A Breach in Your Inbox: The Dangers of Unsecure Board Communications

Communication is what keeps companies in business. The ability to share, discuss and make decisions based on information is essential to corporate effectiveness; getting better information faster than the competition is an edge that has been exploited for centuries.

The Rothschild banking dynasty was one of the first businesses to see the competitive potential of telegraph technology to rapidly send and receive information from agents stationed throughout Europe. Acutely aware of the value of the information in their messages, the Rothschilds used telegraphic code to protect them, ensuring that only authorised company personnel could decipher their content.

Communications tools have evolved rapidly since the 1850s, but the principle recognised by the Rothschilds remains just as true today: Corporate communications are highly valuable, and protecting them from interception is critical. When it comes to the board, the stakes are at their highest and the dangers of unsecure communications are severe.

Highly sensitive: The board workflows and processes that need strong security

Board directors deal with an organisation’s most sensitive issues. Topics that relate to the company’s strategy, plans, market and regulatory position could cause material damage to the organisation if they became public. Confidential board workflows and processes include:

  • Executive compensation and performance data
  • Strategic growth and M&A plans
  • Financial data
  • HR planning information
  • Budgets
  • Strategic planning
  • Ad hoc director communications on confidential issues

Depending on the topic involved, a communication breach could not only weaken the company’s commercial position, but also constitute a compliance failure under the raft of regulations that have evolved in response to the explosion of digital data, such as GDPR, CCPA and specific industry and market regulations.

And it is not just immediate board director communications that are high risk; the entire board ecosystem including administrators, company secretaries and executives is involved in preparing, sharing and authorising critical information during the board cycle. A breach could take place at any point in that ecosystem.

But, despite the heightened risk, boards and corporate secretariat teams typically use the same vulnerable communications channels and collaboration tools as the rest of the business. Email, general-purpose collaboration platforms and messaging systems are all common components of corporate communications networks, and they are all vulnerable to breach by cyber criminals. Email accounts – not only corporate email but also personal accounts belonging to non-executive directors – are regular targets for hackers looking to extract valuable corporate data for sale.

External cyberthreats are not the only risk. Board communications are also vulnerable to the unintentional errors or quick but unsecure data-sharing workarounds that employees, and even directors, are prone to use. A misdirected email or the wrong file attached can quickly result in a material data loss incident.

Striking the balance between security and productivity

This problem of securing board communications and the platforms used for collaboration is being increasingly recognised, especially with the greater reliance on digital collaboration and sharing necessitated by the onset of COVID-19.

During our recent Modern Governance Summit 2020, Diligent’s Regional Vice-President of Sales, Helmut Poellinger, summed up the challenges many organisations are now facing as they pivot to virtual board operations: “The speed of business has accelerated. The frequency of meetings is much higher today and the number of people involved has grown, but at the same time there are fewer people available to support that meeting. So, it boils down to having to streamline processes and limiting manual elements, but I still see a lot of communications happening by email and sensitive data being sent as attachments. There is awareness of the security issues, but it is apparent that for many people the urgency of the situation means they take a risk and use unsecure channels when the pressure is on.”

Here Poellinger identifies one of the major blockers to securing any process: if the selected security solution impedes productivity, it will be resisted by users. A solution must be intuitive and offer minimum friction for users, so using it becomes second nature for directors and administrators alike.

Securing board processes from end to end

Diligent client Tammy Wellcome, Corporate Governance Paralegal at American Water, explained why her organisation adopted a secure board director communication tool and collaboration platform and how this has been implemented during COVID-19, saying: “It was a twofold situation. One was the concern our general counsel had with sending [sensitive] information over personal email… [Two] directors are very busy and most of them are on more than one board… They may not check their email every day and you can’t possibly expect that. So, we wanted to find something better.”

By deploying Diligent Messenger, American Water solved two problems simultaneously. First, messages sent through the channel are fully encrypted in transit and at rest, making them ultra-secure. Secondly, by using a proprietary channel for board comms, American Water removes important communications from noisy email inboxes, so they are less likely to be overlooked by busy directors and administrative teams.

Another benefit of a secure board communications channel is that it protects directors and executives from the spear-phishing attacks often conducted via email. Messages received through the secure system can be trusted to have originated with a genuine colleague, not an imposter.

Pre-board meeting preparations are another area where security is essential. As teams prepare meeting materials and consult with colleagues, draft documents contain confidential data, meaning circulating them by email for comments is not advised. A secure collaboration and file-sharing platform solves this problem, meaning teams can work together on documents without exposing them to breach risk. These platforms have also become more critical as digital collaboration has taken the place of in-person meetings and at-desk discussions, due to remote working. Wellcome explained how her team’s meeting preparation had changed: “The nature of collaboration has unavoidably changed. We had a lot more touchpoints in the virtual collaboration platform than we did previously, to make sure that we were turning out a quality product for the board.”

The same level of protection should be applied to post-meeting activities such as drafting minutes and circulating them for approval. If this is done within a secure platform, the risk of them being compromised is considerably reduced.

Even within a secure platform there will be different levels of access permitted for different users. Controlling access to confidential files at a granular level and according to a security policy is an important aspect of security and internal compliance. The facility to set permissions at document level ensures that files can’t be copied, shared with unauthorised people or otherwise exposed. These steps prevent human errors from occurring when employees are unsure of how documents can be managed, and they block malicious exfiltration attempts.

Using unsecure board communications channels is not worth the serious risk it poses to the business. The active cyberthreat environment, coupled with the possibility of human error, means organisations should act to protect their most valuable corporate data. By adopting secure board communications channels and collaboration platforms that go far beyond the basics, organisations can make sure confidential information and company secrets stay that way.
