Anyone that works in IT security will be aware of two things – that human error remains one of the biggest contributors to data breaches within an organisation and that senior executives can be among the worst offenders.
This is problematic for several reasons. Firstly, the information and data shared and discussed during a board meeting is arguably the most private a business will have. They could involve complex and confidential financial matters and even the future strategy of that organisation, information that should it fall into the wrong hands, would be highly damaging.
Furthermore, it means that security is harder to control. Anyone that sits on the board of a major company will be extremely busy and may not have the time nor the inclination to pay too much attention to security measures. It’s not uncommon for senior executives to assume that this will be taken care of on their behalf, when in reality it needs cooperation from them.
Educate the board
The first step in protecting board room data has to involve getting the board members up to speed with the organisation’s security efforts and policy. The board set the agenda for the whole, so if they are lax about data security then that can easily filter down to the rest of the company.
So this should include ensuring broader awareness around cyber security – knowing the company’s cybersecurity policies, ensuring they are functioning and are being enforced as intended and having an awareness of the type of risks that the company may face. This requires a link from IT to the board to make sure these knowledge gaps are filled.
Reducing human error
Because of the nature of their role, board members are probably more prone to human error than others – they have access to the most confidential data, they travel more, they use their own devices more and may not be as tech savvy as younger employees. While IT can do little about a document being left in a hotel copier in some far-flung part of the world, it can help manage the risk that comes with data on mobile devices.
Paper is inherently risky, but devices provide an opportunity to secure information – even if board members Bring Their Own Device (BYOD) – but the opportunity has to be grasped. especially These devices that have may have been used by other members of the family and connected to social networks, the internet of things and more, so there is inherently more risk of a data breach.
So security should include measures to keep work data separate from personal data. It isn’t enough to secure the device, the apps used need to have their own security layer. If the device is lost – which can always happen – there needs to be the ability to ensure access can be denied remotely or for the data to be wiped remotely.
Better board technology
While digital transformation has touched many areas of business, board meetings remain curiously untouched. We recently conducted research that revealed 59% of business executives in UK organisations admitted that minutes are still hand written manually during a meeting and then circulated once typed out. Only two percent of executives surveyed said they used bespoke meeting management software for sharing meeting agendas and information.
In many board meetings, executives are capturing, sharing and managing information in a way that security teams just wouldn’t tolerate in other areas of the business, and that’s something that comes with a high risk factor. That’s why the use of online board portals to replace paper or PDF based board packs for board meetings is on the rise – they will not only keep data more secure, but they make for a significantly more productive use of board members’ time.
It’s important to use a board portal with the appropriate ISO 27001 certification, but doing so means that board members have all the information they need for their meeting and can access that via their iPad or smartphone.
Protecting boardroom data is as much a cultural challenge as it is a technical one, but the right technology is of course an important factor. The best solution will come from a supplier that balances security with ease of use, so board members don’t try to find a workaround that also bypasses security.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.