Do your communication practices, or those of your colleagues and directors, pose risks to your organization? If you’ve ever used personal email to communicate on a sensitive matter, the answer is yes.
Diligent Corporation commissioned Forrester Consulting to conduct an April 2018 survey of directors and governance professionals in 11 countries across Asia Pacific, Europe and North America. The findings are now out, in Forrester’s October 2018 report, Directors’ Digital Divide: Boardroom Practices Aren’t Keeping Pace With Technology.
The study found that significant percentages of boards are concerned about the security of data sharing and board communications. However, it also found that directors and corporate secretaries (governance professionals) don’t necessarily recognize that they themselves may be creating risks through their communication practices.
Let’s consider some statistics. The study found that 87% of boards are mildly to extremely concerned about the security of their board communications and data sharing. A full 41% of boards landed at the high end of that spectrum, reporting that they are very concerned.
Why Secure Board Communications is Important
Despite this, many boards send sensitive internal governance communications through insecure communication channels. How widespread is the use of personal email for internal board communications? It’s significant. Fifty-six percent of board members (directors) use personal email for their board communications, and they’re not doing so in isolation. Governance professionals and C-level executives use their personal email for governance communications.
We need to recognize, though, that this is not a good practice. We’re living in a world where cybercrime continues to evolve. Cyberattacks are increasingly sophisticated, and they’re occurring with growing frequency. Attacks are also becoming more complex, and there is a sense that recovery from digital breaches may become increasingly difficult.
Add to the mix the fact that hackers specifically target directors, C-level executives and the people who support them. When a hacker goes after these big fish in your waters, they’re not engaging in ordinary phishing; this is known as whaling. Think for a moment about some of the sensitive governance communications you’ve sent or received over personal email, and you’ll see that the waters are rich.
There’s another potential challenge associated with directors’ communications among themselves; without knowledge of what’s been communicated and retained, how can an organization ensure that it’s in compliance with General Data Protection Regulation (GDPR)?
The Risk of Poor Communication Practices
Compliance aside, such practices expose boards to potential for cyberattacks and digital breaches, as do inadvertent data leaks. Device usage is on the rise, with more than one option available to directors; 91% of boards run board management software on laptops or desktop computers, 59% do so on tablets, and 54% on mobile phones. Forrester found that almost 30% of directors and 29% of governance professionals said they’d lost or misplaced a hardware device in the previous year. Approximately one in five boards (21%) reported that, during the previous year, someone had stolen a director’s personal information and subsequently used that ID to access sensitive information.
Inadvertent data leakage can also take other forms. Forrester found that two-thirds of North American boards are functioning without board portal software. While 48% of boards in Europe have such software, and the rate climbs to 54% of boards in Asia Pacific, a mere 32% of North American boards currently invest in board portal software.
If your directors and management team access agenda packages in PDF format without benefit of a board portal, are you transmitting the packages through secure channels? Or are you sending them off into cyberspace via insecure personal email addresses? Data leakage can also occur through the loss of hard copy board materials, and 23% of the boards reported that paper assets had been lost or misplaced in the previous year.
These risks present an opportunity for you to positively impact governance practices at your organization. How, though, do you encourage adoption of secure communications practices? You may find the identification of risks associated with current email practices a good starting point for this important conversation. Remember that, while not necessarily aware of their contributions to security issues, a full 87% of surveyed boards expressed some degree of concern about the security of their data-sharing and communications practise.
How to Improve Boardroom Secure Communication Practices
It may also help to know that, as governance becomes more complex, directors are already looking to technology for solutions. An executive summary of the Forrester report can serve as a starting point for discussion of how Enterprise Governance Management (EGM) practices can address security gaps. EGM is the application of technical tools and resources to address governance needs in a secure environment.
Forrester found that boards ranked the possibility of an information/data breach as one of the five most critical components to achieving successful Enterprise Governance Management (EGM). Each of the regions surveyed for the study identified misplaced devices as their top security challenge. You, your management team and directors need to know that, if hacked, your personal email accounts can place individuals and the board at risk. Your board needs to know whether your organization can remotely wipe data and email messages from hardware that’s gone AWOL. If that’s not currently the case, and members want to continue accessing board materials from mobile devices, the board can resolve the challenge by investing in a software solution that does have the capacity to wipe data.
How you approach the conversations on secure communications with your chair and other leaders will be reliant on your insights on how your board functions. Is it generally open or resistant to change? Who among the board and management might be your early adopters? Are any internal controls already in place to support secure employee or board communications practices? Try to identify concerns that may be raised by some on the board, and how to alleviate these concerns. Are your directors (and colleagues) generally tech savvy, or might some require additional help with the transition? How might moving to Enterprise Governance Management (EGM) impact your recruitment and onboarding practices?
You’ll also want to consider financial and other resource implications should the board proceed with adopting secure communications practices. What are the potential financial implications of proceeding? What are the financial, compliance and reputational risks associated with not proceeding? How would you categorize your board’s risk tolerance? Does the board have other priorities that are more pressing, or might adoption of secure communication practices represent “low-hanging fruit” that would benefit the board and the organization?
As you contemplate next steps, reach out to your networks of trusted peers. Have any of their boards taken steps to use secure communications practices, or incorporated EGM? What did they learn from the process? What would they do differently? You can support more effective deliberations if you’re able to present your board with options and possible approaches that are informed by other boards’ experiences.
A brief that identifies issues and recommendations, as well as financial and other implications, may be among your early deliverables. If your board evaluation process is imminent, the board may want to include assessments of its communications practices and risks. Evaluation results can inform board goal-setting, which may, in turn, provide an impetus for adopting change. What if you’re months away from the next board evaluation cycle? It may be wise to assess the degree of risk posed by your board’s current communication practices, and determine whether one of the board’s committees should be tasked with reviewing communications practices and developing recommendations on incorporating EGM.