For corporate secretaries and executives, the subject of secure file sharing is always top of mind. When protecting an organisation’s data and intellectual property, making sure it’s always secure isn’t just important — it’s imperative.
And yet, many companies find themselves tied to outdated processes or defaulting to the most convenient, though not the most effective, solutions. It doesn’t help that myths about cybersecurity abound. These can create false confidence and encourage decision-makers to rest on their laurels, when in fact the prudent course of action is to assess their existing strategy and look for every opportunity to strengthen it.
According to IBM Security’s 2016 Cyber Security Intelligence Index report, which is based on data from thousands of computer systems and corporate networks in more than 100 countries, security incidents increased by 64 percent from 2014 to 2015. The most common type of breach took the form of unauthorised access to data, followed by malicious code, a sustained probe, suspicious activity, and the abuse of access or credentials.
It’s clear that cybersecurity is a very real concern, and companies of all kinds are at risk. That necessitates taking a hard look at both the most damaging myths surrounding it, and what board executives can do to make sure their company’s board materials are secure.
Myth: Email Is a Safe Choice
Changing approaches to cybersecurity mean more senior leadership and boards have gotten involved in creating cybersecurity risk management strategies. As the National Law Review notes, “cybersecurity is no longer just an IT issue.” Adopting best practices and a new mindset to protect an organization, however, must extend to the way the board itself operates — especially when it comes to the distribution of board meeting books and materials.
By now, most companies recognise that paper board packs are no longer the optimal choice. With no digital key to speak of, anyone with a copy of the printed pack can read it, which leaves it susceptible to loss and even theft. When organizations switch to digital, they often rely on email for data sharing, for the simple reason that directors and management teams already employ this platform. The global management consulting firm Hay Group, which polled more than 100 organisations in Canada on their corporate governance practices and views, reports that 36 percent of companies still distribute board materials through secured email (surprisingly, 26 percent still send hard copies through the mail).
Unfortunately, it’s false to assume that a secure email server is safe for distributing board materials. Because administrative staff can’t control what happens to a message once it’s sent, there’s no guarantee that the contents will remain with the intended recipient. Emailing documents to board members opens up the possibility that they will be shared outside the board and accessed by third parties. If a director forwards a message to a personal account that features minimal, consumer-level security, any measures already taken to keep it safe — including educating directors about corporate cybersecurity policies — become ineffectual.
To maintain complete control over content, boards need to use a platform that puts that power in the board secretary’s hands — and keeps it there. With a board portal, administrators are able to deny access if a password is stolen, limit the ability to view documents and conduct a “virtual purge” that prevents users from seeing outdated materials no longer needed by the board. Board members receive materials in an encrypted format that can only be decrypted once the director receives permission. Only if they’re using an approved device and have the correct user name and password can they read the file contents.
The ability to manage permissions for individual board members also protects corporations from liabilities stemming from board member and executive-level departures. Information technology company Computer Sciences Corporation (CSC) describes the importance of identity and access management — the process of providing the appropriate personnel with access to the appropriate materials — on its blog.
One of the biggest risks for organisations and their boards, the company writes, is that “Access rights for employees made redundant are not revoked quickly enough, incompletely or even not at all.” For this reason, organisations must always confirm that they have authority over who can access information, and when.
Myth: Passwords Keep Hackers Away
Many believe that password-protected data storage solutions, such as PDFs, secure message apps or a cloud-based storage system, are a safe option for storing and distributing sensitive corporate material. If it requires a password to access, the thinking goes, then the data must be secure. But such options can put board data at risk of being accessed by unauthorized users. Even password-protected PDFs have weaknesses, as hackers can bypass all manner of security measures, including data encryption. A quick Google search for “password protected PDF hack” reveals thousands of articles and videos guiding users through the process of cracking password-protected files.
And it isn’t enough to require that employees change their passwords on a regular basis. Lorrie Cranor, chief technologist with the Federal Trade Commission, explored this approach in an article last year. She concluded that mandated password changes can lead users to choose weaker passwords and write their passwords down, thus opening the door to password theft. Furthermore, changing those passwords might not prove effective anyway. An attacker who has already deciphered a user’s password once is “often able to guess the user’s next password fairly easily,” Cranor said.
The key to keeping files and documents safe isn’t to rely entirely on passwords, but instead to ensure that data is stored and shared through a wholly secure system. Board portals prioritise this type of cybersecurity. Confidential board materials remain secure from the moment that they’re uploaded to Diligent’s data centers. With high security standards that include 256-bit encryption, a board portal solution helps keep the most valuable information out of a hacker’s hands.
Myth: In-House Data Storage Is Always Secure
In an effort to keep their data close, many companies turn to in-house storage solutions, thinking that by eliminating a third party from the equation they can gain and maintain control. But not all attacks are malicious efforts to interfere with an organization from the outside.
It’s easy to envision hackers as nefarious men in black who gleefully crack a company’s security measures from a dimly lit secret room. As IBM reports, however, 60 percent of all attacks in 2015 were the work of company insiders, comprising both employees and third parties with company ties.
In some cases, these attacks were malicious and intentional, but according to IBM, about 30 percent of them were carried out by “well-meaning employees” who granted data access to an attacker by mistake, or because they failed to abide by their organisation’s cybersecurity policies. Because many existing security programs and communication protocols aren’t equipped to effectively safeguard digital information, defaulting to these could lead to an unintentional security breach. In other words, directors could make their company vulnerable to hackers without even knowing it.
Not only does this present a danger to the organisation, but it puts board members who are busy focusing on their director duties in a difficult position. If they should fail to manage password protocols and keep the documents they receive fully secure, they could be held responsible for a potentially devastating situation. Give them a secure file-sharing solution through a platform they can trust, and they don’t have to worry about cyber threats.
In a digital-forward world that becomes more sophisticated and complex with every passing day, it’s likely that cybersecurity myths will continue to make the rounds. Organizations can defend themselves against such damaging falsehoods by embracing a secure board portal platform, and taking comfort in the knowledge that their board materials will be well guarded in perpetuity.