Five cybersecurity mistakes in the virtual boardroom

Written by Maximilien van Gaver | 28 April 2020

Maximilien is a member of our Information Security committee.

One small consolation of the Covid-19 pandemic is that, at last, board papers aren’t board papers anymore. As board meetings go digital, “One director left the board pack in a cab” should finally become a phrase of the past. But the move from cellulose to silicon doesn’t make everything magically secure; it merely moves the risk to a different, digital, area.

“Want inside information about a company . . . ? Tap into an online board meeting.”

James Stavridis, retired U.S. Navy Admiral and former Supreme Allied Commander of NATO

Hackers spying on your directors is the last thing you want to worry about in these difficult-enough times. So, to give you peace of mind that your sensitive information is protected, here are five common cybersecurity mistakes every virtual board should be aware of.

Mistake 1: Using one company-wide system

The sudden switch to mass remote working caught many organisations off-guard, leaving them scrambling for solutions. Now that the dust has settled, and most have found collaboration tools that suit their needs, it can be tempting to move the boardroom to the same platform used by the rest of the business — such as Slack or Microsoft Teams. After all, why not keep things simple?

But this presents a few dangers.

Firstly, using a single company-wide system muddles the distinction between the virtual business space and the virtual board space. When both are hosted under one roof, directors are one bad click away from sharing confidential information with the wrong audience. Distinct tools, by contrast, create delineated, error-proof processes — even for the less tech-savvy board members.

Secondly, the more users, the larger the attack surface. Human errors, such as employees sharing their passwords, are the main factor behind hacks — “over 95% of all incidents”, according to an IBM report. So, limit the risk by separating the system used by directors. Just as access to information must be granted on a “need-to-know” basis, access to the tools where that information is stored should be determined on a “need-to-use” basis — and few employees need the features that board members require.

“A practical start for a medium-sized business . . . might be to create a two-level system for information: Much day-to-day work could be allowed on less-secure systems that are easier to use, while highly sensitive dealings would be transmitted on more protected circuits.”

James Stavridis, retired U.S. Navy Admiral and former Supreme Allied Commander of NATO

Mistake 2: Mixing and matching solutions

Don’t let point 1 lead you to the wrong conclusion. You want to split systems by use cases, not split use cases between systems. In other words: if your directors get their own dedicated tool, every single thing they do should happen through said tool. Conversely, this means the solution you choose needs to contain all the features they rely on — from report sharing to commenting.

Otherwise, asking your board members to use several solutions defeats the purpose of having restricted tools in the first place. Not only does it add confusion around where board information can be safely shared, it also lowers the security of the whole chain to that of its weakest link. State-of-the-art servers, for example, are irrelevant if board papers get shared via unencrypted emails from directors’ Gmail accounts.

Mistake 3: Leaving best practices to luck

One golden rule of behavioural sciences is: if you want people to do something a certain way, make it stupidly easy to do it right, but darn hard to do it wrong. And this applies to cybersecurity too.

“Attackers didn’t need to break down a wall of 1s and 0s, or sabotage a piece of sophisticated hardware; instead they simply needed to take advantage of predictably poor user behavior.”

Harvard Business Review

Rather than relying on each and every board member to make the right choices, set things up so that defaults are sensibly secure and mistakes won’t have catastrophic consequences. For example:

  • You cannot prevent board members from divulging their password if they enter it on a malicious site. But you can turn on Two-Factor Authentication (“2FA”) to block hackers from logging in without a second code sent to the director’s cell phone.
  • You cannot secure a private computer unmanaged by your IT team. But you can block board members from downloading PDFs that can be stolen, and restrict viewing board packs to a “sandboxed” dedicated application.

The key is in making it simple for the user, and in being seen as a partner, not a policeman. So, instead of sending board members guidelines and hoping for the best, choose a system that can be securely configured centrally. And, rather than monitoring and enforcing processes, offer directors an intuitive application that will make their lives easier while nudging them towards secure habits.

Mistake 4: Building what you need in-house

The “Not Invented Here” syndrome can be a powerful force, especially when sensitive documents are involved. To keep expenses down and get things up and running quickly, many teams try to put together homemade solutions — often by combining different systems, or by bending tools intended for other uses (think agendas created in Excel, or Word documents containing a list of links to online files).

More often than not, this is both a false economy and a security risk. Indeed, according to McKinsey, companies moving to SaaS applications benefit “from faster innovation, reduced complexity, lower operating costs, and massively reduced management spending on obsolete technologies,” while Deloitte finds organisations “are limiting themselves by trying to build cyber capabilities in-house.” So, look for a specialised provider with adequate certifications (such as ISO 27001) to guarantee not just lower costs, but also best-practice security, thorough audits, and regular updates that keep up with new threats.

“Because CISOs are often uncomfortable having data outside ‘the four walls’ of the enterprise, it’s not surprising to see respondents choosing on-premise implementation. But the reality is, with the changing threat surface, a well-thought-out cloud solution with a quality provider may be able to provide a better cybersecurity posture than those created in-house.”

Deloitte

Mistake 5: Considering the matter closed

Cybersecurity is often the board’s forgotten topic, with “half of boards . . . not discussing cyber as often as they likely should be,” according to Deloitte. And another McKinsey report notes that “cybersecurity professionals are at least two layers from the CEO in the corporate hierarchy, with few opportunities for direct discussion” in large companies — when they aren’t absent altogether in smaller organisations.

But cyberthreats are notable in that they’re fast-evolving. Just as cybersecurity needs frequent consideration at board level, so the tools used by the board require regular assessment.

“I used to go to the board of directors and the audit committee annually for about 20 minutes. We now meet with the board eight times a year for at least an hour each time.”

Anish Bhimani, CIO of Commercial Banking and Managing Director, JPMorgan Chase

If your board has already settled on using a specific tool during the lockdown, now is your chance to properly assess it — before bad habits become hard to change. Use our Guide to Security in the Virtual Boardroom below to get started.