With each passing month bringing new high-profile hacking cases, it might be no surprise to hear that boards and their directors are taking a long, hard look at how they keep their board and management information secure.
In June 2023, a vulnerability in a piece of software used by nearly half of FTSE 100 companies — from British Airways through to Boots and the BBC — led to tens of thousands of employees having their personal data compromised. A few weeks later, Calpers, the biggest public pension plan in the US, was hacked too — leaking data on 770,000 of its members. Then, in August of that year, the UK electoral register was hit, this time affecting an estimated 40 million individuals. The list goes on, and the numbers keep getting bigger.
Company directors increasingly care about cybersecurity…
All in all, at least a fifth of British organisations have had data stolen in the past year, according to cybersecurity firm Sophos. And the people sitting at the boardroom table have been taking notice: general counsels now list cyber security risks as one of their top concerns, and mitigation measures have gone from a page in the IT team’s annual report to a key item on most boards’ agenda.
“If you look at any survey of general counsel (or, indeed, you ask one), cyber security will always be one of the issues that keeps them awake at night.”
~ Lawson Caisley, Chair of the cyber risk committee, White & Case, via the FT
…yet most boards of directors lack the tools to secure their own data
But are these board members, in turn, taking steps to protect the highly confidential information they’re given? Far from always.
According to a survey we conducted with the Corporate Governance Institute, boards are split into two roughly even groups: those that use a board portal (43%) and those that don’t (57%). And the difference between the two is telling: amongst directors using a portal, four out of five (83%) are satisfied that their board information is safe; meanwhile, for those without a portal, only two out of five do (41%).
How satisfied are you that your board information is secure?
For more details on what a board portal is and can do, check our complete guide to board portals.
How do board portals protect sensitive information from data breaches?
So, what are board portals doing to generate such peace of mind amongst their users? Beyond the convenience and time gains, they bring two main security benefits:
- They unify the reporting process, thus reducing the number of attack points and simplifying the overall management of your security.
- They automate it, removing opportunities for manual, human mistakes.
Board portals’ security benefit #1: unifying the reporting process
When it comes to secure collaboration online, less is more. A board portal cuts down on the number of tools used to brief authors, collate reports, distribute packs, and approve board resolutions by replacing instant messaging apps, email, file-sharing or e-signature tools, and more.
Having all these different parts happen in one place not only makes the board reporting process more efficient and easier to use for everyone involved, but also reduces the number of potential entry points for attackers. Fewer tools equals fewer updates for your IT team to be aware of, deploy, and monitor, which in turn means fewer breaches for hackers to exploit.
Speaking of monitoring, portals give greater control over who can see what, when, and what they can do. An email with a board paper attached to it cannot be managed or overseen once it’s been sent — there’s no telling who’s read it or forwarded it on to whom, and there’s no recalling it. Whereas a board portal makes it possible to limit who has access to information (down to an individual board paper in an individual board pack), change things after publishing (e.g. remove users and wipe the data downloaded onto their devices), fix any mistake that slips through (e.g. delete a paper that shouldn’t be there), and get an audit log of who did what and at what time.
Control access down to an individual item.
Importantly, using a single platform doesn’t mean trusting a single line of defence. A good board portal will offer multiple, redundant protections against attack cyberattacks, from Two-Factor Authentication through to encryption, granular permissions, and audit logs (more on these below).
A unified solution protects against phishing attempts, too, because anything board-related coming from outside the portal can safely be considered malicious by default. For example, rather than wonder whether the Zoom link they’ve just received by email is genuine, directors can simply use the meeting link shared through their board portal and rest assured that it’s safe.
Integrate remote meeting links.
Board portals’ security benefit #2: automating the reporting process
Each action performed manually leaves room for human error, with every email and message running the risk of attaching the wrong file or CC-ing the wrong person. And even a minuscule chance to get it wrong becomes statistically likely when compounded over the dozens of messages going back and forth for each paper, the dozens of papers going back and forth for each pack, and the dozen of packs going back and forth each year.
By automating each stage of the reporting process and keeping everything in a secure space with clear restrictions on who can access what, board portals protect against slip-ups — whether when asking the chair for what should be on the agenda, sending briefs to report authors, responding to demands for clarification, receiving the latest update to a paper, or sending directors the final version of the pack.
Automate your process from briefing to distribution.
How to choose a secure board portal provider
Check for key features that improve behaviours
One golden rule of cybersecurity: make it easy for users to do the right thing. So, rather than constantly relying on training and reminders to keep board papers secure, look for features that will help create a safe environment by default — even for the less tech-savvy users. For example:
- Two-Factor Authentication (“2FA”) — so that attackers who have guessed or stolen a director’s password cannot log in without a second, secret code only accessible on said director’s cell phone.
- Integration with video conference apps — so that board members cannot be fooled by fake remote meeting links.
- Note and comment sharing directly within the board portal — so that neither directors nor management share confidential information by emailing the wrong person by mistake when asking for clarification.
- Granular permissions — so that the people who only need to see one part of the board pack can be given access to that specific paper rather than to the whole thing.
Secure access with Two-Factor Authentication.
Check the board portal’s cybersecurity certifications
So, if you’re looking for a board portal to increase the security of your board information, where do you begin?
As with every other piece of software, a good place to start is simply to ask for credentials. Not all certifications are equal, so know the key ones that guarantee that the software provider follows a set of best practices — such as ISO 27001 and Cyber Essentials Plus. And make sure to check that these apply to their business and the services they provide you, not just to the data centre provider they use.
These certifications aren’t the be-all and end-all of security. But their absence is a sign the provider hasn’t been properly audited or isn’t focused enough on security to go through the process — so it’s an effective way to curate your shortlist.
Check cybersecurity-related public information
Publicly available information can also be a useful indicator. For example, search for the board portals you’ve shortlisted in your device’s app store. When was the last time they received an update? If the latest version is older than a few months, it likely indicates suboptimal proactiveness and reactivity.
You can also check whether they’re available on governmental procurement platforms — like G-Cloud in the UK. Their presence on such marketplaces is a guarantee that the solution has been vetted for government use.
Ask your cybersecurity questions directly to the board portal provider
Finally, ask the board portal providers directly. Typical questions to ask about their product’s security would include:
- Where are their servers located (and are you fine with your data being stored there)?
- Are they encrypting all data — both in storage and in transit?
- How resilient is their infrastructure? What happens if one of their servers breaks? How is the physical infrastructure protected? How do they mitigate DDoS attacks?
- Do they train and screen their employees? Who amongst their staff will have access to your data?
- Are they running regular “pentests”, where they hire professional hackers to try to break into their systems? Do they pentest their apps as well as their servers? And are they happy to share recent results?
- What third parties have access to information, what information do they have access to, and how do they use it?
- Have they experienced any significant security breaches in the past?
- Is there a way to obtain an audit trail?
- How often are information security policies reviewed?
Besides the content of their answers, their openness to reply will usually tell you a lot, too.
Get enterprise-grade cybersecurity with Board Intelligence
Board Intelligence is the only UK-headquartered, UK-hosted board portal. It offers the highest-quality data centres (ISO 27001 & 9001-certified), approved for hosting UK Government data, as well as all the cybersecurity features needed to keep your information safe — which is why it’s trusted by the boards of international banks, government bodies, healthcare providers, corporate service providers, and many more security-conscious organisations.
To see for yourself why 40,000+ board members and executives are using our platform to run their businesses efficiently and securely, book a demo of the platform.