Protecting an organisation from a security breach is now a critical part of a board’s responsibility. The UK Government’s ongoing national cyber security strategy has highlighted the importance of improving cyber awareness and risk management. The strategy identifies security as a board level responsibility, and has gone as far as to create guidelines and help sheets for executive teams to protect sensitive data.
And yet, board members often overlook one critical link in the cybersecurity chain: their own roles as custodians of company information. Some of the most sensitive company data – M&A information, negotiation details, senior executive compensation plans, strategic plans, financial and customer data – sits within board reports that are routinely distributed as PDFs over unsecured email, or even couriered to them in paper packs ahead of meetings.
Often, the problem is that the board’s position ‘above’ the organisation means it is excluded from security processes that apply to every other part of the business. We find that while the CIO reviews the company’s cybersecurity requirements, he or she may believe that board security is a matter for the company secretary or general counsel. There is often an assumption that it sits outside the CIO’s domain.
Of course, all security has to be usable – and this can mean a compromise between convenience and effectiveness. Few people want to impose unwanted systems on the most senior people within a company. And so they are allowed to carry confidential information on paper as they travel between meetings, and to store this information in whatever way they choose. The possibility of a breach is obvious. But there is another risk: if security is lax at the top of the business, what message does that send at a time when CIOs are trying to establish that security is everyone’s business?
Board level information should be subject to the same rigorous security checks as all other data. Consider:
- Do you know where your confidential data is at any given point? Is it secured, or is it sitting, forgotten, in a pile of paper on the back seat of a taxi? Digital data should be encrypted both in transit (using 128-bit SSL/TLS encryption) and at rest (using 256-bit encryption to deter hacking attempts), and should be accessible only with a digital key. Paper is best avoided.
- Who controls the keys? What is the protocol if a password is stolen? A secure system will be able to deny access rights centrally if this happens.
- Who has access to your board reports? Is it just the board members, or could there be other people you don’t know who are handling your data? This is particularly relevant if you issue paper packs to directors who sit on multiple boards. Digital versions should be able to assign varying access rights to different people, depending on what level of information they need to see.
- If you send information digitally (as a PDF over secured email, for example), what happens to it when it reaches the recipient? If the answer is that it’s printed out and carried to the meeting (this happens in many cases, sadly), then you’re back to the first point.
Security has a permanent place on the agenda of board and senior management meetings. It is one of the most pressing issues facing companies today, with the potential to seriously damage reputation in the event of a breach. Closing the final loophole – that of the board’s own security – should be at the top of the agenda in 2015.