May 24, 2017

Boards Still Lack Basic Security & Risk Practices

5 Key Problem Areas

Diligent, a leading expert in corporate compliance and board governance, has recently released a report examining boardroom communications and the dangers posed by a glaring gap in directors’ digital diligence and their understanding of cybersecurity. Without an understanding of just how dangerous their online communications practices can be, the risk will persist.

I’ve said it before, and I’ll say it again: All companies, no matter the size or the industry, will eventually be targeted by hackers, cybercriminals and other bad actors. At the same time, more and more instances of cyberattacks are being carried out against high-ranking executives, many of them C-level executives and directors. Not only do these individuals have access to a company’s most sensitive and confidential information, but often, they have the least amount of oversight and the worst cybersecurity habits.

For a corporation, falling victim to such attacks is damaging enough for obvious reasons (just ask Yahoo!), but for a high-ranking business leader, the fallout is particularly embarrassing, as it signals a clear lack of awareness about basic security precautions. Further, leadership is being held increasingly accountable for a wide swath of security missteps, a narrative that all too frequently plays out in news headlines and almost always ends in the loss of a job, an investigation or legal action.

With all of these consequences considered, one would hope that leadership is scrambling to close critical security gaps. But new research from Diligent and the New York Stock Exchange’s Governance Services paints a starker picture.

Surveying leaders at 381 large-, mid- and small-cap companies, the report “The Price of Convenience: Communications, Cyber Risk and Cybersecurity Practices of Corporate Boards” found that few companies are taking enough steps to reduce or mitigate basic risks when it comes to boardroom security and communication.

The five biggest problem areas identified in the report are:

Personal Email Usage

Free email service providers (ESPs) have been at the heart of many of this year’s biggest data breaches and hacking incidents, and yet this has done little to deter directors from using their personal email accounts to conduct board business. According to the report, 92 percent of respondents said they prefer using personal accounts over secure corporate accounts to communicate with fellow board members. Popular email services are never a secure way to communicate, and board members who use them are putting themselves and their companies at risk.

Security Audits

The report also showed a lack of checks and balances in the boardroom when it comes to proper adherence to security procedures. In this case, 40 percent of those surveyed were unaware of whether the board had ever conducted a security audit of its communications practices. Further, while half were unaware if their security teams monitored their adherence to corporate communications practices, nearly 25 percent reported that security teams were not involved in active monitoring.

Training & Development

Cybersecurity threats can change at a moment’s notice, and thus, it’s important for board members to receive regular training and ongoing education about evolving risks they and the business may face. While the survey showed that some companies are taking a proactive approach to training and development, a majority of those polled—62 percent—reported that their board is not required to undergo cybersecurity training at all.

Document Handling & Storage

Hectic travel schedules, unreliable Wi-Fi and the need to do work on the go continue to fuel bad behavior among directors. For example, 64 percent admitted to downloading board books or company documents onto personal devices to allow for easier access in transit. Further, 22 percent reported storing digital board meeting materials on personal devices and external drives. These two behaviors can introduce an incredible amount of risk into the business, particularly if those devices are lost, stolen or even hit with malware or a virus.

Risk of e-Discovery

Although the report did not collect specific data in this area, based on the above findings, board members are strongly advised to consider the larger ramifications of their online habits. In some states, those using personal email accounts and devices for work purposes may find that their private emails, texts and files are deemed discoverable during litigation. Further, directors may be held accountable for neglecting their fiduciary duty of care by putting confidential information at risk by using unsecured platforms, particularly if more secure means for conducting business were available.

It’s clear that companies and their boards still have a long way to go in adopting today’s digital security best practices. By educating board directors on potential threats and risks, creating and enforcing essential security protocols and adopting technology solutions that offer both convenience and protection for board-level communication, companies can begin to close those gaps. With cybersecurity showing no signs of leaving the board agenda, directors must walk the walk and talk the talk in order to fully protect their organizations and to ensure effective corporate governance.