Data breaches are among the top security concerns for organisations of all sizes, sectors and industries. In 2016, businesses hold more and more data on customers, prospects, staff and more, and keeping that information secure is a priority for all.
The discussions and data exchanges that take place at a board level are perhaps even more important to keep secure. These will often involve complex and confidential financial matters and even the future strategy of that organisation.
This means that security is not just a matter for the IT team – it is an important, strategic policy that must begin right at the top. Yet this is something that is often overlooked. Because the board is positioned differently to the rest of the organisation, board security can be omitted from otherwise sound company-wide security policies.
So a board’s security must be at least the equal of the rest of the company, rigorously enforced, and board members must be made aware of their own responsibilities in this area.
However, board members are not generally known for their deep understanding of cyber security. How can this be balanced with the absolute need to keep confidential data protected?
Start at the top
Despite the best efforts of the cyber security industry, the past 18 months have seen some of the biggest and most damaging data breaches the corporate world has known.
The explosion in content, data and information generated in modern business means that most organisations hold confidential data of some sort or another – and whether it’s Ashley Madison or British Gas, a data breach can be hugely costly, both in terms of the bottom line and the long-term damage done to trust and brand.
So cyber security is not just a concern for the CIO and their team – it’s something that everyone at board level needs to be aware of. In its 2015 whitepaper, ‘10 Steps: A Board Level Responsibility’, the UK government warned that security was now a board level responsibility, and offered help for senior executives on how to keep sensitive data safe.
This has to include an increased level of awareness around cyber security – knowing the company’s cyber security policies, ensuring they are functioning and are being enforced as intended, and having an awareness of the type of risks that the company may face.
This requires a link from IT to the board to make sure these knowledge gaps are filled, and that board members are kept up to date with the latest threats. Perhaps there is a role for a sub-committee that focuses only on the analysis of cyber threats and reports back to the board.
Addressing human error
It remains the case that many data breaches in business come from human error. Board members are perhaps even more vulnerable to this than most employees – they travel more, have access to the most confidential and sensitive information, and may not be as technology-savvy as younger staff members.
Whether it is leaving a printed document on a train, forgetting an iPad after a meeting, or failing to pick up a confidential file from a hotel business centre after using the copier, a board member has more opportunities than most to expose a company to risk.
Increased use of mobile devices also creates more potential risk of a data breach. If board members bring their own tablets and smartphones to the office – devices that may have been used by other members of the family and connected to social networks, the Internet of Things and more – there is inherently more risk of a data breach.
So the education of board members about the importance of keeping the corporate network secure should be a key element of cyber security, as should board members’ role in fostering a culture of compliance and security across the company.
Demonstrating that security is a board-level concern makes it easier and more natural for other employees to follow suit, and ultimately helps create a security-focused environment throughout the organisation.
Smarter use of technology
While this is not the case for every board member on every board, there is a general perception that those who serve on a board may not be the smartest users of technology.
They may capture, share and manage information in a way that security teams would ban across the rest of the business, so there is a real need to help board members use the technologies that will make their lives easier but also help maintain security.
Tablets and smartphones are now ubiquitous in the workplace, and while use of connected devices does come with increased associated risk, they can also be extremely useful in keeping board data secure.
The use of online board portals to replace paper- or PDF-based packs for board meetings will not only keep data more secure, it will reduce paper at those meetings and make for a significantly more productive use of board members’ time.
Board members have all the information they need – before, during and after the meeting – and can access that via their iPad or smartphone. For people that travel a lot, this negates the possibility of leaving paper documents around, and if a device is lost it can be wiped remotely to ensure its contents remain unseen.
Keeping an organisation secure isn't an easy task, and board members can be big contributors to increasing risk. But the best place to start a culture change is at the top – and with education about cyber security and more widespread use of digital tools, board members no longer have to be a corporate security concern.
Sourced from Alister Esam, CEO, eShare