Cyberthreat and Securing the Board

Cyberthreat and Securing the Board: Three Misconceptions that Undermine Boardroom Security

EVALUATING BOARD SECURITY

Leaders who want to assess their board’s cybersecurity practices can do so by asking three simple questions:

How is the Board Data Stored?

Any security evaluation should begin with examining who controls the data. Not knowing where information is, and being unable to control where it goes, means that the solution is highly insecure. This is why emailing board documents as PDF files is not a secure solution. Files can be accidentally forwarded by directors to others outside the board, or housed in personal email accounts with minimal consumer-level security on systems that the vendors themselves admit should not be regarded as secure.

The same is true of “cloud”-based solutions where your files could be on any server in the file-sharing network and where you have no way of knowing exactly where they are. The success of cloud solutions is based upon the assumption that they are secure, whereas in fact high-profile cases of hacking, such as revelations of passwords and celebrity photos from cloud service providers [4], demonstrate just how flawed that assumption of security is.

Although hosted board portals do seem cloud-like and are often mistakenly referred to as “cloud-based storage,” there are important differences: hosted board portals carefully control where your data is stored and keep the information of each hosted organisation segregated. Knowing where data is located and how it is secured provides greater control and assurance over who has access to the information.

How Strong are the Locks?

Whilst knowing the whereabouts of your data is crucial, so too is ensuring that only authorised users can access it. This can be accomplished by encrypting that data, that is to say, converting the data into a string of meaningless 0s and 1s so that only those in possession of the correct digital key can decipher it.

Paper board packs have no digital key at all; everyone who holds a copy can read the information. Whilst it may be true that PDFs that are emailed or stored on file-sharing systems can be encrypted and password protected, this puts the onus on whoever is distributing and receiving the material to manage password protocols. Even then, PDF documents remain vulnerable to “brute force” attacks using readily available software. Higher-quality hosted board portals typically use 256-bit encryption, and since there are more possible combinations than stars in the universe, it’s safe to say that it would take almost an eternity for even the most determined hackers using the most advanced technology to crack the code.

[4] BBC News, http://www.bbc.co.uk/news/technology-29011850

Who Controls the Keys?

No matter how strong the encryption system is, however, anyone with the right key can still access the information; anyone who has the password to a password-protected PDF virtually owns the document. Stolen passwords mean stolen documents. However, a strong portal never loses control of the documents. A password only goes so far because control of the encryption keys resides within the system: the person logging in will only see what he or she is allowed to see, and if a password is stolen, the administrator can simply deny access for that password.

In the case of authorised users, administrators can limit access to specific documents as well as assign access and visibility of documents to a user group; for example, a compensation committee may prefer to withhold sharing their information with the board as a whole. The administrator of a hosted board portal can control device access too, restricting director access from personal, less-secure devices and mandating access through organisation-owned systems. Also, when sensitive documents are no longer needed, the administrator can conduct a “virtual purge,” closing off the documents to any users trying to access those files. Similarly, access can be restricted according to user or device, which is useful if a director leaves the board and materials need to be recovered, or if a password has been stolen.

SET A SECURE EXAMPLE

Cybersecurity, particularly the security of the board’s own information and data, must be of paramount consideration; having a secure, intuitive board portal handling all board information, communication and collaboration facilitates better board security and improved working practices. A board’s failure to uphold high security standards can undermine the security scheme of the organisation as a whole, whereas a board that leads by example increases the effectiveness of the organisation’s security and places it in a robust position in the face of increasing threats.

Unleashing the value of information. Securely.

Diligent helps the world’s leading organisations unleash the power of information and collaboration – securely – by equipping their boards and management team to make better decisions. Over 4,000 clients in more than 70 countries rely on Diligent for immediate access to their most time-sensitive and confidential information along with the tools to review, discuss and collaborate on it with key decision makers. Diligent Boards expedites and simplifies how board materials are produced and delivered via iPad, Windows devices and browsers. At the same time, it delivers practical advantages like cutting production costs, supporting sustainability goals, and saving administrative and IT time.

Join the Leaders. Get Diligent

For more information or to request a demo, contact us today:
Call: +44 (0)20 7605 7480
Email: [email protected]
Visit: www.diligent.com

Diligent is a trademark of Diligent Corporation, registered in the United States. All third-party trademarks are the property of their respective owners. ©2016 Diligent Corporation. All rights reserved. WP0015_UK