BLOG: Are your client's boards' activities safe?

A recent study shows data used by boards of directors isn’t sufficiently secure, says Adam Levin of IDT911, who identifies where the security risks are.


Discussions and other activities that take place at the board of directors level are among the most sensitive communications a company has. Corporate growth is planned, potential products evaluated, financial positions reviewed.

Because Target’s board discusses data security, the retail giant is utilizing its D&O policy to cover costs of the massive 2013 breach. But with all the risk management efforts occurring within organizations today, a recent study revealed security continues to be hit or miss at the top levels.

The results of the 2014 Thomson Reuters Accelus Board Governance survey hold some key points in identifying areas where significant risks still exist and, in some cases, where opportunities to implement more secure practices may be found.

Why should top-level data security be a priority?
The information contained in board documents is a tantalizing target to a number of parties inside and outside the company. Decisions surrounding downsizing or restructuring efforts are of considerable interest to current employees and contractors. Strategic discussions about potential acquisitions could significantly impact stock activity if they were revealed to investors. Intellectual property involving product details or research initiatives would be a gold mine to competitors.

Take, for example, the covert cyber attacks, dubbed “Night Dragon,” in which Chinese hackers targeted the proprietary information and project financing plans of global oil and energy companies.

Safeguarding the materials, documentation and communications related to board activities may not be a high enough priority for many organizations, but it should be. This data is simply too lucrative for cyber criminals to ignore. And at the rate data breaches are occurring in nearly every sector, companies need to get serious about including board operations in their risk management assessments and data protection planning.

Where does risk still exist?
Security concerns begin at the everyday level. Seventy-one percent of the survey’s participants reported storing board documents and communications on private mobile devices, such as laptops, tablets and smartphones. Considering the rate at which these portable devices are lost and stolen, organizations could potentially be putting a lot of corporate data at risk with this practice.

Rather than housing confidential data on private mobile devices, secure portals are available that are designed expressly for the purpose of storing and providing access to confidential corporate information. These platforms provide the kind of protection board communications require. Unfortunately, only forty-nine percent of survey participants said their company utilizes such a solution.

Sensitive data also may be at risk while in transit, a problem exacerbated by the number of organizations that exchange documents with board members using commercial email accounts, such as Yahoo! and Gmail. According to the survey, forty-three percent of respondents reported always or regularly using these types of non-secure email addresses for board member communications.

Data protection isn’t just about digital ones and zeroes. Hard copy materials are just as vulnerable to exposure as any electronic file. It’s an area often overlooked by risk assessments, which is disturbing when considering the number of survey respondents — 60 percent — who said they were not confident that board members were following the organization’s document retention policies when it came to destroying printed materials. Even more worrying is that this number is actually up six percent from the same survey in 2013.

Steps to safeguard board data
A number of strategies are available to reduce the risk of an exposure when it comes to board operations. Most solutions are relatively painless and low cost to implement. Some utilize technology while others rely on improving the data protection practices used by boards and their organizations.

Encryption, for example, is a highly effective tool for safeguarding data both in transit and while at rest. It’s also easy to use and there are versions available at no cost. But in spite of encryption’s effectiveness, it’s still an underutilized approach. Survey results showed that sixty percent of organizations never or only occasionally encrypt their board communications.

For a culture of security and risk mitigation to fully permeate an organization, action and expectations must start at the top. Surprisingly, even though sixty-seven percent of respondents said their board is very concerned about cybersecurity risk, the percentage of boards that say they set a risk culture and a strong tone for compliance expectations actually fell from 2013 to 2014.

Gaining detailed insight into the types of information that exist within an organization — which formats they’re in, where they’re stored, how they’re handled, who is able to access them and how they’re destroyed — is the first key step toward creating a better security posture. Creating a written information security plan (WISP) for the organization sets the stage by documenting philosophies and expectations around data protection, broadcasting the leadership team’s commitment to a strong security posture, setting out best practices for all to follow and contributing to audit and regulatory compliance.

Finally, know where risk mitigation may be available for board activities through cyber policies that cover breach response and other costs. Those organizations without cyber coverage might still be able to tap into a D&O policy to address board-level exposures related to the actions of directors and officers.

Adam Levin is chairman and founder of IDT911

 
