Locking up your files and throwing away the key might protect you from a burglar, but it’s unlikely to protect your board papers from a cyberattack.
Australia’s first major data security breach of 2018 is the kind of story you just can’t make up. A locked filing cabinet bought for $20 in a second-hand shop turned out to contain confidential cabinet documents from five different governments and both sides of the political aisle. Its contents found their way to the national broadcaster, the ABC, which published a selection of the documents. Some were sufficiently contentious that a former prime minister scrambled to pursue legal action against the ABC.
Amidst a slew of finger-pointing and cabinet-related puns, both major parties agreed that the breach was serious, embarrassing and easily preventable. The Prime Minister described it as “a shocking failure,” while Shadow Treasurer Chris Bowen said that it was “a blunder of massive proportions.”
The Cabinet Files debacle holds lessons for everybody who works with confidential information. We think the following are the top five implications for boardroom security:
1. Paper Isn’t Safer
Cybersecurity has rightly become a hot topic as more and more information is stored and sent online. The risks are real, and while they can be mitigated, they cannot be eliminated: sooner or later most organisations will have to deal with a cyber incident. But sticking with printed paper isn’t practical, and it doesn’t take away the risk of a breach – as the Cabinet Files incident clearly demonstrates.
Paper board packs can be left behind accidentally in taxis, at airports, in cafés or at other businesses. They can go astray during delivery or even be tampered with. Once they’re gone, they can’t be wiped remotely the way smartphones and tablets can. When paper copies of sensitive documents are required, deliver them by registered mail, courier or in person, in an envelope or bag with a tamper-evident security seal, and confirm that the addressee has received them intact.
2. Have Policies In Place
The Australian Government’s Information Security Management Guidelines describe in detail the different confidentiality classifications that can be applied to government records. Whether the same rigour is applied every time information is handled – when creating indexes, moving offices or archiving files offsite – is likely to come under the microscope in the months ahead.
Policy-making isn’t just for parliament. Strong internal policies and controls would certainly have helped keep the contents of the filing cabinet safe. Comprehensive policies for recording, storing and disposing of information are important at every organisation, especially if you’re subject to the new privacy breach legislation (the Notifiable Data Breaches scheme) that takes effect in February 2018.
3. Apply Common Sense
Few, if any, internal control mechanisms are truly foolproof. Risk professionals call it the Swiss cheese model: every layer of control has holes in it, and an accident happens when the holes in successive layers line up. The last line of protection against failure is the organisational culture. And when nobody calls maintenance to drill open a locked cabinet – or notices that it’s too heavy to be empty before it is discarded – that points to a culture of complacency.
When people are encouraged to collaborate, to think before acting and to question things that don’t seem quite right, everybody becomes a risk manager.
4. Throw Away Documents Securely
Putting sensitive documents in the bin or in the recycling basket isn’t enough, either in the office or at home. Getting rid of the entire filing cabinet is the other extreme, though. Whether you shred them, put them in the fireplace or use an outsourced document destruction service, the only secure way to get rid of private papers is to destroy them physically. If you shred, use a cross-cut shredder rather than a strip-cut one; if you outsource, ask for a certificate of destruction.
Board directors are notorious for having shelves of ancient board papers lying around at home. It’s important to clear them out regularly and to dispose of them securely.
5. Think Before You Write
Some information should always be kept confidential, but strong data protection is no guarantee against legal discovery, regulatory investigation or freedom of information requests. When preparing documents on sensitive topics, it’s useful to consider how they might be perceived through those lenses in the future.
‘If in doubt, leave it out’ is a useful rule of thumb when writing board meeting minutes, especially where they record lengthy debate rather than a specific decision or outcome. Reports also benefit from internal review while they are still in draft, for example by the risk, governance or legal committee, or by management.