The 4 Myths of Board Material Data Security

Danielle: Please, feel free to share the replay with your colleagues or board members. Also, please, feel free to ask questions at any time. You can do this in the question pane at the right side of your screen. Now, before I hand things over to Richard for us to get started, we’re going to just run a quick poll here for you all. Do you trust the security of your current solution? I’m just going to give you all a few seconds to answer. So, it actually looks like half of you have actually never even thought about it, only a few people said yes, and a little half of your said no. Very interesting. Okay. Now we’re going to hand it over to Richard for us to get started.

Richard: Thanks, Danielle. Hi, everyone. Thanks for taking the time today to go through the four security myths. The first one I just want to talk to you about was reidentify, and this was really through conversations with many of our clients who approached us or we approached in terms of improving coverage. The first we reidentified was my email accounts are a quick and easy and a secure way to share materials.

Now, from our perspective, it’s not as secure as people think, purely because as an organization, as soon as you send that email with any of your sensitive data in there, you lose control of it. It’s out there, you cannot pull it back. The control goes to your users, so your board members. They’re going to be opening that wherever they’re going to receive it, at home, while they’re travelling, at a hotel. There’s no encryption, it’s easily intercepted and opened, and it’s just not something you’re going to be able to keep in control of throughout that process of delivery.

So, one thing that we see – board members are a little guilty of this, or even executives – they get that email, they’re replying back, it goes to everyone, and then suddenly people who shouldn’t have access to that data do, whether it’s all the information that you’re sending or a particular document.

The second myth that we wanted to talk to you about was partial protected PDFs adequately secure my sensitive materials. I thought this was interesting. I just did this search a couple days ago, and you can see that you’ve got a significant number of results there, of three ways to unlock a password protected PDF. We often find many people in department, president’s office, corporate secretary departments feel that that is sufficient way to protect the sensitive data that they’re sending out, but, as you can see here, Adobe’s a common software program, it’s got know vulnerabilities. The mentality that we find companies have is they think it’s adequate because we’re not Google, we’re not Target, we’re not Sony, we don’t have anything that hackers would want, and it’s really kind of a mantra that we come across is we’re secure because we’re obscure. In fact, we found that the opposite is often the case.

On thing that I’ve just dug up that I think will be of interest to all of you is this is a media statement released I think earlier this year by a company in Alaska. What happened was the CEO email was spoofed by a cyber criminal, which, long story short, ended in the comptroller of the company wiring over 3.8 million dollars to an account operated by this cyber criminal, and it was just by impersonating the CEO of the company. That could have been the CEO asking you to resend the board materials, and that would really be a lot easier for them to obtain, because you wouldn’t think twice about that.

A report by PWC last year concluded that cyber criminals are increasingly targeting mid-market companies, because they’re seen as easier access. And they conduct this survey with TIO Magazine showed the number of attacks reported by mid-size, so we’re saying 100 million and 1 billion, has jumped 64% since last year. Really, the reasoning for this that we’re seeing as well is a mid-market company can actually be an ideal backdoor entrance to a larger company, particularly if down the road you’re acquired. Your networks are going to be synced up with their networks, and these cyber criminals are increasingly more patient.

Myth number three. I provide an electronic copy; this means it’s always an electronic copy. Now, whether you email, you got an in-house solution, you use some kind of share point solution, the board members are receiving or downloading the files as PDFs. You’re providing them as PDFs because they’re read-only, they cannot change the content, as if it was a Word or Excel spreadsheet. Now, if you every tried to read a PDF on an iPad, in particular, or on any other tablet, it just doesn’t fit that well, you know, it doesn’t render itself well on the screen. For example, it doesn’t actually fill the entire screen. And if you can think of your more mature board members, they need it to look like paper. So part of the reason that you may well be distributing it to them electronically and you find they’re still printing, or their assistant is still printing it, is because it doesn’t have the same reading experience that they used to. If you take that PDF, you have trouble reading it, and then you think, well, they’re getting possibly a 300-page board book like that, you know, it makes sense.

You know, these systems can be pretty cumbersome and clunky, and that’s kind of a reason for it. Often, with many of them, there’s no way for them to make notes electronically either. That’s a reason we see board members often resisting, as well, and sticking with paper, they want to be able to make notes. So, if they’re resorting back to paper, that’s the very delivery system you obviously tried to replace in the first place. So there’s definitely a lot of challenges to that, and a secrete to kind of making the transition, we found, is you need a system that your least tech-savvy board member is going to be comfortable using. The secret there is replicating that paper feel. If they’re assistant is printing it as well, it’s not going to happen tabs like they probably used to get with you, with the hard copies that you provider. At the end of the day, they’re actually worst off. It’s not as easy to navigate and it’s often not unreasonable to think that page 12 of the financials could be left on the printer in their office or at the hotel.

Okay, last myth. Data needs to always be store in-house to be secure. So what we were thinking about this myth was … and really we found that this kind of view point has been changing significantly over the probably last three years or so. But there are a couple of reasons we find that it really still exists. I’ll reference another survey here that was sponsored by IBM. It included 314 companies in ten regions that admitted to suffering a data breach, and they calculated that the average cost of a data breach last year was over 3.5 million. That’s 3.5 million per single data breach, with records lost between 2400 and 100,000. And that’s up 16% from 2013. Not to mention the financial, you’re got the damage to corporate reputation, sensitive information about corporate strategy could be stolen. But really we find that almost all the companies and organizations we talked to really don’t have the budget or the personnel to constantly monitor the security of their most sensitive data.

So, when you’re considering whether to keep it in-house or to outsource it to a third-party provider, what you absolutely need disaster recover of the data. There should be ethical hacking that takes place, regular penetration testing, network scanning. You need to feel like the physical security around your most sensitive data is like Fort Knox. If you don’t think that’s something that your company can do, for those reason or any others, that’s when it’s time to evaluate third-party providers. And they’re certainly not all created equal, so a thorough risk assessment of those provider is something that you should absolutely be doing.

What I’ve got up on the screen, that you’re looking at now, is actually an infographic, just board infrastructure and how we protect our clients’ data. If we just go through this quickly, the documents are starting with the administrators, so that’s someone in the president’s office, corporate secretary office, usually. Those files have come from different department. It’s your job to assemble them. Now, we can upload an entire folder of files. As soon as you do that, they’re encrypted at the server level. They’re encrypted at the data center as well. The servers at our data centers literally have impenetrable physical security. You can see a few things that we have in place here. And then when you board members are trying to access the material, they’re downloading it or taking it from the server down into their application, whether they’re on an iPad or using any other device.

In order for that document to be encrypted, so they can actually view it, there’s a few things that must be in place. The permissions set by the administrator, the need to be a person that’s been provided with access, their username and password also needs to be correct. But you can also set it so that particular device is the only one that they can use to access your sensitive data, meaning, if someone gets ahold of their username and password and tries to log in on another device, they won’t be able to. We can make that available after the webinar as well.

One thing that particularly our financial clients, any publicly-listed companies that we work with, we’re seeing this increasingly with middle market private companies as well – and this is really coming from the board – they want to know no one’s able to track what they’re doing, there’s no audit trail. And particularly more and more people are becoming aware of the fact that PDFs do this. If you open any Adobe PDFs on any device, it caches a local copy. So, if you end up, heaven forbid, in some kind of Forensic Discovery litigation, that’s something that could be opened, and it can identify when a board member opened it and when they closed it as well. That’s something that could land them in hot water. So it’s a big reason we have companies approach. They want a system that does not track their board member’s activity.

Okay, so we’re just going to do one more quick poll for you, and then I’ll be walk you through a quick demo of Diligent Boardroom. I’m just going to address, really, some of the myth that we’ve just gone through.

Danielle: Okay, so to end, before we start on this demo and the Q&A, we’re actually curious to know which myth do you think your organization believes in the most. Okay. So it looks like half of you believe that password protected PDFs actually adequately secure material. Yeah, it’s a pretty good mixture in what you guys believed in the most. Mine is the electronic copies always remain electronic. Richard, the floor’s all yours again.

Richard: Okay. I am logged in as an administrator user within Diligent Board. This is the home screen. It’s customized on the left-hand side, logo, things like that. We’ve got a dummy book here. We really find that it’s an acknowledgement internally at companies that their corporate governance practices could be improved. It’s really often a key reason why they approach Diligent. On thing I addressed at the beginning was restricting access to users, controlling document management, version control, ensuring that only the people that should have access to that data should, and the problems around that with PDFs and password protected PDFs. Management shouldn’t see the minutes or there’s a conflict of interest [inaudible 00:13:10] a PDF copy and you end up creating another version of the book if it’s a paper copy.

So I’ll just go into this book. It’s already being created and published. I’m going to edit it. Okay. I just mentioned minutes. What we’re seeing here is the edit book window. These are the tabs and sub-tabs that create the pull out agenda for board members. The white box is the empty placeholders that the document will be uploaded into. As you can see, we have a document in each of them. If we go to the minutes and click on the button that says more, this brings up a button called hide, and this is where you’re able to restrict access to certain people. So if we hide the minutes from Jim 10, over here it gives you a clear indicator that it’s hidden, and then you can see from who it’s hidden over here as we. So it save you having to create another version of the same book. It’s only every one version.

If we upload a document here … So I’ve got I’ll just pull up. This is a folder on my shared network. I’m the administrator here. I’ve got some files. You can see Word, Excel, PowerPoint, PDFs. So let’s say that the … I got financials here somewhere. That’s always the document that changes most often at the last minute. I’m sure most of you will agree. So let’s say I got my updated financial here. If I just drag and drop this over the top of the existing one, it will replace it. Now it’s uploading during this process of conversion. It’s converting the original document – so Word, Excel, PowerPoint, or PDF – into a Diligent PDF. So this is a Diligent propriety fact file. All the formatting’s the same. It looks just like the original does in print preview, so you never need to worry about that. But during that conversion process, that document had just been encrypted at the highest level, which is AES 256bit encryption. So there’s no scanning to PDF you need to do. You upload the originals, they’re converted, and they’re encrypted. We got our own built-in propriety document viewer, which is why you don’t need Adobe to view that document.

Now, if we go back to the home screen, at the meeting, what our clients will do is archive the meeting book. So it’s really like shredding hardcopies. If I show you how to do that in the system, we’re going to edit the book properties. We find most clients choose to do this after the minutes are approved at the following meeting, that way everyone’s going to have their notes from the previous one, because as soon as you archive that book the notes are shredded so they’re not discoverable back to the point of ensuring there’s no audit trail that exist of your board members activity. If we go to book options here, you’ll see we’ve got current … We’ve changed from hidden to current to publish this book originally. Archived. I click okay. That’s going to wipe the book, everyone’s downloaded book from their device. That’s me pulling the data back from the device and maintaining the control within the organization.

That’s what I wanted to cover regarding specifically the four myths we just tackled. If you take away from what we just covered, learn where you blind spots are, what is your most sensitive data, know we it resides, we is it going, how’s it getting there. You need to know who can see it and you need to know who’s got control of it. And when it comes to your board material, really the advice you will give is blunt, but stop emailing. If your sensitive board data is not encrypted, it’s not as secure as it could be, and that means it’s vulnerable. And you have to be paranoid. Don’t bury your head in the sand. Have a cyber security strategy that protects your most sensitive data and encompasses your board of directors and senior leadership team.

Certainly we’re finding this with all the companies that approach us, that, compared to maybe four or five years ago, it’s no longer seen as discretionary spending. Spending and investing on cyber security is now really cost of doing business. Customers and I’m sure your business partners are looking for evidence that their data is protected, and you ought to know that yours is as well.

A lot of companies that talk to us and trying make your business case internally to the senior leadership team often are asking me for a ROY, how do we calculate that. What I would say is look at the cost that you’re spending on printing, shipping, carrier particularly if it’s overnighted, you have any board members that are not located in the country. But there’s also the unquantifiable cost. And I also point out there’s the cost of not defending yourself. But the good news is this technology is affordable, particularly with those whose board are concerned. And we’re asked this question on the previous demo. It’s an annual subscription. It’s driven by the number of user licenses that you have. There’s a few factors that go into it, but it’s about a thousand dollars per user annually. So if you got a board of eight, two executive, and an administrator, you’re look at probably around 11 to 12,000 annually.

And that’s what we wanted to cover today during our second webinar in our summer series.

Danielle: Great. Thank you, Richard. If you have any questions, now is the time to ask us, using the question pane on the right side of your screen. And we’ve already had a few questions come in from our audience. Richard, we actually had a few questions about the director’s view and how board members can add comments or highlight info. Would you be able to show us that quickly?

Richard: I can. So, what I’ve just put on the screen here is the board member space on a computer. I’m using the Diligent Board’s Windows app. This is my home screen. You can see I’ve got access to the board book and the audit committee book. I can see that there’s a vote in progress. You can see I’ve got some sticky notes here. This shows me a list of all my annotations in the book and where they are. I actually did these ones earlier. Here’s my list, on the left-hand side, of all the annotations in the book, and you can see some examples here on the right-hand side. So I hand wrote this on the screen. It looks just like that on an iPad as well. Highlighting. And if we go where we got sticky notes. These can be shared, so you can end up with a conversation thread actually on the page.

Not really related to today, but certainly something that we have been finding a lot of requests for, is really in vogue at the moment, is you’re trying to foster more collaboration on the board. So you can end up with a conversation thread actually on the page around that content.

One thing, just to really come full circle here, is the ability … rather on the left-hand side here, this navigation pad, this is what I was referring to. And what we could see was built. When we edited the permissions in the book, the tabs on the side of the book, a lot of people call this the fold out agenda, and you can see it stays on the side as you navigate. That’s particularly popular with board members. They always like the have that available, again, just as a hard copy.

Danielle: Great. Someone else also asked that they want to keep at least one master copy of the materials from each board member. Is that possible?

Richard: Yes. The master copy is actually what I was referring to as the archive book. When that book was wiped, it would go into this section, archive book up here. This is just a clean copy, sitting on the server, on your Diligent site. And really our clients use that as kind of the official archives. It’s unlimited storage, so you can have years and years of books there. We actually recommend for best practices that you keep a copy of that on your internal network. It’s very easy to export the book as a PDF with bookmarks, headers, footers, page numbers, and keep that as a master copy internally as well.

Danielle: An attendee asked, “A number of our board members are federal government employees? Have you experienced issues specifying a government-issued laptop as a device that must be use?”

Richard: No, that’s not uncommon certainly with our government clients. We see a mixture. Often … and this really applies more to the public and private companies we work with, but board members bought particularly iPad or they got one already, and it’s usually they’re allowed to use their personal device. But for any clients that issue devices, it’s really not something that we see a problem with board members adopting. I would say, that’s really a best practice for our government clients.

Danielle: Great. Where are the Diligent data centers located?

Richard: That depends on where you’re located. So, for our US based customers, we will host their data at our primary data center in Sea Caucus, New Jersey and then back up their data at our disaster recovery facility in Toronto. For our Canadian clients, the primary data center for them is in Montreal. We also have servers in other parts of the world. Some of our European clients have their data hosted at our facility in Frankfurt. We have a couple others as well.

Danielle: I think the last question we have time for today is, “Richard, can you actually talk a little bit about the training for board members, and what will be their time commitment.”

Richard: Yeah. We just had a tiny look at the interface there. Certainly join us for the third webinar. We’ll go into more detail on the board member side. It’s extremely simple, but of course you’ve got a mix of ages, you’ve got a mix of comfort levels, as well, with technology. The training that we provide is individual for everyone, and it’s unlimited. We recommend against training, generally speaking, the board as a group. The primary reasons for that are they stood up into two groups pretty quickly. Someone asks how can I make notes on page 12 within 30 seconds of the training, and then five minutes later you’ve got a group that’s still trying to find that page, and they’re not saying anything, they’re too embarrassed to point that out or ask the questions they’ve got.

So, by training everyone individually, it really does two things. It’s going to help them learn at their own speed and ask all the questions that they got. For someone that’s not particularly tech savvy, maybe just got a new device like an iPad, we train them on the device first, then we train them on Diligent Boards. That could take 45 minutes. It could possibly be an hour, but usually 45 minutes. Someone who’s quite tech-savvy, it’s often 15 minutes. We’ve got user guides that we make available as well.

Danielle: Great. So thank you so much for joining us this afternoon. A replay will be sent on later today, along with a link to register for the webinar in our content series, “Working Hard or Hardly Working: Is it Time to Upgrade Your Board Portal?” And we are also giving a bonus complimentary white paper download in the followup email, “Cyber Security and the Evolving Roles of Boards.” If you have any questions or would like to see a full demonstration of Diligent Board, please let me or Richard know. His contact information is currently available on the screen. And thanks again, everyone, for joining me today. Have a great day.

  • A report by PWC last year concluded that cyber criminals are increasingly targeting
  • Richard Harrison

    Regional Sales Director, Sales

    mid-market companies, because they're seen as easier access.