Running a company requires fastidious oversight and quick communications, and digital tools like email, chat programs and board portal software have made that easier than ever. But at what cost?
“At most companies, board members are on the front lines of a pitched battle; directors are targeted for cyber attack precisely because they have access to the most sensitive information with the least amount of oversight,” according to a new report by the New York Stock Exchange’s Governance Services, in partnership with Diligent.
The report, titled “The Price of Convenience: Communications, Cyber Risk and Cybersecurity Practices Of Corporate Boards” (PDF here), examined how leaders of U.S. publicly traded companies felt about the relationship between convenience and risk, and whether greater access to board materials was worth a possible compromise to security.
The NYSE and Diligent polled 381 companies — 19 percent large cap, 40 percent mid cap and 41 percent small cap. Surprisingly few company leaders understood, or were acting proactively against, the kinds of risks associated with conducting board business via email. For instance, 62 percent of respondents said their organization’s board members didn’t have to undergo board cybersecurity training, and 92 percent of those polled said they used personal email for board-related purposes.
Here are four important board-management lessons that can be drawn from the NYSE/Diligent survey.
Principal findings unveil lax security
The study focused on identifying the online habits that put companies and their directors at risk, while also suggesting corrective courses of action to help mitigate those risks. The report’s key findings underlined the biggest problem areas when it comes to board security:
1. Company boards need stricter usage rules regarding email. While almost all directors polled chose face-to-face meetings as their preferred method of communication, the runner-up is indicative of a worrisome trend in a world where email hacks are now seemingly commonplace: 92 percent of respondents said they preferred using their personal email accounts, compared with 83 percent for secured corporate accounts.
“Directors should consider implementing a closed-loop, secured and controlled messaging system,” Dottie Schindlinger, a governance-technology evangelist at Diligent, said in the report.
2. Directors should avoid downloading and storing documents on personal devices. Sometimes, the airplane cabin is the only place a busy multi-board director can get any work done, but wireless connectivity is still not an across-the-board reality in today’s airline industry. These lapses in connectivity have encouraged a download-for-later behavior; 49 percent of respondents said that it is common practice at their firms to download board materials.
Unfortunately, it only takes an email password hack, a computer virus, or the loss or theft of a personal electronic device to endanger a company and its sensitive documents. “Having a simple way for directors to access board and committee materials — secure, digital, using any mobile device, offline or online — becomes critical to success,” the report read. Board-management software offers this kind of access, demands more complex authentication and often includes a way to wipe data from a lost device.
3. Companies need to better control how sensitive documents get distributed. Only 26 percent of those surveyed said they never downloaded board files to their personal devices — meaning that simply asking directors not to download sensitive materials to their personal devices is not a reliable security strategy. Additionally, only 8 percent said their company’s network security or IT teams have any role in authorising their boards’ means of communication.
As the NYSE/Diligent report pointed out, companies need to do a better job of consulting IT specialists and their own executives to develop data-protection procedures and policies. Using cloud-based storage systems and password-protected folders, and requiring in-app document saving, are options companies should consider to boost security.
4. Electronic discovery laws can put all of a director’s communications and files on display. Although the NYSE/Diligent report did not collect specific data points on the subject of e-discovery, the report noted that board members should consider the larger ramifications of their online habits if they or the company they serve ever run into hot water.
Some states have laws that say all documents, texts, emails and other electronically stored information about a business, or obtained while conducting business, technically belong to the employer — which also means these files are considered discoverable by the courts. “In other words, directors who use personal email accounts, devices and computers to conduct business may subject themselves to searches of their private files, phones and emails if litigation erupts,” the NYSE/Diligent report said. If the threat of a cybersecurity breach isn’t enough to convince directors to adopt a strict communications regimen, having the courts go through all of their personal files may be.
Education is key
Knowing that so few companies’ board members are fully cognisant of the potential risks their online habits pose, the report concluded that organisations need to do a better job of educating boards.
Some 40 percent of respondents said they didn’t know if their firm had ever undergone a security audit. Meanwhile, half reported not knowing whether security teams checked to ensure their compliance with their companies’ communications policies. In this digital day and age, “I didn’t know” is simply not a good enough excuse for failing to secure sensitive data.
It’s also clear from the report that companies and their boards have a long way to go in adopting some essential digital-security best practices. This slowness — and, in some cases, complete failure — to take the necessary security steps may not be caused by willful ignorance. Rather, a simple lack of understanding of the issues, and the stakes at play, could be to blame. Some 62 percent of respondents said they weren’t required to undergo any kind of cybersecurity training.
Educating board directors on potential threats and risks, establishing a security team, creating a security protocol and giving directors step-by-step instructions on how to adhere to that protocol, are imperative to the overall health of a board and the organisation it serves. In addition, boards should perform regular cyber-risk audits to identify possible weak spots and work proactively to patch them before they become problems.
The NYSE/Diligent study, which can be viewed here, recommended a few exercises a board can employ to aid in the process, and in ensuring compliance. It also suggested that directors who choose not to follow clearly laid-out rules should be considered for removal from the board’s membership.
Fostering a security-minded culture — one that requires and rewards compliance — starts at the top. “Better-informed and educated board members set the tone for the entire organisation,” the report noted.