June 28, 2016

Culture of security at board level

Data security is, or should be, at the heart of everything a modern business does. It’s not just a matter of getting the right software in place, or having a good IT team. These days, corporate data security needs to start in the board room, writes Michael Charalambous, Marketing Director, EMEA, Diligent, a provider of secure corporate governance products.

Target’s CEO, Gregg Steinhafel, resigned in 2014 after what was, at the time, the biggest data breach in history. Avid Life Media lost its CEO in 2015 after its dating website, Ashley Madison, fell victim to data theft. In the UK, TalkTalk lost 100,000 customers as a result of its 2015 data breach, but managed to hang on to its CEO. Information security is a board-level issue. When security processes fail, it affects the reputation of the business and impacts its continued growth. In fact, cyber security has been designated a board-level responsibility by the UK government. Businesses need to engender a culture of security throughout the company and the board if data security is to be a true priority of the company.

Creating a culture of confidentiality

PwC’s recent survey of CEOs in America found that one of their biggest expectations for 2016 was that “over-regulation would continue to pose a threat to their business growth”. It’s not too surprising to discover that business leaders placed a high value on growth, and saw compliance and oversight as a burden on business. Yet if a business is to take information security seriously, the board needs to see the value of compliance, information security and regulation.

The entire company plays a part in keeping corporate data secure. Every piece of software designed and each database built should be created with security in mind. The board needs to lead the way in shaping a culture of confidentiality and strong information security by following security best practices in their own work.

Out of everyone in the company, it’s board members who spend the most time handling highly confidential documents. This information needs not only to be stored securely, but also to have secure access control. Businesses need to know who can access these documents, which often contain information that can affect the company’s reputation and – in the case of public companies – share price.

When the board starts taking its own information security seriously, it sends the message that security is highly valued and should be a high priority – both for fellow board members, and the company as a whole.

Board members are time-poor, and people usually choose the path of least resistance. It’s common for businesses to send confidential documents via unsecured email. It’s easy for people to download these files onto USB sticks and carry them around in their pockets. Many board members still have paper packs sent to them ahead of board meetings – and of course there is no way to adequately secure printed board packs.

Information viewed by the board is some of the most sensitive data in the company, and needs the most rigorous security. For example, solutions such as digital board portals let companies distribute information to executives securely, and set access rights to ensure only those who should be able to access the information can do so. Data should be encrypted when it’s stored and in transit. However, the process of using a portal also needs to be simple and efficient to encourage adoption, if board members are to embrace a more secure way of working.

Training and education

Security should be a major consideration for board members, but it’s just one of many important issues an executive has to deal with on any given day. Continued training, education and information provision are vital if a culture of security is to be maintained and not remain an abstract ideal. Anyone with access to corporate information represents a risk to the security of that information. By adding a security expert to the board, the business not only demonstrates that it takes security seriously, but also ensures that information security remains an active issue. Security processes and procedures need to be continually updated to meet new threats, and the board needs to understand these threats and what risk they pose to the company.

Information security remains a key issue for businesses to tackle. Those that get it wrong risk reputational and financial damage not only to the business, but also to customers. It’s only by giving information security a seat at the table that a culture of security becomes something that’s practised, rather than a goal.