Your board is involved in some of the most sensitive and confidential discussions within your business. So, it’s sobering to think that so many board meetings today are still organized and built around paper documents and insecure messaging and file sharing services.
The risk isn’t contained to the board meeting itself. Board administrators and secretaries can spend weeks preparing a board meeting – gathering reports, conducting research, reviewing past meeting minutes, and of course coordinating schedules with the board members.
It’s actually here, in the preparation phase, that you’re most exposed. And remember, the average board size is 9.2 members – so that’s 9.2 chances for your most sensitive company information to fall into the wrong hands.
Attackers understand the sensitivity of board communications, so it’s not surprising that it’s board members who are increasingly becoming the targets for cyber security attacks.
When Salesforce board member Colin Powell became the target of a hacking attack, the resulting leaks included details of potential acquisition targets for Salesforce – including those that were “in-play”.
For large multinationals, the risks are magnified. Not only is the business a visible target for industrial espionage or malicious leaks, but the geographical spread of board members means board administrators often rely on email, consumer-grade file sharing services, and even paper-based copies of the board pack.
Email remains a key productivity tool for most enterprises. However, that doesn’t mean it’s the most appropriate solution for every use case – particularly where there’s sharing of sensitive information involved.
Email was never designed with security in mind, and many senior executives would be surprised at just how easily it can be compromised.
In many instances, it’s also impossible to evaluate the robustness of a board member’s email solution. Most board members will sit outside of your own corporate firewall, and with the majority of board members actually sitting on three or more boards, many will use their own accounts – often including consumer-grade solutions. Information that’s been carefully protected within your own corporate network is suddenly uncontrollable.
Don’t rely on email: The most effective change any board can make is to replace the use of email with a secure messaging service such as Wire.
Wire offers complete end-to-end encryption, meaning only the communicating users are able to read the messages. It’s the number one line of defense against man-in-the-middle attacks – a form of attack that allows malicious eavesdropping on your communications. In some cases, the attack can be so sophisticated that your board members might not even be aware that they’ve been compromised.
Secure file transfer: Under no circumstances use email attachments as a means to share files. Likewise, the use of file sharing services is to be carefully considered.
Unfortunately, many of the best-known file sharing tools don’t offer end-to-end encryption. Slack, Dropbox, Box, Google Drive, Microsoft OneDrive and Skype all have one thing in common: none of them offers you or your board members end-to-end encrypted file sharing.
This means that if you share files through these cloud services, they're at risk of being compromised.
By comparison, Wire offers fully encrypted secure file sharing – making it the most secure choice for sharing sensitive board information and files.
Consider the use of ephemeral messaging: Ephemeral messaging describes messages shared between users that disappear after a predetermined time. Think Snapchat but for business. Note, there are some federal and state regulations that require some types of companies (i.e. financial services and healthcare) to retain specific types of documentation; however, for general board updates ephemeral messaging mitigates the risk of sensitive information languishing on an email server.
Choose a secure solution for screen sharing: With geographically disparate board members, board meetings occasionally have to rely on web conferencing and screen sharing.
Unlike Wire, which includes end-to-end encryption as standard across your video calls and screen sharing sessions, many of the screen sharing tools available to your board don’t enable end-to-end encryption, leaving both conversations and the content of the screen share open to man-in-the-middle attacks. Even enterprise-grade products such as Webex have their own end-to-end encryption limitations.
Train your board: This is something everyone can, and should, do.
Due to their busy schedules, it’s not uncommon for senior management to miss your company’s regular security training sessions. However, due to the nature of their communications, it’s vital that you extend security training to everyone in your business, and to your external board members.
Remember, regulations such as GDPR now impose financial penalties for the misuse of data, so it’s in everyone’s interest to stay informed and up to date with the latest tools and processes.
Morten Brøgger, CEO, Wire