Cyberthreat and Securing the Board: Three Misconceptions That Undermine Board Security
Diligent Webinar: Good morning, everyone, and welcome to today’s webinar with Diligent. Today’s topic is Cyberthreat and Securing the Board: Three Misconceptions That Undermine Board Security. I’m the senior marketing manager here in the UK and Ireland. I’m joined by my colleague, Nathan Birtle, who’s the VP of sales and business development here in EMEA.
Before we get started today, I have a couple of housekeeping notes. This webinar will last approximately 30 minutes. We will provide a copy of the recording of the webinar in the next 24 hours, and you can feel free to forward this along to any of your colleagues or board members who may not have been able to join us today. If you’d like to ask questions at any time during the webinar, you can do so via the Ask a Question pane on the right-hand side of the screen. Any questions that we don’t have time for, we will come back to you over email afterwards.
We do also have a poll for everyone to participate in today, so it would be very helpful if you would participate in that for us. Finally, the topic of today’s webinar is cyber security, as I said. Along with the recording, I will share a copy of the white paper on which today’s webinar is based.
With that, I’m going to pass you over to Nathan who’s going to deliver today’s content.
Nathan: Thank you. I’ll show you now the topics for discussion over the next 25 minutes or so. Really, we’re going to cover 4 different areas. Firstly, an initial assessment of current technology, cyber security and the impact that has when it comes to assessing your board and its requirements. Then, we’ll look at three security misconceptions that are common in the industry today, and really should be understood in greater detail to have a realistic assessment of the threats around your security at the moment. Then, we’ll give some guidelines as to how you can evaluate board security, with again three simple questions, and a way to set a secure example so that board level communication is done in as effective and secure a manner as possible.
However, before we do that, we’d like to conduct a quick poll. It will help position us for the remainder of the webinar to understand how you work with your documents and distribute them today. You’ll see there are 5 voting options for you, and if you could select one of these now according to how you prepare and distribute your material. They range from printing the documents and distributing via courier. Maybe you use formats such as PDF or Word, and are sending those documents out via email to the attendees of the meetings. Possibly, there’s a Dropbox, SharePoint or other file sharing solution in place that you’re using. You could be having your own in house custom development system, we see that sometimes. Or, maybe you’re using a board portal such as that provided by Diligent.
We’ll keep the poll open for a little bit longer, and we’ll display the results in a second to show how the people participating in the webinar today currently use that information.
It’s not uncommon in previous webinars in this series to see the majority of people using printed documents or PDF. As we see the results now, it’s a similar pattern today; in fact, 27% of you print and distribute by courier. 36%, is that, with PDF documents by email. Then, some are using Dropbox or SharePoint, and a few are using a board portal. That’s not out of line with what we see in the industry in general, and hopefully some of the topics that we talk about in the remainder of this webinar will be helpful to evaluate how those people, especially those printing, using PDF or Dropbox, SharePoint, those sorts of services, may possibly improve their security for boards in future.
Let’s carry on. By way of setting the scene: Cyber crime is on the rise, and cyber crime is clearly a great industry. I don’t think I’m telling anyone on the webinar anything they’re not aware of, in that respect. We see reports of breaches, and the impact those breaches have all across the press. A week doesn’t go by without another example occurring. Not only is it a technology issue, but it impacts the business severely. We’ll talk about a few examples as we go through the webinar where this has happened before.
What people may not be quite so aware of is that it’s common these days for hackers, organisations, to charge relatively low amounts of money, it was $500, to hack into specific, targeted accounts of high profile people, such as executives or board members. This happens in real life today. The high profile members of your organisation could well be targeted for whatever purpose. Sometimes, it’s cyber blackmail, sometimes it’s hacking into secrets of other organisations, but this stuff does go on.
Despite this, the third point here says that many boards ignore the threat that cyber crime poses. I think maybe that’s a little harsh. I think most boards are very aware of cyber crime. What I would argue is that some boards are not taking it on as a board level responsibility, and saying there’s board ownership of this issue. Often, it’s delegated down as an [inaudible 00:05:34] item. A responsibility for the IT director or the CIO. We believe that this is an issue that should be taken seriously at the board level, with ownership at the board level, such that it receives the highest level of attention.
I guess the question on the right-hand side: Can you afford to risk not strengthening your company’s defences? In many ways we see the answer being no to that. I was at a conference earlier this week in the Far East, and one of the government ministers there stood up and said, if your organisation is not spending a minimum of 8% of its ICT or IS budget on cyber security, you should be asking why. In fact, there are other guidelines that we see in different parts of the world that go as far as 10, 15, even 20%, and some organisations, especially in the financial services industry, are saying we can’t put a price on this, because the outcome of a breach is so devastating for our business that we need to devote the highest levels of resources to that.
There was one example, and this may be a little unfair, because it’s a few years ago, but I think in 2007, the senior VP at Sony was talking about cyber breaches, and there was a comment made about, “I don’t want to spend $10,000,000 to save $1,000,000 of potential risk.” In fact, the risks for cyber breaches tend to be much higher than that, as we’ve seen from the recent case involving some emails that got hacked and distributed around Sony, Sony Pictures. The resulting [inaudible 00:07:06] around that. You probably recall the case in point. If not, we’d be happy to provide more details afterwards.
Cyber crime is on the increase, and as you look at boards and board structure, how are they positioned and ready to address those sorts of issues, or positioned such that cyber crime is minimised as a potential threat to the board? On the left-hand side, you see the fact that the convergence of IT in its various forms changes the way we do business. In fact, a year or two ago, people were talking about what is our digital strategy? More and more these days, people are just saying, “Well, what is our strategy, knowing that we’re operating in a digital world?” It’s very rare, if at all, that the use of technology and digital advancements doesn’t affect the way that organisations do business.
There are lots of examples of the disruption caused by the digital world on traditional businesses, and also how traditional businesses can take advantage of that. You’ve only got to look at Uber, Airbnb, et cetera, et cetera to see that. That’s not the topic for this conversation, but it’s an interesting aside, and it changes the way businesses work. There was a study by [Deloitte 00:08:17] and Systemic that showed that 70% of IT decision makers lacked confidence in the company’s security policies to cater for the changes that we’re seeing in the way that we do business. You’ve got, immediately, tension between those two things.
Sometimes, the security team may not even be aware that board security falls within their remit. That’s partly because, often, the board is composed of a few members of the organisation, but many members who are outside the organisation. Whose responsibility is it to make sure that the board materials, the way they’re distributed, the way they’re protected, are handled in the right way? Making sure that that’s clear is important. The fourth point there is that directors can sometimes contribute to security risks by choosing to distribute, move the data around, and store their materials in an insecure way.
Sometimes, us as organisations don’t help that, because if we only distribute information to directors in a printed format or as an attachment on an email, then it’s easy for those sorts of breaches to occur. There’s been some very high profile cases recently, typically in the US actually of senior politicians or senior directors in government agencies whose emails have been hacked, because they forwarded important confidential material outside of the company’s own infrastructure, or outside the protected infrastructure, into the world of their own, personal emails. That causes an issue.
As we move on from there, there are three security misconceptions that I think are important to discuss, because they impact the way organisations do business. Typically, these are some of the reasons that people look to make their infrastructure for board meetings more secure. Those three misconceptions are: firstly, email is secure. Secondly, that if I put a password on a document such as a PDF file, that means it’s secure and safe. The third thing is if I keep the data in house, it’s bound to be more secure than if I trust someone else to manage that for me. Let’s address each of those three in turn.
Firstly, the concept that email is more secure than … Email is a secure form of transmission. I think once you look into this in a little bit more detail, it’s not so much the security of the data itself, but it’s just the lack of control you have over the information. Email is hugely convenient, obviously, in many aspects of our life. Once you forward an email, especially with an attachment on it, you’ve completely lost control of that content. That’s why more and more, not just for board meeting materials, but in general for important community organisation. Many organisations are saying now, don’t use attachments. Let’s find another way of communicating this information, because once I email an attachment, it’s gone forever, it can be forwarded elsewhere, et cetera, and I have no control within the organisation.
Secondly, I don’t know if you’re like me, but I have certainly, in my time, sent an email to the wrong person just because finger failure on the keyboard has meant I’ve typed the wrong thing in, and before I know what I’ve done, it’s been sent. If, like me, you’ve tried to get one of those messages back, you’ll appreciate it’s the devil’s own job to get the thing back. Often, you’ll fail to do so. There’s not necessarily any malevolent intent here, but once an email with an attachment has gone out, the control is completely gone. Add to that the fact that many directors’ accounts are external, outside the organisation’s boundaries, and typically they may well not be the most highly secure email environments, such as Gmail, Yahoo, et cetera, and you’re adding further risk into the picture.
Once, as I say, you have an attachment in place, that can be forwarded, sent on, and you have no control whatsoever, and no audit trail of where that has gone. That’s the first misconception, that email is secure. It’s not secure, and it’s certainly not controlled. The second misconception is around the fact that many people believe if I’ve got a PDF, then I can password protect that and it’s safe. I’ll send the password via some other method. Obviously, I don’t put it in the email that I’m sending the PDF in, but even in that case PDF files can be quite easily hacked. The underlying technology and the applications that access them are not built to the highest levels of security standards. In fact, many agencies, government agencies, do not allow PDF as a format to be used, because of inherent insecurities in that way.
In fact, if you do a Google search on PDF files, and being able to hack into password protected PDF files, you’ll find several million hits. In fact, this morning, just as a quick test before we came in to do this webinar, I did a quick Google search, quite a specific one, something like break PDF password protection. That string. I came up with half a million hits, and the first few pages were all services offering to hack into PDF files for me. It’s not a very hard thing to be able to take a file and break in and see the content of that if it’s only sent as a PDF. You should be aware of that, because today organisations are suffering as a result of those data breaches, as a result of insecure formats being used.
The third misconception is that I need to keep the data in house in order to make sure it’s protected. When, in fact, if you consider that up to 55% of attacks and breaches come about from insecurities by insiders working within an organisation, either malevolently or inadvertently, then you realise that anyone within that organisation who can access an application could potentially get a bad application and cause a breach. You’re opening up the possibilities for the data to be accessed by having a broader audience having sight of that application and the data itself.
The second thing is that in an IT organisation for a particular company, you’re probably running multiple applications. The more applications, the more APIs, the more access points you have into a system, the greater the potential for cyber attack. In fact, the two most common causes of cyber attack are insider breach, either malevolent or inadvertent, and alternatively access via web apps. If your IT organisation’s supporting other web apps, then there’s a potential for a breach through that route. In that case, you’re opening up the board meeting data for potential access at that point.
The other thing is if you have a specialist provider, such as a board portal, such as, for example, what Diligent provides, then that provider is looking after only one particular application, and provides security and defences particularly for that application itself, and will often implement specific hardware or software to ensure that the system isn’t breached. For example, just to give you an example on the Diligent side, we have specialist hardware in our data centres specifically for managing the encryption keys that we use to protect our clients’ data. Also, within the Diligent side, no one, other than the clients themselves and those people authorised by the clients, has any ability to access the information that’s being used. In many cases, hosting data with a specialist provider is going to be a more secure option.
The next thing to look at is how you can evaluate the board security itself. Having looked at three things that many organisations may be doing today, as we saw on the survey at the beginning of the session, I think some of these concerns may well apply to organisations who are represented in the webinar today. How do you actually look at the level of security that you’re providing for your board at the moment? There are three simple questions that we can make available, that uncover the level of security that’s implemented today within the boards.
Firstly, how is that board data stored? Where is that data stored? How strong are the locks around that data, and who controls the keys to open up that data for review? If you just examine those three points, it would uncover maybe some concerns, or it maybe give you reassurance about the way that you work with that data today.
Where is the board data stored? Knowing exactly where it is, how it’s secured, should give a greater degree of assurance when it comes to working with that information. Clearly, as we’ve mentioned before, if you distribute information via email, or even if you send it in paper form, you can’t be sure where that data is at any particular point in time. Paper packs go astray, PDFs can be forwarded, et cetera, et cetera. Knowing where that information resides and how it is encrypted is very important. If you use a file sharing service, and I noticed there were some respondents today who use file sharing systems, then often you don’t know where that data resides.
In some file sharing services, you can mandate that, I appreciate that, but often you don’t. That can have [inaudible 00:17:49] not just for the security, but also [inaudible 00:17:51] have implications. The reason for that is that some organisations wish to ensure their data resides within a certain jurisdiction to provide greater degrees of protection. The file sharing aspects can give concern because they’re not quite as secure as some people might wish them to be. In fact, there was a recent example in the press in the UK last week about a file sharing service where there had been a data breach. Actually, the first that many people heard about this was when they were advised to update their passwords as a security measure.
Where it’s stored is important, how it’s stored is important, and how strong are the locks. In other words, the encryption that you use when it comes to the data. Paper packs have no lock at all on them. If I get access to a pack, so long as I have the ability to read the language the pack is in, then I have access to the information. We’ve already mentioned how PDFs can be vulnerable to attacks, especially when they’re password protected. Ensuring that you encrypt data, and encrypt that at the highest levels of encryption that are available, such as 256 bit encryption, gives you the best protection against the information being read if it should be made available somehow to someone outside the organisation.
Ensuring that those locks are strong is incredibly important. The next point is it’s only good having [inaudible 00:19:21] if you know who controls the keys to that lock. As we mentioned before, a strong portal will never lose control of the documents. At any point in the process, you should have the ability to record, archive it and withdraw it from directors or executive access if you wish to do so. Many organisations have concerns about their ability to do that. How do I retire information? How can I ensure that there’s none of that information still out in cyber space anywhere, when I wish to archive and only have that available to current or future directors of the organisation.
In the best systems, administrators can also limit the access to specific documents or specific sections within board books. Again, only the people who need to see the information are actually allowed to see it. Controlling the access to the information, such as controlling by device, is all part of ensuring you have good, secure systems in place around the access to the content itself. Often, these days, that involves things such as two factor authentication. By that I mean I look at two factors around a user to ensure that that user is actually the right person who can access the data. Those two factors, typically, are two of these three items. Either something I know, such as a password. Something I own, such as the … That’s specifically assigned to me, and something about me that only I have around my person, such as my fingerprint, et cetera.
The best systems might have two factor authentication, taking two of those three items to ensure that only once they’re satisfied, you give access to the person who is requesting it.
The third thing is it’s also very important that an administrator can conduct a virtual purge, in other words, if I’m concerned that any data may be compromised, or have the possibility of compromise, I just wipe it from the device, such that the exposure is limited in that way. That’s something that you can’t easily do with attachments that are sent out or with paper documentation. Who controls the keys and how strong that protection is is very important.
We believe that organisations can set a secure example, and should do so at the board level. Cyber security should be a board level concern, and there are various different ways in which companies go about addressing that. We have a time limitation today, so I won’t go into details. But, if you’re interested in how organisations are structuring themselves, such that cyber security gets the right degree of ownership, and the right degree of inspection, then we would be happy to provide some more information.
If the board fails to do that, then it undermines the security of the whole organisation, and also potentially provides embarrassment, bad PR, losses and stock price drops. We’ve seen that happen in many cases previously. If it’s done in the right way, it increases the effectiveness of the organisation’s security, and also the effectiveness of the way the board does business. For example, recently, there have been many cases where people organise board meetings at short notice. They may be to do with aspects of crisis management around external factors, for example.
The most obvious, recent example for those people in the UK or familiar with some of the things going on in the UK at the moment is the Brexit vote, which was largely a surprise to many organisations, and companies wanted to quickly evaluate what that meant for them, the position they were in, and how they’d best respond. Having emergency board meetings where the information is available to people, in a secure way, wherever they are in the world, and they can vote information in the right manner is hugely important. That brings up another aspect of why having a secure board portal is a good thing around crisis management in particular, and we have other webinars in this series that address that. If you’re interested in that, we’d happily point you to those, or have a conversation around that as well.
Understanding the reason for making sure you have secure implementation in place, and you’re setting the example from the funds is important. The ways you can actually do that, and use technology to support that, are illustrated here. Secure the company’s data, make sure it’s encrypted in the right way, and only access to those who are allowed to have it. Make sure you know where the content is located. That has all sorts of not just security, but legal implications that organisations should be aware of. Have a safe mobile strategy. More and more organisations are wanting to use tablets, various formats, or more laptop mobile devices, et cetera, to communicate and take votes, et cetera, on the information that’s going on. Make sure your mobile strategy is safe, and you’re including that in the overall security assessment.
Make sure you know where your data is located, and ensure that you can control the version of any data that’s sent out, and only that version is available to the people at the right time. Updates are hugely important, making sure they’re sent out in a secure way, and that directors are notified is a significant part of that strategy.
Hopefully, we’ve given you a few ideas there during the webinar as to the importance of the issues, some ways in which people are working, and questions that might provoke thoughts around how we can work in a more secure fashion. Some questions you can use to assess the security of boards today, and some examples of how you can advance the use of technology to ensure more secure communication in future.
Diligent is an organisation that’s been providing this sort of service for 15 years. The reason that we believe we have something relevant to say on this topic is we have over 140,000 board members and executives who use our service, and over 4,700 clients worldwide. We’re very proud of the fact that 99% of those clients choose to with us year upon year.
I think we have a few minutes left for questions; my details are up on the screen at the moment. I’d welcome any feedback, and if you have any specific questions, or any items you’d like to discuss, then by all means, please email me, and I would love to engage in further conversation around this topic. At that point, I’ll hand back to Diligent Webinar in case there are any questions that have come through during the session that we can address before we close.
Diligent Webinar: Thanks, Nathan. Yes, as you said, we’re obviously running a little bit short on time, but there is one question that is quite interesting, so I’ll go ahead with this one:
As mobile devices become more popular, what extra measures are being taken to ensure that data is protected?
Nathan: Yeah, thanks. That is an important concern for many organisations as directors wish to access information through a variety of mobile technologies. There are things that you can do that we covered briefly on the call today, such as ensuring that you have proper two factor authentication, such as ensuring that only a director is assigned to a particular device, or that biometric measures such as a fingerprint are taken into account. The other thing that we do, for example, within Diligent is we also invest in technology to ensure that the app itself is … The technological term “obfuscation” is used. This means that sometimes hackers will try and get access into a corporate site through the mobile app that the directors are using.
As a director on my iPad, if a hacker tried to get at the Diligent app, they wouldn’t find any meaningful code in there, because it’s all scrambled. Ensure you’ve got a good mobile device strategy, knowing what data you allow to go where, to which director or executive. Knowing what the policy is around that information, how it’s encrypted. Ensure it’s encrypted not just at rest, but in transit, and also making sure your app is highly secure are some of the things that you should consider.
Diligent Webinar: Great, thank you, Nathan. We have now come to the end of today’s presentation. I hope that what we’ve discussed today has opened up a few ideas as to how important it is to protect your board’s data. If you would like any more information, obviously as Nathan said, his contact details were on the previous screen. If you would like a demonstration of a board portal, you can contact us at firstname.lastname@example.org. Alternatively, you are able to visit our website, www.diligent.com, and there you will find a whole host of resources such as white papers on board portal adoption, case studies from our existing customers, and of course there is a further option there to schedule a demonstration.
All that is left for me to say, on behalf of Nathan and I, is thank you very much for joining us today, and have a great day. Thank you, everyone.