Managing Cyber Security and UK Boards

Cyber Security in the UK Boardroom

Managing cyber security for organisations can be accelarated by having a CIO at the table that will help ensure that security practices in the boardroom are what they should be, and that culture can then be communicated throughout the organisation.

It would seem to be a truism, at this point, to note that the engagement of UK boards of directors in cyber security can make a critical difference in threat protection and threat response.

Yet the London office of Grant Thornton, in its nationwide survey of boards and cyber security, has this to say: “Most boards don’t pay attention to cyber security, despite the fact that they might make a real difference [by doing so].”

This is a great mistake, because the boardroom is one of the key targets for cybercriminals. Board members, for obvious reasons, share a vast amount of sensitive information, and that means that when a criminal hacks the board, the losses can be painful and dangerous.

Yet, according to the survey, more than six in ten of the companies say that no board member has specific responsibility for cyber security. And in roughly the same proportion of companies, the board does not undertake a regular formal review of cyber security risks and management.

“Putting cyber risk onto the board agenda is one of the most effective ways to minimise the chances of a successful attack and reduce the financial impact if a breach occurs,” the survey says.

And the first step for a board to better managing cyber risk in the organisation is to manage it for the boardroom itself.

Managing Cyber Security and Making the Boardroom Secure

Large UK companies each hold about £52.4 million (US$68.8 million) of sensitive information each, including intellectual property or other commercially valuable data.

Among financial services (banking) firms, this figure rises to £64.8 million (US$85 million).

Much of this data passes through the boardroom, and figures in the communications among board members. And this leads to the three reasons directors are targeted by hackers:

• Directors have access to high-value data;
• Directors are usually given scant attention by IT security, because of their position; and
• Directors generally have little training in managing cyber risks, even on a personal basis.

These tendencies are confirmed by a Forrester Research study which shows that over half of sensitive internal board communication happen over personal email. Fifty-six percent of board members are using personal email (not business-regulated email) to communicate about board matters. “This type of practice leaves boards vulnerable to potential cyberattacks, breaches, and inadvertent data leaks,” the study notes.

Any employee is positioned to make a mistake that can lead to a data breach. It can be as simple as opening a phishing email or clicking on a bad link. That goes just as much for directors, who, when they make a mistake like that, risk revealing critical corporate data as they unwittingly open a back door to sensitive information. Yet directors are rarely trained in even the most basic elements of cyber security and most receive little training in security measures. In fact, 62 per cent of directors participating in a Diligent/NYSE survey reported that they don’t receive any cyber security training at all.

Directors should take the time to learn about managing their own devices (not leaving them open, without even password protection, on a restaurant table, for example), managing passwords, identifying insecure connections and, most of all, using secure channels for their communication.

Board members routinely receive and send critical company information on everything from intellectual property to competitive strategy, including briefs about ongoing litigation. Many, however, find it tedious to use the specially built applications that are designed to keep such data safe. It’s much easier to just pick up the smartphone and send a message via a public email social messaging platform.

Cyber security teams must impress on directors that they must use the tools purpose-built for this reason.

Board members rarely have a sufficient background in tech, so security teams should keep that in mind. It is extremely important to consider a board member with a technology or systems background. Having a CIO at the table will help ensure that security practices in the boardroom are what they should be, and that culture can then be communicated throughout the organisation.

Diligent Governance Cloud Secures Boardrooms

Diligent, the pioneer in Modern Governance, provides board management software that supports the highest level of corporate governance with specially conceived technology, supported by a full-scale team of security experts.

As the long-standing market leader for high-level corporate communications, Diligent is uniquely positioned to offer its clients the highest level of assurance around security measures. Diligent’s unique position in the marketplace allows for investment in best-in-class security practices at a level that is greater than most players’ annual revenue.

With ongoing investment and dedication to security technology, resources and infrastructure that no other provider can match, Diligent clients gain a strategic partner that truly puts security first.

All members of Diligent’s Security Team are active participants in the information security community in order to maintain up-to-date knowledge and expertise. This means that they are aware of nearly anything that hackers have available, ready to thwart all the most sophisticated techniques of attack.

Diligent has established a security program based on industry standard frameworks that is dedicated to ensuring customers have the highest confidence in our custodianship of their data. Our Information Security Management System (ISMS) is ISO 27001:2013 certified and our cyber security framework is based on NIST standards.

Diligent Boards™ data is housed in a world-class hosting infrastructure. Co-location data-hosting facilities are operated at Tier 3 equivalent or higher standards. Diligent owns and operates its own equipment. Data stored by customers in the Diligent Boards solution is not hosted by any third-party cloud providers. Instead, it is stored on Diligent’s own secure servers and protected by strong physical security. Access to these data centres is limited to authorised personnel only and verified by two-factor authentication.

Data is encrypted at rest, in transit and on the users’ devices. The Diligent Boards service supports the current recommended secure cipher suites to encrypt customer data in transit and at rest. Customer data is encrypted at rest on Diligent’s storage systems and on the customer’s mobile devices that run the Boards apps. Customer Data encryption keys are stored in a tamper-proof FIPS 140-2 L3 certified Hardware Security Module.

Diligent has a documented Security Incident Response Program in place to handle a security incident. Incident response procedures are tested and updated at least annually. All incidents are managed by Diligent’s Security Incident Response Team. Diligent classifies the event and determines the incident response process. In the event of a security breach, Diligent will promptly notify customers of any unauthorised access to customer data.