Cyberthreat and Securing the Board

Scott Reiman: Only a couple of weeks ago Yahoo announced that they’d fallen victim to the biggest data breach in history. The account information, including names, email addresses, passwords, and phone numbers, of at least 500 million user accounts was stolen in 2014. This incident serves as yet another reminder that cyber crime is widespread. It’s not going anywhere and education is needed to ensure that company data and Board security is safeguarded.

Good morning everyone. My name is Scott Reiman, Director of Sales for Diligent. I’m also joined today by Harold Cubillos, Information Security and Privacy Architect here at Diligent. Today we want to talk to you about cyber threat: the three misconceptions that undermine the security of the Board and the steps companies can take to strengthen the security of the Board. Two of the issues we will tackle today are the growing rate and impact of cyber attacks, three common Boardroom practices that are undermining Board security, how to assess Board security, and how to leverage technology for better security practices. If you have any questions throughout the webinar, please feel free to ask them using the questions pane on the right of your screen. If time permits, we will try to answer them at the end of the presentation.

Speaker 2: One very quick word about Diligent as an organization. We’ve been providing Board portal technology for the last 15 or so years. We have offices worldwide, in 12 different locations. We have five data centers located all over the world, including the United States, Canada, and Germany. We are the world leader in the Board portal space. We have over 4,500 companies and over 140,000 Board members worldwide that are making the transition to digital communication and collaboration solutions. We have over a 50% market-share in the industry and a 99% retention rate, which is pretty remarkable in our space, but in business in general.

Before we start, I’d like to take a look at the agenda for this presentation. We will be covering how to assess your Board, the three misconceptions that undermine Board security, how to evaluate Board security, and how to set a secure example. Let’s get started.

At first, let’s have a quick glance at why cyber security is the number one topic in the Boardroom. A company that’s fallen victim to a successful cyber attack not only experiences financial losses, stolen data, and intellectual property, it can also damage trade and reputation for the company. Harold, do you have any comments on that?

Harold Cubillos: That’s right Scott. Unfortunately, there are many hacking tools available for free on the internet. Given that hackers will charge as little as $500 to hack the corporate email accounts of executives and Board members, I think it’s critical to ask, can you really afford to risk not strengthening your company’s defenses?

Scott Reiman: The first step in mitigating these threats is to assess your Board. As decision-makers for the organization, Boards need to understand the threats that their organization faces, but this can be difficult. Many directors may not realize just how digital the business has become. Directors may not appreciate how the convergence of IT enterprise technology and operations technology has shaped the business and led to an increase in opportunities for hackers to gain access. Hierarchical structures within the organization are also a consideration. The fact that the Board is positioned above the organization means that the employees responsible for the organization’s security may not feel confident enough to report back any misgivings that they may have about the firm’s security scheme. Research by Deloitte and Systemac suggest that in some regions, up to 70% of IT decision-makers lack confidence in their company’s security policies, and concludes that more than two-thirds of organizations lack the ability to protect themselves against an attack. Would you agree Harold?

Harold Cubillos: Yes. Some security teams actually are not aware that the Board security falls within their role. In addition, security portals don’t follow the company’s, organization’s own security policies and practices. Directors in personnel need to remain diligent in their approach to communication technology. The most secure working practices can still be undermined by the misconceptions associated with the technology and workflows in use.

Scott Reiman: To avoid directors working in a manner that can undermine your Board security, you need to consider the following misconceptions: email is secure, password protection equals security, and in-house data storage is more secure. Harold, are there any of these that pose more of a risk than others?

Harold Cubillos: Well, each one of these is a threat Scott. You definitely did present that by themselves a unique challenge for any organization to secure themselves against; however, combined together it makes it very hard for an organization to protect ourselves.

Scott Reiman: Why not start with misconception number one: email is secure? While email may be convenient, quick and easy as a means of communicating confidential information, email is simply not fit for that purpose. With email, you can’t restrict the forwarding of content. In addition, rescinding a sent message is difficult. As soon as an email is sent, you’ve effectively lost control of the information.

Harold Cubillos: I would also add from a security perspective Scott, that free email servers are also insecure and vulnerable to phishing attacks, password hacks, and other exploits. As mentioned earlier, the Yahoo breach was the biggest in our history. Our internal data tells us that at least one in four [inaudible 00:05:39] the director with an active Yahoo email address. You cannot stress enough that using outdated, insecure tools, to manage intellectual property, finance, and strategic information material, puts that data at greater risk from a breach.

Scott Reiman: Harold, which are some of the most common tactics or techniques hackers use to infiltrate the corporate email accounts of the execs and Board members?

Harold Cubillos: Well, one of the most common methods for attacking these [inaudible 00:06:01] is phishing scams through email. Email is widely used, it’s convenient for contacting and sending information. 9 out of 10 times these messages are sometimes sent in a hurry and we can’t really control who the destination is.

Scott Reiman: Okay, onto misconception number two: password protection equals security. While it’s not unreasonable to assume that adding a password to a PDF renders it inaccessible to unauthorized users, the rudimentary source across any popular search engine yields millions of results to show anyone how to bypass PDF security.

Harold Cubillos: Right. If you actually run a search on Google, you’ll find thousands of results documenting how frighteningly simple it is to breach [inaudible 00:06:42] apparently secure medium. The truth is that PDF technology is not secure and you should not just rely on that.

Scott Reiman: Harold, what are the security differences between paper, PDF, and low cost Board portals?

Harold Cubillos: Well, Scott the challenge with paper is it’s very convenient to share information; however, we have to also consider how we’re going to protect that data once it’s printed and this hard copy’s laying around. PDFs are great for sharing that information but they present their own unique challenges about trying to secure PDF. We now have to manage passwords and share those passwords. After sending a lot of that information, we really don’t know where that file PDF is resting. The challenge with low cost portals Scott is that they appeal because of their pricing or flexibility, but 9 out of 10 times they don’t meet an organization’s security control policies. They don’t provide the auditing and login that’s required. In the majority of the times, there’s just no way to provide the same level of control that an organization actually needs.

Scott Reiman: Okay, onto the final misconception: indoor data storage is more secure. Perhaps the most important misconception to consider relates to data storage. Specifically, that data storage in-house is more secure than at storage with a third party. In truth, the opposite often applies. For example, in house solutions rely on the organization’s own administrators to access and manage data, but with 55% of cyber attacks being carried out by insiders, this access can prove catastrophic. Also, technically and operationally, the organization’s own custom security program and infrastructure may not be sufficient to protect data from today’s threats. Harold, could you explain to us how data is stored at Diligent?

Harold Cubillos: Diligent restricts data access to authorizing client users only. Our team has zero access to client data. Furthermore, we have fully audited security policies and procedures, providing backup and data and disaster recovery functions, as well as securing monitoring above and beyond the capabilities of most other organizations. Our architecture provides an isolated and compartmentalized section for each of our customers. We elaborate multiple keys in the protection of the data. Our data is encrypted in flight and also at rest. As I mentioned before, the key is that we don’t provide access to that information, the customer protects their information.

Scott Reiman: Let’s talk about how to evaluate your Board’s security. Harold, I’ll hand this one over to you.

Harold Cubillos: Leaders who want success [inaudible 00:09:18] practices can do so by asking three simple questions: how is the Board data stored, how strong are the locks protecting that data, and who controls the keys? Any security evaluation should begin with a [inaudible 00:09:34] who controls that data? Not knowing where information is and having an inability to control where it goes means that the solution is highly insecure. This is why emailing Board documents as PDF files is not a secure solution. Files can be accidentally forwarded by directors to others outside the Board, or have personal email accounts with minimal consumer level security systems that the vendors themselves admit should not be regarded as secure. The same is true for cloud-based solutions where your files could be on any server in the file sharing network, where you have no way of knowing exactly where they are. The success of cloud solutions is based upon the assumption that they are secure.

Whereas, in fact, high profile cases of hacking, such as revelations of password [inaudible 00:10:12], celebrity photos from cloud service providers, illustrates to how flawed [inaudible 00:10:16] security is. Can I just mention one last thing? The difference between a cloud-based solution and a hosted portal solution, because I think it’s very important that we distinguish the two. I would also [inaudible 00:10:27] and also what we refer to as cloud-based source. There are important differences. Hosting Board carefully control where their data is stored, you keep the information that we host those organizations segregated. I cannot emphasize enough that knowing where your data is, is one of the key assets in defining what security meets you and the protection of the organization’s data.

[inaudible 00:10:52] next simple question that we need to ask everybody when they’re assessing a whirlpool of security. How strong are the locks? Knowing the whereabouts of your data is actually crucial as I mentioned before. It’s true however, only authorized users can access, which can be accomplished by encrypted data, converting the data to meaningless zeros and ones, so only those with the correct digital key can decipher it. Paper Board backs have no digital key at all. Everyone who holds a copy can read the information. While it may be true that PDFs that are emailed or stored on file-sharing systems can be encrypted and password protected, it puts the onus on the user or whoever is distributing and receiving the material to manage those password protocols. Even then, PDF documents are ranked vulnerable to brute force attacks and using readily available software.

Higher quality postage, Board portals typically use AES-256 encryption and since there are more possible combinations than stars in the universe, it’s safe to say that they would be almost [inaudible 00:11:56] for even the most determined hackers using the most advanced technology to crack the code.

Who controls the keys to your information? A strong portal provides a method to never lose control of those documents. Restricting access, knowing where that information is going, very important to securing your data.

Scott Reiman: Now that we’ve evaluated your security, let’s talk about some ways we can set an example of security for your organization.

Harold Cubillos: Absolutely. For security, particularly the security at the Boards, all the information data must be [inaudible 00:12:30] consideration. Having a secure, intuitive portal and knowing all the Board’s information, communication, and collaboration facilities, provides better security and a working practice switch. The Board’s failure to uphold high security standards can undermine the security scheme of the organization as a whole. Whereas, a Board that leads by example increases the effectiveness of the organization’s security and places it in a robust position in the face of increasing threats.

Scott Reiman: Thanks Harold. Let’s recap and quickly explain how you can leverage technology to minimize threats and secure the Board. By adapting Board portals such as Diligent, you can secure your company’s data, you can keep content within the group, you can get the mobility without the worry, you can choose your data hosting location, and you can control versions anywhere.

Let’s open this up to questions now. Do our attendees have any questions they’d like to ask? Sure, I see a question here about Diligent security across devices. With Diligent, do you have the ability to make it into a true closed loop system where you can go all the way down to the individual user in terms of who you allow to print and export, and who you wouldn’t. If you really did want to keep this portal as a true closed container, even that material that has been securely taken offline couldn’t be emailed, or open any other apps, or printed. You really would have no extraneous copies of this book and the publisher would remain in control at all times and be able to send that information out and pull it back as they please. That overriding theme of the ability to be a true closed loop system, especially across devices, is unique to Diligent in the Board portal world, and a lot of times why we’re chosen from a security perspective.

I’m happy to answer any other questions offline. I think we’re going to wrap up here. There are several ways to learn a little bit more about this topic and about Board portals in general. If you’d like to get a quick five minute demo of a Board portal to get an idea of what the solution looks like, please send me an email and I’m happy to set something up, or you can visit www.diligent.com to check out whitepapers, success stories, all sorts of companies, public, private, non-profit, small, big. I wanted to just finish by thanking you so much for attending and giving an extra special thanks to Harold for joining us today and sharing some of his expertise. Other than that, have a wonderful day everyone!

  • Scott Reiman

    Regional Sales Director
