With data breaches seemingly becoming the new norm, cybersecurity has become a key concern for all corporations. While common breaches expose consumer credentials, a leak of corporate information accessed by the board has repercussions that trickle throughout the company and down to the very last customer. So, what are the repercussions of a board-level leak? How do they affect the company internally and the public externally?
In this piece, Brian Stafford, board expert and CEO of Diligent, and Sandra Fathi, president and founder of Affect, will respond to key questions that answer how to best protect board materials and what companies can do to prepare for future breaches. Brian and Sandra will share their expertise from an internal and external perspective, respectively.
Q1. How have board functions changed in the digital age?
Brian: Now that everything is digital, it's much more convenient to search through old board materials and other resources such as past annual reports, analyst coverage and industry research. With this information, board members are now expected to know more and do more.
Sandra: Externally, the advent of social media and citizen journalism is making board members more aware of their companies - such as quickly learning about reputation issues, a potential crisis or how the market is moving. This type of information is no longer a closely guarded secret within the walls of an organization but rather on full display on review sites like Glassdoor or Yelp, personal blogs and social media posts.
Q2. What are some examples of sensitive data that the board of directors may receive electronically?
Brian: Board documents can detail current financials, projections, strategies, impending M&A transactions, layoffs, intellectual property, trade secrets, details of ongoing negotiations with partners, competitors, or governments, and more. There have been instances in the recent past where board materials were hacked specifically to obtain non-public information that was later acted upon by the hackers, putting the company and the board at risk. Depending on the industry, there may also be PII for customers and employees, patient data, details of partners, etc.
Sandra: Boards may also be given advanced warnings of potential crises, pending litigation, or other types of governance and compliance issues. Often the hope is that this type of information will never be public if the organization can mitigate or eliminate the risk quietly. Board members may also be having proprietary discussions concerning executive management and company leadership that are not intended for wider audiences.
Q3. Where are the biggest holes in data security for boards?
Brian: People are always the biggest data security issue - and board members need to understand the risk of their individual actions. Board members tend to be less tech-savvy than other company executives or those in technical roles. This means they may be more likely to fall victim to targeted attacks, such as phishing scams. Further, board members do not like to be inconvenienced with complex or time-consuming security protocols, which may lead to less stringent defenses and simpler passwords. In fact, Diligent research showed that over 30% of board members are using free email services like Gmail or AOL and a significant portion of the other 70% are using emails outside of company firewalls.
Sandra: In addition to their individual actions, board members also need to understand the security needs and sensitivity of the company's cyber risks. By not knowing if the company is collecting credit card data, medical records or other sensitive PII, board members may accidentally share information to the wrong sources. Other considerations can include: Is the company operating in a politically unstable environment? Is terrorism a threat? Are there other physical safety concerns?
Q4. How involved should a board of directors be in a company's cybersecurity initiatives?
Brian: Cybersecurity is definitely a board-level problem. The board should regularly bring in the CIO or CISO to discuss preparedness, role-play different scenarios, and gain at least a high-level understanding of the business' cyber-readiness. Part of the effort should also include the board itself being aware of what they can do to secure their own materials and lead by example.
Sandra: This is one of the top threats to any business today and it is absolutely one of the top priorities for today's boards of directors. It is imperative that they:
1. Understand the security vulnerabilities with the operating systems, the hardware/software, the physical liabilities, the data, facilities, third parties, etc.
2. Understand the people (oversight), policies and technologies in place for cybersecurity.
3. Test and validate the systems and structures on an ongoing basis to ensure that they are always prepared for the latest security threats.
Security is just as much part of the board's mandate as the fiscal and operating responsibilities that they have traditionally focused on in the past. The modern board has to have the technological insights to address and grapple with these threats.
In the second half of this series, we will discuss the biggest implications of board-level data breaches, the best practices to follow if a breach should occur and how companies can prepare for future leaks.