Governance Best Practices

Using Personal Email Weakens Board Security

Your board likely reviews and discusses risk registers, risk assessments and Enterprise Risk Management (ERM) reports on a regular basis. Cybersecurity and data breaches feature increasingly prominently within such analyses and with good reason: cyber threats are evolving at a rapid pace and their complexity continues to escalate.

Email is a common ‘attack vector’, whether in the form of a ‘phishing’ or ‘whaling’ attack (where individuals receive emails intended to deceive them into divulging login details, passwords and other sensitive information) or through malware-infested attachments.

That’s why email security is vital for any organisation, and doubly so for boards. Yet many directors continue using unsecured, personal email accounts to discuss and share information that should remain safe and secure.

It’s a commonplace that, when it comes to data breaches, there are three types of organisations: those that have been breached, those that will be breached and those that have been breached but don’t yet know it. The only defence is to minimise your ‘attack surface’ and make sure you’ve got strong systems and protocols in place.

What Is Your Data Breach Protocol?

Protocols for dealing with data breaches are essential. If you’re hit with a ransomware attack, will you pay up, or does that run counter to your organisation’s convictions? It’s worth discussing – and deciding – before an incident occurs. Your IT and security leaders should conduct incident response exercises – and these should include the board.

If they’re not, then you’ll be doing your organisation a significant favour by putting this on the agenda.

Of course, when breached, an organisation’s responsibilities go beyond principles, protocols and practicalities: there are legal, financial and reputational consequences to deal with as well. Productivity is likely to take a hit, legal counsel may be required and insurance (or lack thereof) may be a further factor. All of these are significant in themselves and reputational damage will likely have a major impact – one that may be quantified, at least to some extent, in subsequent financial reports.

Yet, despite growing awareness of the risks associated with data breaches, too many risk registers downplay or ignore board communication practices. This isn’t simply a matter of colleagues showing deference to the board; it’s more a matter of whether boards and management teams have turned the lens inward on these risks. And as noted, the risks of unsecured board communications being intercepted, sensitive systems compromised and proprietary information stolen are significant.

Email in the Boardroom: Risky Business

Hackers and other cyber criminals specifically target directors and those who support C-level executives. Forrester Consulting’s April 2018 study, commissioned by Diligent Corporation, found that more than half (56%) of board members use personal email, rather than secure, business-regulated email, to communicate with fellow directors and their contacts within the organisations they lead.

Forrester surveyed some 411 governance professionals across 11 countries in North America, Europe and Asia Pacific and further found that 51% of C-level executives and 50% of governance professionals similarly used unsecured email to communicate sensitive information.

In fact, Forrester found that personal email use is common across boards of all company sizes and regions. In North America, 53% of boards communicate via personal email, followed by 51% of European and 48% of Asia Pacific boards.

Across all regions, even directors with access to board portal software were found to use personal email for board communications. These findings are made more alarming once we consider the increasing sophistication of cyber criminals’ methods to obtain information. Phishing attacks use personalised email targeting to probe for weaknesses, but from a governance point of view whaling is the greater concern. These are phishing attacks that target senior people in an organisation, including their support staff.

This means you, your directors and senior management. Take a moment to reflect on the specifics of some of your own confidential and sensitive governance-related communications.  Then consider Forrester’s findings that at least half of all directors, C-level executives and governance professionals is using non-regulated email for what can be critical communications.

Imagine the consequences and reputational risks should hackers latch on to one of the big catches in your organisation and land a ‘whale’.

The Threat Isn’t Just Digital

Forrester also highlighted increases in board reliance on mobile devices like laptops, tablets and phones, and the vulnerabilities they present. This is another source of risk, again with critical data at stake.

Nearly one-third (30%) of board members reported losing or misplacing a phone, computer or tablet in the prior year. The same is true for 29% of governance professionals.

That’s a lot of information going missing, and there’s no doubt that some of it will fall into nefarious hands. In such cases, it’s vital that bad actors don’t access a stolen device and find an email folder full of private, and valuable, messages and attachments.

Even though various colleagues within your organisation may hold primary responsibility for cyber security, it’s likely that you’re the person to whom your directors turn for insights on effective board operations. The trust you hold and the influence you carry are accompanied by the responsibility to also identify solutions.

Secure Your Communications, and Your Devices, Today

The best way to mitigate these risks is by introducing an Enterprise Governance Management (EGM) system. Simply put, EGM is the application of technical tools and resources to address governance needs, a technology-based counterpart to Enterprise Risk Management.

It supports effective governance and pre-emptively uses technology for secure communications and secure transmission of information and documents. Of all the acronyms to which you expose your directors, EGM may be one of the most relevant when applied to working through crises – and when it comes to avoiding crisis creation through less than secure communications.

Diligent Messenger is just one element of an EGM system, but it offers quick wins at a low cost. It provides secure channels for messaging and sharing documents between individuals, committees or groups, including the board. It enables real-time collaboration, and its secure system works as a standalone product or integrates seamlessly with Diligent Boards™. There’s simply no need to use personal or corporate email systems any longer.

We understand the individuals and groups can resist change and may not like the idea of adapting to new systems and protocols. But individuals and groups must understand the risks and the potentially catastrophic outcomes of a major data breach, from fines and lost revenue to loss of trust and declining market share.

It’s a cruel fate, but one that awaits any organisation that doesn’t take strong action to protect its data and minimise its risks. But the good news is that such action is neither difficult or disruptive – and it can all start with you.

Want to learn more about why board members using personal or work email can expose your boardroom to unnecessary risks? Download the full Forrester Report and see how your board should improve their communication practices.

Board Portal Buyer’s Guide

With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.

Featured Blog