Sending a confidential merger document to the wrong person in a Gmail contact list. Falling victim to a malware-ridden phishing email that opens up your organisation’s entire IT network to hacking and vulnerability.
We all know the risks involved with email communications on the go. Every Internet user has to navigate these risks, but they become more dire for those who transmit sensitive information, such as board members. In a survey by the Business Performance Innovation Network, nearly 6 out of 10 respondents said they’ve made the misstep of sending a confidential email to the wrong party, or know someone who has. Becoming the unwitting victim of a cyberattack is also a valid concern. According to a June 2016 study by the Ponemon Institute, the average data breach costs an organization $7 million, including damage to a firm’s reputation and the loss of intellectual property and business.
In the words of Charles Beard, a principal in PricewaterhouseCoopers’ forensics practice, “Senior officers are prime targets for cyberattacks such as spearphishing [fake e-mails with embedded malware] via LinkedIn or other social media. And board members are an especially target-rich environment — they have access to the company’s most valuable, most confidential, market-moving information.”
Secure electronic communication starts at the top
When it comes to risk across the enterprise, cybersecurity has been rising as a priority for corporate boards for a while. The National Association of Corporate Directors (NACD) wrote in a 2015 blog post that “Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes.”
Yet in a 2017 Diligent survey of more than 350 directors of publicly traded companies, 92 percent of respondents gave “personal email accounts” as a preferred method of communication. Nine out of 10 have used personal email accounts occasionally for board communications, and 59 percent use them regularly. Corporate email networks, preferred by 83 percent of respondents, aren’t exactly fail-safe, however, as high-profile hacks on companies like Sony have shown.
How can boards more securely exchange highly confidential information and mitigate the risk of data leaks, reputational loss, and personal liability? Making secure communications official policy – and enforcing it – is only half of the battle. The other half: implementing the right technology to take exchanges off email and sensitive data off of the hardware of corporate and personal devices.
What to look for in an email alternative: secure board portal technology and beyond
Any email alternative must “close the loop” so that files can only be sent to and received by authorised users (ideally, it would also offer “undo” capabilities for erroneous sends). This alternative must seamlessly integrate with board software across all devices, managing all communications within a “security envelope.”
Because passwords alone are too easily hacked, it must have multiple layers of access control for users, like two-factor authentication that includes the request for a fingerprint ID. For system administrators, a solution must be enterprise-friendly and configurable so you have total control over access to information and can maintain clear records.
Above all, an email alternative must be intuitive and easy to use, as familiar in function as the texting tools and messaging apps that have become a regular part of everyday life. This decreases the appeal of reverting to Gmail, Yahoo, Hotmail or AOL as workarounds.
(Learn more about how we developed Diligent Messenger to address these criteria and concerns.)
Encouraging use of secure messaging
Even the best technology solution is of little value if it’s not regularly used. Boards and their cybersecurity committees can encourage adoption of an email alternative through:
- Ample, ongoing education: Share knowledge with directors on a regular basis on the dangers of insecure communication methods. Here are some resources to get started.
- Buy-in from the beginning: Engaging directors before, during and after the rollout can get them more invested in its successful adoption. Involve colleagues in the selection process and solicit feedback throughout.
- Training, training, and more training: Take full advantage of training for end users. We make training for Diligent Messenger free and unlimited because we’ve found it ensures clients the fastest time to adoption and highest ROI.
- Clear direction—with no exceptions: Leadership should directly and unambiguously state that personal and corporate email are not permitted for board communications, and reinforce this message with their personal actions.
Directors have a fiduciary duty to keep sensitive material out of the wrong hands. They should also be able to “assert a ‘good corporate citizen’ framework of defense” should a cyber-breach occur, according to NACD’s Risk Oversight Advisory Council. Messaging technology that “closes the loop,” thoughtfully and strategically deployed, can assist with both goals.