Every day, a large number of sensitive documents are distributed: confidential strategy documents, M&A materials, discussions on litigation, executive compensation and more.
One leak, hack or accidental user error can affect stock and share prices, damage reputation and send revenues plummeting, not to mention the legal repercussions for organisations and directors alike.
The Need: safeguards that keep up with the times
Cyber-threats are intensifying in size, scope and sophistication – from the phishing scam that led Gmail users to a fake log-in screen to the WannaCry ransomware that infected hundreds of thousands of computers across the globe. People are paying attention, including regulators.
The State of New York, for instance, now requires that all financial services firms doing business in the state (and all companies doing business with them) have cybersecurity plans covering everything from audit trails to access to customer data, with board sign-off.
Boards are looking at cybersecurity threats with a new level of scrutiny and applying that scrutiny to their own operations. Are their agendas, minutes, reports and supporting documents safe against escalating online threats?
The Answer: Protection against cyber-attack for your most important documents
From a governance standpoint, a secure board portal relies on the right people (and only the right people) accessing the right information at the right times, with no exceptions. Permissions to access data must be fine-tuned to a user and document level. Safeguards must prevent unauthorised sharing.
If a device containing sensitive information does fall into the wrong hands, encryption offers another layer of protection. Here, data is encoded in such a way that only authorised parties can access it. For sensitive board information, encryption needs to follow industry best practices, which evolve as threats do.
Does the board portal operate on smartphones, laptops and tablets? Make sure there’s remote “wiping” capability built in, in case a device gets lost or compromised. If board security involves a cloud solution, don’t forget to look at the physical location where the data is housed. This, too, needs to be secure and run by vetted and cleared employees.
The word “vetting” is key here – particularly when an organisation is evaluating potential technology partners. Any vendor can claim secure board software or a secure board portal. But is it ISO-27001 certified? Is it subject to rigorous third-party testing?