security is best handled by the company’s management. 50 percent are concerned about director liability. That’s an interesting concept; what the directors are saying there is that they are concerned they may have potential liability if they get involved in looking at the security of the material and information and assets of the company. That’s remarkable when you think about it. 25 percent felt they lacked expertise and knowledge. 15 percent didn’t have resources.

Either way, when you look at it, it is clearly not a board item and in our opinion, it damn well should be. We disagree with this and we really feel that boards should be looking at security.

If we look at why, these are the results of a survey undertaken by PricewaterhouseCoopers, PwC. Last year, 2015, fully 90 percent of large companies had a data breach. Nine in ten. That was an increase from 81 percent the year before. What happens if I work for a small company? Surely I’m not of interest, no data breaches here. Actually, you’re wrong. 75 percent of UK companies had a data breach last year and that was an increase on the year before. Really, at least three in four of the companies you represent will be facing a data breach this year. It is not a theoretical problem. It is a real problem.

I can tell you from experience that our customers are worried about this. I went to see the company secretary of one of our large 4,100 customers about four years ago and I said, is this a hypothetical problem or a real problem, data breaches? He said, looking me in the eye, I honestly tell you that each day, and this is four years ago, we get at least ten attempted hacks of our data servers, of our corporate servers, coming from China. It is not a trivial matter, it is really important.

If you look at cybersecurity in the news, it’s clearly becoming more important. We may all have a giggle at reading the emails of the head of Sony Pictures being rude about the talent or lack of Angelina Jolie, but if we are customers of Carphone Warehouse and our credit card details had been made available on the internet, I don’t think it’s any laughing matter at all.

What I’m going to show you now is a website, norsecorp, which is actually showing real cyber attacks, real threats going on right now. This is not something dreamt up by a 14-year-old in his attic trying to imagine H.G. Wells’ War of the Worlds, this is real stuff going on. You see all the dots going across the map. If you look at the left hand side, attack origins. Right now 439 attacks are originating in China, remarkably 400 from the States. South Korea, Netherlands, Germany, and the UK with 51; even in the UK 51 cyber attacks right now have originated from us in this country.

If you look at the targets in the middle, the States is the largest target group. Then, remarkably, I find this incredible when I look each time, the UAE, so the Middle East is a high risk environment. People are trying to attack companies there. This is just a visualization of what’s actually going on right now. Don’t think for one second it’s not a real problem. It is a real problem for each and every organization.

If we look at what actually constitutes a threat, what causes problems, guess what the answer is. It’s us, it’s humans. It’s you and me and all of us. We are the single biggest threat that organizations face. Rarely is it deliberate or malignant; it’s normally just a mess up. It’s an error, it’s human beings being what they are. We constitute the biggest problem. 90 percent of all security incidents start with humans, with us. Don’t ever think that we’re not infallible, we clearly are fallible.

What I’d like to look at here is four myths concerning documentation, the passing of documentation, not only for boards but in general cases, and the actual facts around them. The first myth is: if I use my work email, not only is it quick and easy, but also it is secure. I can pass it securely within my domain, within my Diligent domain for me and in your corporate domains for you. However, the fact is once you send an email, you clearly lose control. You have no ability to pull it back or delete it. How many times have we had that fat finger problem where it’s gone to the wrong person, and you think, oops, that shouldn’t have happened? We all know once it’s gone, it’s not coming back. Equally, you can’t stop someone sending it on if they’ve received it. This may be inadvertent, but it happens, it’s a real problem.

Myth two: I can password protect a PDF. Surely that makes it secure. The reality, I’m afraid, is this is not the case. If you do a very quick and simple search you will find there are more than 2 million links to how to hack an Adobe PDF. Frankly, it’s trivial. If you were to send an Adobe PDF, it would be very easy for someone to get around any password protection you might put on top of it.

Myth three: if I provide an electronic copy, it’s always going to stay electronic. The reality is if you send an email with PDF or Word or PowerPoint attachments, it’s hard for the recipient. It’s difficult for them to fit them on the screen, to get them to read. All they will do, I’m afraid, is press Control-P and print it out. They will get multi-page documents that will then simply be sitting on their desks and they will then easily lose them or have them stolen. Sending things electronically doesn’t mean they stay electronic unless you have controls in place.

Myth four: data needs to be in house, stored in house, to be secure. I’m afraid the facts don’t support this. First of all, employees are the most common problem for data theft. This is not … This is just human nature. We all like to be curious, we all have a little look in the corporate secrets of our organizations to see what the boss is paid or what they think of this person. It’s how people are.

However, for third party providers, it’s what they do, they are secure. This is their day business, it’s all they do. Certainly in Diligent’s case, it’s all we do and we have the technology and the facilities and the testing to undertake it to make sure they stay secure. Indeed, we encourage our customers and prospects to do all the testing and penetration testing they wish to, to make sure that our storage is secure.

Lastly, with third party providers what you get is a support service. You get a 24 hour a day facility where, if there are issues or incidents or threats, they can be reported. You can get help from us on everything from the most trivial things, such as forgotten passwords, through to more serious incidents. Those are the four myths that we often see concerning board material and the facts around them.

What does a secure process actually look like? What happens is the documents start with the administrator. They come in different formats, Word or PDF or Excel, whatever it is, and they’re encrypted at the point of being uploaded into our technology using something called 256-bit encryption, which is extremely complex, very high powered and in essence is uncrackable. I’ve had our head of security explain to me how long it would take to crack a piece of documentation that was encoded with 256-bit encryption and frankly there is not the time in the world to ever get near it. It is hundreds of hundreds of years for anyone to even think about doing so.

It’s secure at the point of uploading. They’re then held in our data centers in a very secure way. There are physical guards, there are cameras, there’s technology, there’s all sorts of security monitoring to make sure that they are held in a secure way. Lastly, they are brought down to the board member via the application in an encrypted format and are only decrypted and read once that person has permission from the administrator, has the correct device, has the correct username and password, and only then do they become clear and readable.

Let’s look at some of the security features that Diligent provides. We have our overarching technology of encryption and all this 256-bit stuff, but we also have a number of features which are configurable by the client to meet their individual needs. No two clients have exactly the same needs, so we’ve tried to be as flexible as possible here by providing greater depths of security to meet what you might like.

The first is very simple, a secure sign in. Every business would have that. We would give a username to each director, we would give them a password. You can see on here you have the help numbers beneath that; if you’re in a different part of the world this would show the help number in America or Canada or Japan or wherever. There’s a secure sign in. You’re given a dummy password which you’re then required to change when you first log in; it then becomes a password that you’ve entered and only you know.

You’re then asked to provide security questions. What we’ve tried to do here is ask you questions that can’t be found by Google search. We have ones around your sister or your dog and, I still find this quite unbelievable but it is true, we have in here a question which I have asked many of our customers and frankly I’ve yet to get an answer that I think works. But anyway, let me ask you the question, which is: do you know the name of the first person you kissed and would you like to put that in here? If you feel confident you know the name of that person and you want to put it in, you can use that as your security question.

We have something called device authorization. This limits access to our solution to specific devices. If you want to give corporate devices to your directors, we can then lock it down so it’s only those devices that can be used, and if I was to steal the credentials of a human and use them on another device, it simply would not work. You can control the users’ roles and accesses; in this case Ben is given certain permissions. They’re given these permissions calmly on a Monday morning at 10 o’clock, rather than panicking at seven o’clock on a Friday night when documentation needs to be sent out. Because that is how problems start.

Here we have already decided that he can have access to certain boards, certain committees, but not equally to other boards or other committees. It’s done in a calm way with us helping you. You can hide documents from certain users. Typically, all board matters would go to all board people, but if you’ve got remuneration papers concerning a board member or the CEO, then typically these would be hidden and would not be accessible by this person.

You can define when someone can have access. If I join the board of a company on the 5th of April, I can only have access from that date going forward, so there’s no issue of me reading previous documentation. Equally, on the other side, you can stop access point blank. We had a case about three years ago where the CEO of a very large bank, probably one that a lot of us use, was fired. He was fired at 10 o’clock on a Sunday night, UK time. All problems seem to happen at 19 o’clock on a Sunday night, it’s one of the rules of life. He was fired and at two minutes past 10, and I promise you this is true, we were phoned and told to remove this person’s access to the board papers of this bank. We did it and that person has never been able to access those papers since then. Having this ability to turn control on or off by date, immediately, is extremely important.

You can prevent further distribution. As I said earlier, there can be cases when people may wish to print additional pages, for example the budget or the financial results. You may consider that to be fine or you may consider it not to be fine and not allow this to happen. It’s entirely up to you. In this case, what we have is “allow book to be printed”. If you don’t allow it to be printed, the default is no, it can’t be printed, and it will stay electronic on the iPad and will not come off it.

Here we have a screen showing other forms of distribution. This may look complicated to you, but what would happen is our account manager would sit down with you and go through each of these things and ask your opinion in common language, in easy English, to understand whether you wish for this person to have these roles and these permissions or not. Once it’s set in our system, it won’t be altered unless you alter it for them.

This is how Diligent Boards can help you. You can control access to your data. It is encrypted in transit and on devices. This is an interesting thing: we don’t track electronic footprints. By that I mean when a director logs in, or indeed doesn’t log in, it’s not recorded by us. Why, comes the question. The reality is that for a lot of companies there is the potential for it to be slightly embarrassing if it became clear that a director had not really read the papers very well, and if there was an audit and if a decision was taken and if it became clear that Charlie hadn’t really done their work, that would not be ideal. We deliberately do not track footprints.

However, we do deliberately do repeated regular audits of our solution and penetration testing. We encourage clients and prospects to do exactly the same. We have never said no to a penetration test and we never will. We have redundancy locally and data backup elsewhere. Our facilities in Germany are 120 kilometers apart. If there was to be a cataclysmic problem at one, the other one would boot up and be working in a matter of seconds and would be unaffected.

Just one slide and no more about Diligent. We were founded in 2001, so we’re 15 years old this year. We have 3,900 companies using us right now, which makes us by far the largest provider of portals in the world. 120,000 board members and executives and administrators use this right now in 72 countries; I guess there aren’t many places left where we don’t have a human being who uses our solution. Lastly, on the right, you’ll see the number about which I think we’re collectively the most proud, which is the client retention. Fully 97 percent of our customers, once they’ve joined, stay with us. The three percent who leave are typically the result of mergers and acquisitions, often between clients of ours, where client A buys client B, but then we remove access to client B because it no longer exists. That’s the one that makes us the most happy in this environment.

With that, have we had any questions?

Diligent host: Yes, thank you Charlie, we have a number of questions here. The first one, which has been asked by several of you: we are using an in house solution to send out our board papers, what are the potential security risks in your opinion?

Charlie: I saw on the poll that actually quite a few were using in house. Frankly, we don’t see that very often, so it’s interesting that we’ve got you folks on here today. In essence there are two problems from a security aspect. The first, I’m afraid to say, is that if there are going to be problems with this sort of solution it’s typically colleagues of ours who cause the problems, so your colleagues in your organization, where it’s Friday night, the IT guy is sitting down in the bunker, he’s feeling a bit bored and he taps into the solution and he brings up the, because they control it, if it’s IT internal they control it, and they bring up the CEO’s remuneration or the assessment of the CFO or whether they’re going to fire this person or that person.

In large part, that’s due to the humans internally, but the other thing, and this is more important and actually more relevant, is that for organizations who build their own solutions, it’s not their day job, they do it on the side, it’s not what they’re typically very good at. In the same way that I wouldn’t build a lock for the front door of my house, I go and buy it from an expert. In this situation you’ve got amateurs trying to do something that businesses like Diligent do all the time, and for something as important as this, that substantially increases the security risk. Any others?

Diligent host: Thanks, Charlie. Another interesting one that’s come through is our directors simply won’t switch from using paper. What would your recommendations be for building a business case from a security perspective?

Charlie: This is something we get relatively often. We have someone coming to us saying we’ve got members on our board who are happy with paper, they’re 75 years old, we don’t see them wanting to change. My response is always fine, absolutely do as you please, we’re not going to force it. Typically lead by example, but actually you will often find that they will move over time once they see how easy it is for others.

That’s not the business case. The business case breaks down on two things, underpinned by two things. The first thing is if you’re printing and distributing books, typically multiple copies because there are late papers or amendments, that of itself has a cost. Far greater than that is the potential cost of a cyber attack, both in terms of monetary loss but actually, in this day and age, more importantly, reputational loss. If you are hacked, and that becomes something that the rest of the world becomes aware of, your reputation will suffer.

All this Panama stuff we’re reading about in the last two days. My guess is, somewhere in Panama right now there’s someone saying, damn, I wish we had used Diligent Boards to send that information out, then it would have been secured and we wouldn’t find ourselves all over the front page of too many newspapers. Do you think that law firm’s got a future? I think it’s dead in the water. I have no knowledge by the way, but my guess is it’s not a happy situation to be in.

Security, reputation, it’s too important to put down to something that is amateur.

Diligent host: Another question, Charlie, is in your experience has the implementation of the Diligent service ever gone wrong?

Charlie: Ever gone wrong? We have about 750 customers here in our London office. I think none of them have ever gone wrong. Once in a while we have customers who say they want to be live on a timeframe that is too short. We need about four weeks to get a customer live and they say, it’s April the 5th today, we want to be using it April the 10th, and I just refuse. I say no, that’s too quick, you’re going to get yourself into trouble.

If someone comes to me with a deeply unreasonable time frame, I’ll say no and I will in fact take the service away rather than do that. Typically we have reasonable conversations with clients; they have four weeks, we train them properly, their directors are trained. No, I think, hand on heart, we’ve never had an implementation that goes wrong and I clearly hope to keep it that way. Thank you, any more?

Diligent host: We’ve got time for just one more. This is a really interesting one. Is Dropbox more secure than sending PDFs via email?

Charlie: Is Dropbox more secure than sending PDFs via email? I think the honest answer to that is no. I think they’re both pretty insecure, but Dropbox is certainly no more secure than PDFs. I think if you do another Google search on hacking Dropbox, you will find something like two million hacks of how to get into Dropbox. I think actually it has been proved to be … It’s an amateur solution. It’s what you and I should be using for sharing our holiday photographs with our nearest and dearest rather than sending out corporate information.

I think the honest answer is no, Dropbox is not any more secure, at least to the best of my knowledge, and both of them are pretty insecure, certainly for sending out corporate information.

Diligent host: Thank you Charlie, we do have a couple of other questions but they’re very specific to certain individuals and organizations, so we’ll come back to you over email on those. That does bring us to the end of today’s session. We hope that the webinar today has given you some food for thought around your own internal security processes and measures. What’s next? You can visit our website, www.diligent.com, and there you will find a huge amount of resources, not just on security but on board portal implementation, adoption in general, and there’s also a large number of success stories from our existing and very happy customers.

There is also the option of scheduling a demo. You would have seen Charlie’s contact details on the previous page. If you would like to get in touch with Charlie directly, please feel free to do so. I will also make sure that I send out contact details when I send around the recording in the next 24 hours. Thank you very much for joining everyone and have a great day.

Charlie: Thank you very much.

Diligent host: Bye bye.

Charlie: Bye bye.
