Eight Ways for Directors to Help Protect Board Data
Board members must follow the same cybersecurity standards as employees.
Hackers are targeting organizations with increased frequency and boldness, forcing companies to defend against a near-constant barrage of cyber threats. Regardless of industry, sector or geographic location, these threats grow daily. A data breach involving confidential board information can devastate an organization's reputation and cost millions in incident response, recovery, ransoms or litigation.
Any data breach is expensive. According to an annual IBM Security Report, the average data breach in the U.S. costs more than $9 million. The cost can be even higher for organizations in highly regulated industries.
Cybersecurity Standards for Board Members
Given the sensitivity and value of the information about company strategy that boards typically possess, the potential damage from a hack or intrusion into board deliberations is usually worse than a data breach involving a low-level employee. And yet, at many companies, a board's cybersecurity isn't given nearly the same attention as that of the company's employees.
This blind spot persists, despite a recent survey showing that 89 percent of board directors, administrators and staff members see cybersecurity as vital to their organizations’ success. According to a recent IDG Communications report, 57 percent of CIOs recognize a need for security improvements.
Breaches take many forms, including human error, compromised passwords, abuses of privilege and hacks on known vulnerabilities, such as those found in remote meeting tools. The perpetrator could be an outside hacker, a disgruntled employee or a former employee trying to disrupt the company.
Data breaches or cybersecurity attacks aren’t the only risks. Boards also face risks from unforeseen and accidental leaks. In one case, emails from then-Salesforce Inc. board member and former Secretary of State Colin Powell revealed details about the San Francisco company’s merger and acquisition plans.
Also, it’s important to remember that board directors’ personal and board email accounts are subject to discovery in litigation. Board members sign a contract when they join a board. If they don’t abide by security standards, they open themselves to personal liability, even if they accidentally facilitated a leak or hack of board information.
So, what can be done? Here are some suggestions:
1. Board members should be required to comply with the same cybersecurity standards as employees of an organization. That means investing in a solid cybersecurity infrastructure and training board members in its use.
2. All board materials should be digitally managed via the same platform. No more sending spreadsheets around from personal email accounts. Google Drive and Dropbox are also not ideal: Google Drive is not easy to secure, and Dropbox requires consistent management.
3. Make sure directors have appropriate security permissions. Not all board members need the same level of access to materials. A conflict of interest — often a required disclosure in many industries and states — can and should limit some board members’ access to information.
4. Protect meeting minutes. Minutes are the official record of a board meeting. They also protect against liability, show how decisions are made and create a clear list of action items and next steps. These must be distributed to directors, but, again, Google Drive documents and links sent via personal email are a significant security risk. If minutes fall into the wrong hands, confidential information can be exposed, destroying an organization’s competitive advantage. It could also cause legal and financial complications and damage a company’s reputation.
5. Require board members to communicate securely. Personal email is vulnerable to phishing attacks and other cyber threats. A secure board platform for communications is ideal, since such platforms often have notification systems that let directors know they have messages waiting without transmitting sensitive information.
6. Manage directors’ devices. Whether it’s a laptop, desktop or mobile phone, directors hold a great deal of potentially sensitive information on these devices. A board portal can help manage devices for board members, ensuring they are secure and, if lost or stolen, can be quickly wiped so information doesn’t fall into the wrong hands.
7. Prepare for the inevitable. Because of the ongoing tsunami of cyberattacks, the odds are that, ultimately, there will be an incident that matters to your board. Boards can prepare for this by empowering CIOs and IT teams with the resources and budgets necessary to meet or exceed cybersecurity best practices. This would include regular security training for employees and directors alike.
8. Look for cyber expertise when adding new board members. Boards have traditionally been composed of domain experts from various fields, but today, more boards are diversifying their membership and looking for cybersecurity expertise and cyber literacy in prospective directors. This can help a company comply with regulations and implement data protection best practices.
Mick Cobb is CTO of OnBoard, a secure board management firm.