As more board executives, directors, and administrators adopt digital board management processes, board cyber security risks associated with piecemeal digital adoption leave them more vulnerable to serious cyber threats.
Board members play essential roles in organisations of all types, including financial institutions, healthcare organisations, non-profits, and governmental bodies. The board of directors provide oversight and ensure the organisation remains focused on its mission and vision.
Boards must entrust their members with sensitive data to ensure they effectively fulfill their roles. But a data breach involving sensitive board information can result in costly litigation and devastate an organisation’s reputation.
The costly risk of board cyber security breaches
According to an annual IBM Security Report, the average data breach in the United States costs $8.64 million. The expense rises for organisations in highly regulated industries, such as healthcare organisations, which incur the highest average cost for a data breach.
Boardroom breaches can tarnish an organisation’s reputation. Lost business costs — including customer turnover, revenue lost by system downtime, and efforts to gain new business with a diminished reputation — account for about 40% of the average total cost of a data breach.
Boardroom breaches can tarnish an organisation’s reputation. Lost business costs account for about 40% of the average total cost of a data breach.
When COVID-19 hit, our “new normal” turned into remote work, Zoom meetings and distributed IT. These measures bolstered health and safety, but also invited increased cyber security and identity-based attacks. In April 2020, the FBI’s Cyber Division reported receiving about 400% more cyber security complaints daily.
While recent research shows 100% of senior IT and IT security leaders say they’re more focused on security than in the past, OnBoard’s latest survey of board directors, administrators and staff members found only 57% see cyber security as an important issue.
Getting the board on board: a cost-benefit analysis approach to cyber security
The sources of cyber security threats in the boardroom
A security threat can happen, whether your board meets in-person or virtually. But where do the threats originate?
According to Verizon’s 2020 Data Breach Investigations Report, outsiders executed 70% of all breaches. Breaches take many forms, including malicious attacks, human error, or compromised credentials.
Cyber criminals often target executives and professionals who sit on boards, because of their access to a large amount of sensitive information. In 2020, IBM X-Force uncovered a global phishing campaign targeted at more than 100 high-ranking executives.
Though less frequent, a board member may leak confidential data on social media, leverage insider information for personal gain, or feed information to the media.
Best practices to prevent board cyber security attacks
While boardroom cyber attacks always remain a threat, the recent increase in remote meetings and electronically shared information require organisations to take action to reduce risk.
1. Securely manage all board materials digitally
Many boards still rely heavily on printed board books, disclosures, and other important materials. But printed materials can easily get into the wrong hands, especially now as more boards meet virtually or send documents in the mail.
Some institutions choose cloud-based services like Google Drive and Dropbox to share materials. But these solutions offer inadequate security to prevent cyber criminals from stealing sensitive data, including personally identifiable information (PII).
A secure, digital solution prevents such attacks. It also gives board members access to relevant documents from a single portal. Security measures for a board portal include encryption, two-factor authentication, and biometric scanning devices. These include tools for voice, fingerprint, facial, or iris recognition.
In addition, tracking which documents each board member accesses and shares gives boards the power to thwart insider attacks — and more quickly contain them, if they happen.
Identity gets a new look: examining the W3C Verifiable Credentials standard
2. Set appropriate permissions
Board members need access to the right information to fulfil their roles, but not all board members need the same level of access.
Board members in many industries, for example, complete an annual questionnaire disclosing any personal conflicts of interest. A conflict of interest might limit a member’s access to information on certain topics.
Assign appropriate positions to board members to give them access to what they need to succeed — no more and no less.
3. Protect meeting minutes
Meeting minutes represent the official record of a board meeting and offer protection against liability, provide evidence of decisions, and create a clear list of actions and next steps.
Board administrators often distribute meeting minutes via email or online. Minutes delivered this way can inadvertently expose confidential information, resulting in litigation, expense, and a damaged reputation.
Make it a priority to protect meeting minutes. Prepare minutes quickly and destroy notes used to compile them. Make minutes available to board members in a read-only format. Consider limiting how long a member can access them digitally for best board cyber security practices.
4. Provision company email addresses — and require board members to use them
Personal email accounts lack adequate security for sensitive information. Provide board members with a company email address —and require them to use it for all board-related communication.
5. Wipe vulnerable devices
Board members often access information on a number of electronic devices. While it’s important to ensure they can work while on the go, it’s also critical to insist board business be conducted only on safe, trusted devices.
Board members may lose or replace their personal device for whatever reason. According to Statista, consumers replace smartphones about every three years, and enterprise devices are replaced more frequently. So, consider wiping all locally stored information from devices that haven’t connected to the internet within an established period, such as 90 days
It’s time to make board cyber security a priority
Cyber attacks in the boardroom can lead to costly consequences. Take action now to mitigate board cyber security risk, while ensuring board members can access the information they need to be successful in their essential roles.