Board members must be able to communicate regularly and securely. As individuals, and as a group, a board needs to educate itself about its organization's communication risks. And the most potent risk of all is human behavior.
An organization's biggest cybersecurity risk is its people. The need to embed an understanding of cybersecurity into the cultural norms and practices of an organization cannot be overstated. When an organization's employees are not adequately trained and regularly tested, vulnerabilities arise. Even the most sophisticated security measures cannot protect against human error and frailty.
"Human beings make mistakes," said Steven Bowman, Managing Director, Conscious Governance. "And they are big targets for hackers. Even though many people believe they can detect a poisonous email or a threat-laden attachment, such scams are more sophisticated. Human error can pass information networks, especially the networks of large enterprises or high-volume businesses. This can lead to illegal access to systems by people inside or outside the organization."
Nearly 60% of directors report that they regularly use personal email to communicate with fellow directors. More than 90% use this method to communicate about board business at least some of the time. 1
Once an email has been sent or received, there is no control over its content. Messages can easily be forwarded to the wrong person. Attachments can be duplicated, and users may click on links from unknown senders. There is also no control over the servers on which the email is stored or through which it passes.
The security risks associated with unsecured personal email accounts such as Gmail and Yahoo! Mail are well established. Like any other unencrypted, or poorly encrypted, digital gateway, such an account may be used as an entry point into a person's computer, tablet, or other device. If this point of entry is compromised, it endangers all stored materials, regardless of the channel through which those materials were originally received.
Personal email lives outside the corporate firewall, where it cannot be managed or archived by the organization in accordance with the company's record retention policy. Personal email is not a "closed-loop" system. Using this channel for board communications opens up the risk of a director accidentally sending sensitive information to unintended recipients.
75% of respondents download board materials to personal devices such as PCs, laptops, tablets or smartphones. Close to half say they download that information "always" or "most of the time." 2
Many directors not only download board documents to personal devices, cloud storage drives and USB sticks, but also store files there long term. This practice may have been born of necessity, given directors' hectic diaries and the need for offline access to documents while in transit. Yet it increases the risk associated with a personal device being lost, left in an airline seat pocket, or even left on the X-ray belt at a security checkpoint.
If these devices are not enrolled in mobile device management, there may be no way to remotely wipe the contents of a lost device. Even where remote wipe is available, it only takes effect once the device reconnects to a network, so full-disk encryption with a strong passcode remains the primary safeguard for data at rest. The loss of the information could then be considered a "reportable incident".
A 2017 survey by the Cyber Security Agency of Singapore (CSA) showed that one in three respondents store their passwords on their computer, write them down, or use the same password for work and personal accounts.
Many people believe that password-protected solutions, such as PDFs, secure messaging apps, or cloud-based storage systems, are a safe option for storing and distributing sensitive corporate material. However, weak password management – sharing passwords, writing them down, and mandated changes that lead users to choose weaker passwords – leaves password-protected solutions open to cyber risk.
In a 2017 Ovum survey across Asia-Pacific 3, 64% of IT executives said they rely on employees to ensure password strength, while 16% of employees admitted to sharing passwords with their co-workers. In a 5,000-user organization, this equates to potentially 800 employees sharing passwords with co-workers, and 350 sharing them with partners, suppliers, or customers.
50% of respondents said "100% of our board receives printed paper materials at some point," and only 25% of those surveyed identified themselves as truly "paperless."
Printed board papers are not always practical – or popular. Papers can be misplaced or not stored securely. They are often not stored correctly, and are either not shredded or shredded improperly. Paper board packs are therefore susceptible to loss and even theft. Paper has no digital key: anyone holding a copy of a printed pack can read it.
Most companies now recognize that paper board packs are no longer the optimal choice. Locking up your files and throwing away the key may protect you from a burglar, but it does not secure your data – the possibility of a cyberattack remains.
Boards expose companies to cyberattack by exchanging messages via consumer messaging groups such as Facebook Messenger and WhatsApp.
Board members must exchange sensitive information. Corporate governance watchdogs refer to this as "unpublished price-sensitive information"; that is, information about the company and its securities that is not available to the general public. "Price-sensitive" refers to information that could cause the company's share price to rise or fall.
Too many companies worldwide allow board members to exchange such data via consumer messaging tools like Facebook Messenger or WhatsApp.
The dangers of directors using such means of communication were highlighted in India on 22 December 2017. The Securities and Exchange Board of India (SEBI) raided banks, brokerages and the offices of traders, seizing computers and mobile phones. Thirty offices were targeted, including that of the Mumbai-based Housing Development Finance Corporation Limited (HDFC).
After the raids, it became clear that HDFC Bank had leaked price-sensitive information via WhatsApp. The leaked information had not yet been published; it was known only to management and the board. SEBI found that "inadequate controls" were the cause of the leak.
Board members must adhere to the same IT security protocols that apply to regular employees, including undergoing regular cybersecurity training, testing and audits.
Organizations can reduce risk by giving their directors practical tools and support that make it easy to adopt strong digital security habits. Boards and executive teams need to ensure directors have enough time and resources, including ways of communicating that are both secure and convenient.
1 Diligent and CSIS (Chartered Secretaries Institute of Singapore).
2 The Silent Cyber Risk in the Boardroom 2017: Governance Institute of Australia, Conscious Governance and Diligent Corporation.
3 Close The Password Security Gap: Convenience For Asia-Pacific Employees And Control For IT, Ovum, 2017.