Board members and top company executives are responsible for ensuring the value of their brand— and today that value is closely tied to security, namely, cybersecurity.
But less than a quarter of board members are “quite confident” in management’s ability to respond to a cyber security threat according to a special report “Managing Cyber Risk: Are Companies Safeguarding their Assets?” by NYSE Governance Security magazine. And it’s not a conversation had in boardrooms often enough, experts say.
Not that the risks aren’t known: The cost of cybercrime to the global economy reached $455 billion per year in 2014, and is expected to grow, according to a MacAfee study, “Net Losses: Estimating the Global Cost of Cybercrime.” The true cost of failed cybersecurity, however, goes beyond direct financial losses: out of 189 firms that suffered a cyberattack, 79% of executives reported a drop in external reputation, 78% reported a drop in production and 75% reported loss of employee confidence, according to a 2015 survey by Deloitte and Symantec, “Winning the Cyberwar: Enabling UK Business Now and in the Future.”
“Every organisation, commercial or other, holds information that is valuable to an outside entity, whether it be a competitor or criminal organisation. And where there’s value, there’s an incentive for hackers to put their hands on your information. You need to assume that you are under constant attack,” said Ayal Vogel, president of AMID Strategies, a physical and cyber security consultancy. “And yet, if cybersecurity is ever discussed at a board level, it’s usually about securing customer information, not internal communications and intellectual property.”
See how you can improve your cybersecurity practices within the boardroom with this free white paper download.
According to NYSE special report, some 48 percent of board members “worry they don’t know enough to ask the right questions,
Publicity often focuses on the news, which often involves stories of credit card theft, exposed celebrity photos, or political leaks. More common are cases of product-related data theft and other intellectual property, employee and market data.
“Technology is changing at a faster and faster pace and companies are trying hard to keep up,” the NYSE report says. “Corporate directors may well feel as if bulletproof oversight of cyber risk is impossible.”
But according to NYSE, email creates security risks: there’s no control over the content of a sent email. Messages can be forwarded to the wrong person. Attachments can be duplicated. Users have no control over the servers where email is stored, or passes through.
Additionally, IT managers in charge of the company’s cybersecurity are often reluctant to share concerns about the company’s data security with the board. The Deloitte and Symantec report shows that in 70 percent of the firms surveyed, IT decision-makers did not feel comfortable with their firm’s data security plan.
But employees in charge of data security may not feel comfortable monitoring board members’ adherence to company guidelines — two-thirds told NYSE that their senior IT report to the board only “occasionally.” That’s why only a quarter of directors are “quite confident” in dealing with a cyber attack.
Securing board information
Board data should ideally be stored in a known location, segregated from the organisation’s other data. A hosted board portal may offer a better solution than a commercial cloud storage. Document sharing to a hosted board portal that can be accessed only by users authorised by the system administrator for different roles and rights (e.g. read-only, edit, share) can limit the risk of losing control of emailed attachments. Using a board portal with a strict authorisation scheme means the administrator won’t lose control over documents, even if a user’s access password has been stolen; in such a case the system administrator can simply deny access for that user.
The administrator can also block access to the portal or specific documents on an ad hoc basis, for example when an executive is travelling abroad and the administrator has reason to believe that the network connection to the portal, from that locale, might be compromised. Staff in charge of the board portal can halt the executive’s access to the portal awhile he is in that risky area.
The administrator can also block access to the portal or specific documents on an ad hoc basis. Say an executive is travelling abroad and the administrator has reason to believe that the network connection to the portal, from that locale, might be compromised. Staff in charge of the board portal can halt access while the board member is in that risky area.
“The tried-and-true methods of sharing sensitive documents may place your data at risk,” Vogel of AMID Strategies explains. “Even small- and medium-sized organisation need to rethink the way they store data, and how that data is shared internally and with external users. The board needs to lead the way.”
Board Portal Buyer’s Guide
With the right Board Portal software, a board can improve corporate governance and efficiency while collaborating in a secure environment. With lots of board portal vendors to choose from, the whitepaper contains the most important questions to ask during your search, divided into five essential categories.
July 29, 2021
What Technology Issues Are Boards and Governance Leaders Facing in 2021?
Discover the biggest technology challenges faced by board governance leaders in EMEA during 2021, where progress is being made and the solutions to where it is lagging.
December 28, 2020
What Role Does the Board Play in Business Continuity Planning?
Continuing in the face of adversity has been the dominant theme of the past year. When the scale of disruption caused by COVID-19 became clear, businesses worldwide were forced to adapt rapidly to the restrictions that came into force overnight. While many organisations have business continuity plans designed to keep…
December 21, 2020
Business Continuity Plan Maintenance: A Step-by-Step Guide
A business continuity plan (BCP) is a living, evolving document. Designed to be activated when unplanned disruption strikes, it must be flexible enough to guide actions regardless of the specifics of the situation. In a fast-changing environment, business continuity plan maintenance is an essential part of the business continuity programme…