Board members play essential roles in organisations of all types: financial institutions, health care organisations, non-profits, and governmental bodies. The board of directors provides oversight and keeps the organisation focused on its mission and vision. To do that, boards must entrust their members with sensitive data, and a breach involving that data can result in costly litigation and devastate an organisation's reputation, says Paul Stark, UK general manager at tech firm OnBoard.
Risk of breaches
According to IBM Security's 2020 Cost of a Data Breach Report, the average data breach in the United States costs $8.64 million. The figure rises for organisations in highly regulated industries; health care incurs the highest average cost of any sector. Beyond the direct expense, boardroom breaches tarnish an organisation's reputation, and lost business (customer turnover, revenue lost to system downtime, and the effort of winning new business with a diminished reputation) accounts for about 40% of the average total cost of a data breach.
When COVID-19 hit, our "new normal" became remote work, Zoom meetings and distributed IT. These measures protected health and safety, but they also widened the attack surface for cyber and identity-based attacks. In April 2020, the FBI's Cyber Division reported that it was receiving roughly 400% more cybersecurity complaints per day than before the pandemic.
Recent research shows that senior IT and IT security leaders say they are more focused on security than in the past, yet OnBoard's latest survey of board directors, administrators and staff members found that only 57% regard cybersecurity as an important issue.
Sources of threats
Threats exist whether your board meets in person or virtually. But where do they originate? According to Verizon's 2020 Data Breach Investigations Report, external actors carried out 70% of all breaches. Breaches take many forms, including malicious attacks, human error, and compromised credentials.
Cybercriminals often target executives and professionals who sit on boards because of the volume of sensitive information they can access. In 2020, IBM X-Force uncovered a global phishing campaign aimed at more than 100 high-ranking executives. Insider threats are less frequent but real: a board member may leak confidential data on social media, trade on insider information for personal gain, or feed information to the media.
Best practices to prevent board cybersecurity attacks
Boardroom cyber attacks have always been a threat, but the recent increase in remote meetings and electronically shared information requires organisations to take deliberate steps to reduce the risk.
1. Securely manage all board materials digitally
Many boards still rely heavily on printed board books, disclosures, and other important materials. But printed materials can easily get into the wrong hands, especially now as more boards meet virtually or send documents in the mail.
Some institutions share materials through general-purpose cloud services such as Google Drive and Dropbox. Used with their default sharing settings, these tools give the board little control over who can open, forward or retain a file, and they do little to stop a cybercriminal who obtains a link or a member's credentials from reaching sensitive data, including personally identifiable information (PII).
A purpose-built, secure digital solution reduces this risk and gives board members access to the relevant documents from a single portal. Security measures for a board portal include encryption of data in transit and at rest, two-factor authentication, and biometric unlock on the member's device, such as voice, fingerprint, facial, or iris recognition.
In addition, recording which documents each board member accesses and shares gives the board an audit trail that deters insider misuse, makes it detectable, and allows it to be contained more quickly if it does happen.
2. Set appropriate permissions
Board members need access to the right information to fulfil their roles, but not every member needs the same level of access. In many industries, for example, board members complete an annual questionnaire disclosing personal conflicts of interest, and a disclosed conflict should restrict that member's access to material on the affected topics. Assign each member a role that grants access to what they need to succeed, no more and no less.
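The access model described under points 1 and 2 (roles that grant least privilege, recusals drawn from the conflict-of-interest questionnaire, and an audit trail that is reviewed rather than merely kept) can be expressed in a few dozen lines. The following is an added example, not code from OnBoard or from the original article: it defines a deny-by-default permission check for a hypothetical board portal and then replays a constructed audit log against it, flagging any access the policy would not have permitted and any share sent outside the organisation. All member names, roles, document IDs, domains and log lines are invented for illustration.

```python
"""Added example, not OnBoard's code: a deny-by-default access model for a
hypothetical board portal plus a policy replay over a constructed audit log."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Actions each role may perform. Directors are read-only by default; only the
# chair and the administrator may share, and only the administrator may upload.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "administrator": {"read", "upload", "share"},
    "chair": {"read", "share"},
    "director": {"read"},
}

# Email domains that count as "inside" the organisation (assumed for the example).
INTERNAL_DOMAINS = {"board.example.org"}


@dataclass
class Member:
    name: str
    role: str
    committees: Set[str] = field(default_factory=set)
    # Topics the member is recused from, per the annual conflict-of-interest questionnaire.
    recused_topics: Set[str] = field(default_factory=set)


@dataclass
class Document:
    doc_id: str
    topic: str
    committee: Optional[str] = None  # None means the whole board may see it


def is_authorized(member: Member, doc: Document, action: str) -> Tuple[bool, str]:
    """Deny by default: return (allowed, reason) for one member/document/action."""
    if action not in ROLE_ACTIONS.get(member.role, set()):
        return False, f"role {member.role!r} may not {action}"
    if doc.topic in member.recused_topics:
        return False, f"recused from topic {doc.topic!r}"
    if doc.committee and member.role != "administrator" and doc.committee not in member.committees:
        return False, f"not a member of the {doc.committee!r} committee"
    return True, "ok"


def parse_audit_line(line: str) -> Dict[str, str]:
    """Parse one constructed audit line: '<timestamp> <user> <action> <doc_id> [key=value ...]'."""
    ts, user, action, doc_id, *extra = line.split()
    entry = {"ts": ts, "user": user, "action": action, "doc_id": doc_id}
    for kv in extra:
        key, _, value = kv.partition("=")
        entry[key] = value
    return entry


def review_audit_log(log_text: str, members: Dict[str, Member],
                     documents: Dict[str, Document]) -> List[Tuple[str, str, str, str, str]]:
    """Replay each logged action against the policy. Flag anything the policy would
    not allow, and any share whose destination lies outside INTERNAL_DOMAINS."""
    findings = []
    for line in log_text.strip().splitlines():
        e = parse_audit_line(line)
        member, doc = members.get(e["user"]), documents.get(e["doc_id"])
        if member is None or doc is None:
            findings.append((e["ts"], e["user"], e["action"], e["doc_id"], "unknown member or document"))
            continue
        allowed, reason = is_authorized(member, doc, e["action"])
        if not allowed:
            findings.append((e["ts"], e["user"], e["action"], e["doc_id"], reason))
        elif e["action"] == "share":
            domain = e.get("dest", "").rpartition("@")[2]
            if domain not in INTERNAL_DOMAINS:
                findings.append((e["ts"], e["user"], e["action"], e["doc_id"],
                                 f"shared outside the organisation to {e.get('dest')!r}"))
    return findings


# Constructed board: four members, three documents, six audit entries.
MEMBERS = {
    "alice": Member("alice", "director", committees={"audit"}),
    "bob": Member("bob", "director", committees={"compensation"}, recused_topics={"vendor-acme"}),
    "carol": Member("carol", "chair", committees={"audit", "compensation"}),
    "dana": Member("dana", "administrator"),
}
DOCUMENTS = {
    "DOC-17": Document("DOC-17", topic="vendor-acme", committee="audit"),
    "DOC-21": Document("DOC-21", topic="executive-pay", committee="compensation"),
    "DOC-30": Document("DOC-30", topic="board-pack"),
}
AUDIT_LOG = """
2024-03-04T09:12:00Z alice read DOC-17
2024-03-04T09:15:00Z bob read DOC-21
2024-03-04T09:20:00Z bob read DOC-17
2024-03-04T10:01:00Z carol share DOC-21 dest=carol.personal@example.net
2024-03-04T10:05:00Z dana upload DOC-30
2024-03-04T10:10:00Z alice share DOC-17 dest=bob@board.example.org
"""

if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG, MEMBERS, DOCUMENTS):
        print(*finding)
```

Run as written, the replay raises three findings: a director reading a document on a topic he is recused from, the chair sharing committee material to a personal address, and a director attempting a share her role does not permit. The point of the replay is that the audit trail is only useful if the same policy that gates access is also applied to the log after the fact; a portal that logs everything but never compares the log to its own rules will not surface the insider case described above.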
3. Protect meeting minutes
Meeting minutes represent the official record of a board meeting and offer protection against liability, provide evidence of decisions, and create a clear list of actions and next steps.
Board administrators often distribute meeting minutes by email or through general-purpose online tools. Minutes delivered this way can inadvertently expose confidential information, resulting in litigation, expense, and a damaged reputation, so make protecting them a priority. Prepare the minutes promptly and destroy the notes used to compile them. Make the minutes available to board members in a read-only format, and consider limiting how long each member can access them digitally.
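One way a portal can enforce the "read-only, for a limited time" rule above is to issue each member a signed, expiring grant for the minutes rather than a copy of the file. The block below is an added example, not code from OnBoard or the article: it builds such a grant as an HMAC-SHA256 token over a small JSON payload, and the verifier rejects tokens that are expired, tampered with, or presented for an action other than the one granted. The secret key, member name and document identifier are assumed for the example, and a real portal would additionally bind the grant to the member's authenticated session and record each successful verification in its audit trail.

```python
"""Added example, not OnBoard's code: a time-limited, read-only access grant
for a document such as meeting minutes, implemented as an HMAC-signed token."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Server-side signing key (assumed). Never sent to clients; rotate like any other secret.
SECRET = b"server-side-secret-replace-me"


def _b64(data: bytes) -> bytes:
    """URL-safe base64 without padding, so the token is safe in a link."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_grant(member: str, doc_id: str, ttl_seconds: int,
                now: Optional[float] = None, action: str = "read") -> str:
    """Create a grant allowing `member` to perform `action` on `doc_id` until now + ttl."""
    issued_at = time.time() if now is None else now
    payload = {"m": member, "d": doc_id, "a": action, "exp": int(issued_at + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + _b64(sig)).decode()


def verify_grant(token: str, requested_action: str,
                 now: Optional[float] = None) -> Tuple[Optional[dict], str]:
    """Return (payload, "ok") if the grant is valid for `requested_action`, else (None, reason).
    The signature is checked before the payload is parsed, so a tampered body is never trusted."""
    try:
        body, sig = token.encode().split(b".", 1)
    except ValueError:
        return None, "malformed"
    expected = _b64(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    payload = json.loads(_unb64(body))
    current = time.time() if now is None else now
    if current >= payload["exp"]:
        return None, "expired"
    if requested_action != payload["a"]:
        return None, f"grant allows {payload['a']!r}, not {requested_action!r}"
    return payload, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a one-hour read-only grant on the January minutes.
    t0 = 1_700_000_000
    token = issue_grant("alice", "MINUTES-2024-01", ttl_seconds=3600, now=t0)
    print(verify_grant(token, "read", now=t0 + 100))        # valid
    print(verify_grant(token, "download", now=t0 + 100))    # wrong action
    print(verify_grant(token, "read", now=t0 + 3700))       # expired
    print(verify_grant("x" + token[1:], "read", now=t0 + 100))  # tampered body
```

Because the expiry and the permitted action live inside the signed payload, a member cannot extend the window or upgrade "read" to "download" by editing the link; any change invalidates the signature, and the server simply declines to serve the file.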
4. Avoid using email as the channel for board discussions
Email is a poor channel for sensitive board material: messages are rarely encrypted end to end, are easily forwarded, and are retained in mailboxes, backups and on every device that synchronises them. What's more, using email to discuss sensitive board matters can create discoverability issues should legal challenges ever arise for your board.
Use a secure board portal as the sole, or at least the primary, channel for communication between the board, its members and management. From a defensive point of view this makes sense, and board portals are also better placed to preserve privilege over directors' communications.
Historically there has been some initial resistance to moving communications into a portal, which is understandable: most directors are accustomed to and comfortable with email. But when secure messaging in a portal is built well, it offers a seamless user experience and frequently becomes the preferred method for all board communication.
5. Wipe vulnerable devices
Board members often access information on a number of electronic devices. While it’s important to ensure they can work while on the go, it’s also critical to insist board business be conducted only on safe, trusted devices.
Board members may lose or replace a personal device for any number of reasons. According to Statista, consumers replace smartphones about every three years, and enterprise devices are replaced more frequently. So consider having the portal wipe its locally stored data from any device that has not checked in with the portal within an established period, such as 90 days.
Cyberattacks in the boardroom can lead to costly consequences. Take action now to mitigate board cybersecurity risk, while ensuring board members can access the information they need to be successful in their essential roles.