Cyberthreats and Securing the Board

Board members and top company executives are responsible for ensuring the value of their brand, and today that value is closely tied to security, namely cybersecurity.

But fewer than a quarter of board members are “quite confident” in management’s ability to respond to a cyber security threat, according to a special report, “Managing Cyber Risk: Are Companies Safeguarding their Assets?”, by NYSE Governance Security magazine. And it’s not a conversation had in boardrooms often enough, experts say.

Not that the risks aren’t known: The cost of cybercrime to the global economy reached $455 billion per year in 2014, and is expected to grow, according to a McAfee study, “Net Losses: Estimating the Global Cost of Cybercrime.” The true cost of failed cybersecurity, however, goes beyond direct financial losses: out of 189 firms that suffered a cyberattack, 79% of executives reported a drop in external reputation, 78% reported a drop in production and 75% reported loss of employee confidence, according to a 2015 survey by Deloitte and Symantec, “Winning the Cyberwar: Enabling UK Business Now and in the Future.”

“Every organisation, commercial or other, holds information that is valuable to an outside entity, whether it be a competitor or criminal organisation. And where there’s value, there’s an incentive for hackers to put their hands on your information. You need to assume that you are under constant attack,” said Ayal Vogel, president of AMID Strategies, a physical and cyber security consultancy. “And yet, if cybersecurity is ever discussed at a board level, it’s usually about securing customer information, not internal communications and intellectual property.”

The disconnect

According to the NYSE special report, some 48 percent of board members “worry they don’t know enough to ask the right questions,

Publicity tends to follow the headline cases: credit card theft, exposed celebrity photos, or political leaks. More common are thefts of product-related data and other intellectual property, employee data and market data.

“Technology is changing at a faster and faster pace and companies are trying hard to keep up,” the NYSE report says. “Corporate directors may well feel as if bulletproof oversight of cyber risk is impossible.”

But according to NYSE, email creates security risks: there’s no control over the content of a sent email. Messages can be forwarded to the wrong person. Attachments can be duplicated. Users have no control over the servers where email is stored, or through which it passes.

Additionally, IT managers in charge of the company’s cybersecurity are often reluctant to share concerns about the company’s data security with the board. The Deloitte and Symantec report shows that in 70 percent of the firms surveyed, IT decision-makers did not feel comfortable with their firm’s data security plan.

But employees in charge of data security may not feel comfortable monitoring board members’ adherence to company guidelines — two-thirds told NYSE that their senior IT report to the board only “occasionally.” That’s why only a quarter of directors are “quite confident” in dealing with a cyber attack.

Securing board information

Board data should ideally be stored in a known location, segregated from the organisation’s other data. A hosted board portal may offer a better solution than commercial cloud storage. Sharing documents through a hosted board portal, accessible only to users whom the system administrator has authorised with specific roles and rights (e.g. read-only, edit, share), can limit the risk of losing control of emailed attachments. Using a board portal with a strict authorisation scheme means the administrator won’t lose control over documents, even if a user’s access password has been stolen; in such a case the system administrator can simply deny access for that user.

The administrator can also block access to the portal or specific documents on an ad hoc basis. Say an executive is travelling abroad and the administrator has reason to believe that the network connection to the portal, from that locale, might be compromised. Staff in charge of the board portal can halt access while the board member is in that risky area.

“The tried-and-true methods of sharing sensitive documents may place your data at risk,” Vogel of AMID Strategies explains. “Even small- and medium-sized organisations need to rethink the way they store data, and how that data is shared internally and with external users. The board needs to lead the way.”
