Protecting the Boardroom: Improving the Cybersecurity Practices of the Board

  • Carissa Duenas
  • Published: July 8, 2021
Cybercriminals continue to target boards today. From targeted phishing attacks (e.g. whaling) to information theft over insecure connections, boards need to exercise vigilance as they go about executing their governance duties. There is much at stake when it comes to board security, especially since directors handle some of the most sensitive and confidential information in the organisation. 

Below are some items for boards to consider to limit the possibility of falling victim to cyberthreats and cybercrime. 

Manage assets via the ‘principle of minimisation’ 

Board members should be made aware of the principle of minimisation, as applied in a cybersecurity context. The following excerpt describes the principle succinctly:

Minimisation improves security by reducing the number of things that can go wrong, the number of points open to attack, the duration of high-risk exposure, the value of the assets you have to protect, and the consequences of failures. Every piece of information you store and every bit of complexity you add comes with a cost, and those costs must be weighed against the benefit that the addition provides.

Minimisation can be applied to the management of assets. For instance, the fewer assets an individual has on their network (home or otherwise), and the fewer applications or services that run on them, the harder it is for cybercriminals to find a way into the network and compromise systems. This is what is called “reducing one’s attack surface.”

How might this apply to boards? Directors and other board members are better off, from a security standpoint, if they minimise the number of devices they use for board business. It would be prudent as well to make an inventory of the applications on those devices and uninstall those that are not used; each unused application is software that still has to be patched and that can still be exploited. The objective is to limit the opportunities for exploitation.

The risks of email

From a security and technical standpoint, the use of email is often problematic when dealing with sensitive information. Apart from the fact that standard email is not encrypted end to end, and that a message is only as protected as every mailbox and mail server it passes through, there is the factor of human error associated with its use. 

Directors can inadvertently send emails to unintended recipients. This is more common than one might think. A recent Egress report stated that eighty percent (80%) of organisations reported sensitive data being put at risk because the wrong recipient was added to an outbound email. This can be damaging to an organisation, and unlike an external attack it requires no attacker at all. 

In addition, board members have long been targets of whaling scams. Whaling is a type of phishing scam that targets C-suite and board-level individuals—typically the “big fish” of organisations—often from a sender address on a domain that looks almost identical to a trusted one. Falling for such a scam is enough to disrupt and jeopardise an entire company’s operations. (For more information on the risks of email use for board members, download our email security ebook here.)
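One way to implement the pre-send check that the wrong-recipient figures above argue for, as an added example that is neither code from this article nor part of any product it mentions: classify every recipient of an outbound message as internal, external, or a lookalike of a trusted domain (the kind of domain whaling emails arrive from), and warn before the message leaves. The trusted domains, the recipient addresses and the two-edit threshold are assumptions constructed for illustration.

```python
"""Pre-send recipient check: misdirected mail and lookalike domains.

Added example, not code from the article or from any board-portal vendor.
The trusted domains and sample addresses below are constructed for
illustration; a real deployment would load them from configuration.
"""
from typing import Dict, Iterable, List

# Hypothetical organisation domains (assumption for the example).
TRUSTED_DOMAINS = {"example-board.com", "example-board.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def classify_recipient(address: str,
                       trusted: Iterable[str] = TRUSTED_DOMAINS,
                       max_edits: int = 2) -> str:
    """Classify one recipient address.

    'internal'  - domain is one of the trusted organisation domains
    'lookalike' - domain is within max_edits of a trusted domain but is not one
                  (e.g. exarnple-board.com for example-board.com)
    'external'  - any other well-formed address
    'malformed' - no usable local part or domain
    """
    domain = domain_of(address)
    if not domain:
        return "malformed"
    if domain in trusted:
        return "internal"
    for t in trusted:
        if 0 < edit_distance(domain, t) <= max_edits:
            return "lookalike"
    return "external"


def check_recipients(recipients: List[str],
                     trusted: Iterable[str] = TRUSTED_DOMAINS) -> Dict[str, List[str]]:
    """Group recipients by class so a client or gateway can warn before sending."""
    report: Dict[str, List[str]] = {"internal": [], "external": [],
                                    "lookalike": [], "malformed": []}
    for r in recipients:
        report[classify_recipient(r, trusted)].append(r)
    return report


def should_warn(report: Dict[str, List[str]]) -> bool:
    """True if anything in the report deserves a confirmation prompt."""
    return bool(report["external"] or report["lookalike"] or report["malformed"])


if __name__ == "__main__":
    # Constructed recipient list: one colleague, one lookalike domain,
    # one genuine outside party, one typo that is not even an address.
    sample = ["chair@example-board.com",
              "cfo@exarnple-board.com",
              "auditor@example-audit.com",
              "board-pack-recipient"]
    result = check_recipients(sample)
    for cls, addrs in result.items():
        print(f"{cls:9s} {addrs}")
    print("warn before sending:", should_warn(result))
```

The lookalike test is deliberately crude: it compares whole domains by edit distance, so it catches transposed or substituted ASCII characters but not internationalised-domain homographs, which a production check would normalise (for example via IDNA) before comparing. Treating every external recipient as a prompt rather than a block keeps the check usable; the point is to make the director look twice, which is exactly the step that goes missing in the misdirected-email cases the Egress figure describes.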

This is where the use of a highly secure, centralised, board-specific platform can be of value. 

A board portal, or board management software, is a centralised, online hub designed for board secretaries and directors to organise and manage meetings, access documents, and communicate with each other in a tightly controlled environment.

Most board portals have their own messaging functionality. Boardlogic, for example, allows directors to communicate with each other from within the platform. In addition, important files and meeting records—for example, the agenda, meeting minutes, board pack—are located in the board portal itself. Such features greatly reduce the reliance on email as a communication channel for board-related activities. Because a board portal is a closed system with access confined to directors, company secretaries and senior executives, the number of people and channels through which data can leak is much smaller than with email. The trade-off is that the portal then holds the organisation’s most sensitive material in one place, so the strength of its access controls (in particular multi-factor authentication for every account) matters at least as much as the features themselves.

Transition to secure, paperless board packs

Paper-based or printed board packs are a security liability in more ways than one. They can land in the wrong hands if they are lost or stolen, and once printed there is no way to revoke access to them. Some companies do move to electronic versions of board packs, but place them on general-purpose cloud storage services such as Google Drive. Unfortunately, there the only controls are each user’s account credentials and the sharing settings on the file, and both are routinely targeted by cybercriminals.

It is much easier to securely manage digital board packs from within a board portal solution. The most secure board portals encrypt data in transit and at rest. In the unlikely event of a breach of the portal’s storage, the information remains unreadable to third parties without the decryption keys, rendering it useless to hackers and unauthorised individuals. Note that encryption at rest protects against theft of the stored data itself; it does not help against an attacker who has obtained a director’s valid login, which is why account security remains essential.

It is also worth mentioning that if a board member’s device is lost or stolen, some board portal platforms (like Boardlogic) can remotely disable the device’s access to the application. This provides a level of assurance that board information remains safe even in such scenarios, provided the revocation is enforced on the server side (so that it does not depend on the lost device ever receiving the command) and the application’s locally cached data is itself encrypted.

Train the board

Employees of many organisations typically undergo security training to introduce and establish the cyber-risk culture of the company. They are also given an understanding of the technology practices needed to keep the business safe. A security training programme tailored for the board can be beneficial as well, covering the risks discussed above: device and application minimisation, recognising whaling and misdirected email, and handling board packs. This ensures all directors are on the same page and helps establish the baseline security practices expected of the board.

Conclusion

Most boards understand the need to establish a proactive, defensive cybersecurity framework for the organisations they lead. This is important. But it is also necessary to pull back the reins and determine whether the board itself does what it can to protect the organisation through its own security practices. That merits a hard look at members’ digital hygiene, and an honest assessment of any gaps or lapses that need to be addressed. Security always begins at the top, and given what is at stake at the board level, the rest of the organisation—along with its stakeholders—cannot be faulted for expecting nothing less.