Human behaviour: The weakest link in cybersecurity for boards

Board members must be able to communicate regularly and securely. As individuals, and as a group, a board needs to educate itself about its organisation’s communication risks, because an organisation’s weakest link in cybersecurity is its people.

The need to incorporate an understanding of cybersecurity into the cultural norms and practices of an organisation cannot be overstated. When an organisation’s employees are not adequately trained and regularly tested, the organisation is vulnerable to attack. Even the most sophisticated technical controls cannot protect an organisation from human error.

“Human beings make mistakes,” says Steven Bowman, Managing Director, Conscious Governance. “And they are big targets for hackers. Even though many people believe they can detect a poisonous email or a threat-laden attachment, such scams are becoming more sophisticated. Human error can leave information networks exposed through poor password protection, especially the networks of large enterprises or high-volume businesses. This can lead to illegal access of systems by people inside or outside the organisation.”

 

According to a recent Diligent survey [1] of board members across Australia, the majority of respondents (81%) use their personal email accounts to communicate with fellow directors and management “at least occasionally”. Half of respondents (49%) “regularly” use personal email accounts for board business, putting personal email on a par with corporate email (82%).

Once an email is sent, neither the sender nor the organisation controls what happens to it. Messages can easily be forwarded to the wrong person and attachments can be copied. Recipients click on links from unknown senders. Nor is there any control over the servers on which emails are stored or through which they pass.

 

The security risks of personal email accounts such as Gmail and Yahoo! Mail are well established. The organisation cannot enforce its password, multi-factor authentication or monitoring policies on them, and a phishing link or malicious attachment delivered through them can be used as a point of entry into a director’s computer, tablet or phone. If that point of entry is compromised, it endangers all material stored on the device, regardless of the channel through which that material was originally received.

Personal email lives outside the corporate firewall, where it cannot be managed or archived by the organisation in accordance with its record-retention policy. Personal email is not a “closed-loop” system: using it for board communications opens up the risk of a director accidentally sending sensitive information to unintended recipients.

 

75% of respondents download board materials onto personal devices such as PCs, laptops, tablets or smartphones. Close to half say they download that information “always” or “most of the time”. [1]

Many directors download board documents to personal devices, cloud storage drives and USB drives, and keep the files there long term. The practice may have been born of necessity: directors have hectic diaries and travel schedules, and need offline, readily accessible documents while in transit. Yet it increases the consequences of a personal device being lost: left in an airline seat pocket, stolen from a restaurant table, or left on the X-ray belt at a security checkpoint.


If these devices are not enrolled in mobile device management, there may be no way to remotely wipe a lost device, and unless the device is also encrypted and locked with a strong passcode, whoever finds it can read the board papers stored on it. Such a loss may be a reportable incident, triggering a requirement to notify any potentially affected parties.

According to Verizon’s 2017 Data Breach Investigations Report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Many people believe that password-protected solutions, such as PDFs, secure messaging apps or cloud storage, are safe options for storing and distributing sensitive corporate material, especially if board members are required to change their passwords regularly. Lorrie Cranor, then chief technologist at the Federal Trade Commission, examined this approach and concluded that mandated password changes lead users to choose weaker passwords, write them down and share them with administrators, all of which open the door to password theft. Forced rotation also offers little protection against an attacker who has already obtained a user’s password, because people tend to derive the next password from the previous one (bumping a number, appending a symbol, changing the case of a letter), and the attacker can often guess it in a handful of attempts. A password-protected PDF is only as strong as its password, and offers no protection once that password has been sent alongside it. NIST’s current guidance (SP 800-63B) accordingly advises against forcing periodic password changes unless there is evidence of compromise.
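Cranor’s point is that the old password is the attacker’s best hint to the new one. The following is an added example, not code from the page or from the survey’s authors, that makes this concrete: a small Python check which generates the guesses an attacker holding the old password would try first (bumped numbers, popular suffixes, case flips, leet substitutions, digits moved to the other end) and rejects a new password that is merely a tweak of the old one. The substitution and suffix lists, and the sample passwords, are constructed for the example; real attack wordlists are far longer.

```python
import re
import string
from typing import List

# Substitutions users make when "changing" a password, tried in both directions.
# Constructed for this example; real attack wordlists are far longer.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}
COMMON_SUFFIXES = ["1", "2", "!", "!!", "#", "123", "2017", "2018", "2019"]
EDGE_CHARS = string.digits + string.punctuation + " "


def password_core(pw: str) -> str:
    """Reduce a password to the word it is built on: drop digits and symbols
    at either end, undo leet substitutions, lowercase.  Summer2017! -> summer,
    P@ssw0rd1 -> password.  A leading symbol standing for a letter ($ummer)
    is lost: this is a heuristic, not a parser."""
    core = pw.strip(EDGE_CHARS)
    core = "".join(UNLEET.get(c, c) for c in core)
    return core.lower()


def attacker_guesses(old: str) -> List[str]:
    """The first guesses an attacker who already holds `old` would try for the
    user's *next* password, in the order a simple rule-based cracker tries them."""
    stripped_right = old.rstrip(EDGE_CHARS)
    tail = old[len(stripped_right):]                            # trailing digits/symbols
    core = stripped_right.lstrip(EDGE_CHARS)                    # the bare word
    head = stripped_right[: len(stripped_right) - len(core)]    # leading digits/symbols
    guesses: List[str] = []

    # 1. Increment every number in the password: Summer2017! -> Summer2018!
    for m in re.finditer(r"\d+", old):
        for delta in (1, 2, 3):
            bumped = str(int(m.group()) + delta).zfill(len(m.group()))
            guesses.append(old[: m.start()] + bumped + old[m.end():])

    # 2. Append a popular suffix to the old password or to its bare core
    for suffix in COMMON_SUFFIXES:
        guesses.append(old + suffix)
        guesses.append(core + suffix)

    # 3. Case changes
    guesses += [old.lower(), old.upper(), old.capitalize(), old.swapcase()]

    # 4. Leet-substitute the core, keeping or dropping the old decoration
    leet = "".join(LEET.get(c.lower(), c) for c in core)
    guesses += [leet, head + leet + tail, leet + tail]

    # 5. Move the decoration to the other end: Password1 -> 1Password
    if tail:
        guesses.append(tail + core)
    if head:
        guesses.append(core + head)

    # De-duplicate, keep order, and never "guess" the old password itself
    seen, ordered = set(), []
    for g in guesses:
        if g and g != old and g not in seen:
            seen.add(g)
            ordered.append(g)
    return ordered


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if `new` is something an attacker holding `old` would guess: the
    same password, the same core word with different decoration, or one of
    the mechanical transformations above (compared case-insensitively)."""
    if new == old:
        return True
    old_core = password_core(old)
    if old_core and old_core == password_core(new):
        return True
    return new.lower() in {g.lower() for g in attacker_guesses(old)}


if __name__ == "__main__":
    old = "Summer2017!"
    print("attacker's first guesses:", attacker_guesses(old)[:8])
    for candidate in ["Summer2018!", "Summ3r18", "summer2017!!", "Winter2018",
                      "correct horse battery staple"]:
        verdict = "REJECT" if is_trivial_rotation(old, candidate) else "ok"
        print(f"{old} -> {candidate}: {verdict}")
```

A check like this belongs in the password-change path of whatever system enforces the policy; it needs the old password in the clear, which is only available at the moment the user types it to authenticate the change. Note what it does not do: “Winter2018” passes, because it is a different word, even though it is just as weak as “Summer2017!”. That is the wider lesson of the passage: rotation rules push users toward predictable variations, and a dictionary or breach-list check does more than any rotation schedule.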

 

Print is far from finished, with almost half of respondents (47%) needing paper copies of board information more often than not, even when it has already been provided electronically. Fewer than one in five (17%) never need printed information. [1]

Printed board packs are not a practical, or popular, alternative, and they do not remove the data security risk. Rather than being promptly shredded, printed board papers often accumulate or are disposed of improperly. There is no digital key: anyone holding a copy of the printed pack can read it, so it is susceptible to both loss and theft, and papers can be misplaced or stored insecurely.

In 2018 Australia experienced a high-profile data security breach when the Australian Government inadvertently sold, for $20, a locked filing cabinet containing confidential Cabinet documents spanning five governments. The documents found their way to the national broadcaster, the ABC, which published a selection of them. Some were sufficiently contentious that a former prime minister took legal action against the ABC. Both major political parties agreed that the breach was serious, embarrassing and easily preventable.

Organisations can reduce risk by giving their directors practical tools and support that make it easy to adopt strong digital security habits. Boards and executive teams need to work together to ensure that enough time and resources are devoted to selecting, implementing and monitoring a company cybersecurity policy. Board members must adhere to the same IT security protocols that apply to regular employees, including regular cybersecurity training, testing and audits. This needs to be supported with infrastructure that gives the board secure and convenient ways to communicate.

Reference
[1] The Silent CyberRisk in the Boardroom 2017. Governance Institute of Australia, Conscious Governance and Diligent Corporation.

 
