In my line of work, I have the pleasure of talking to boards of directors and C-Level executives all over the country. I’m often impressed with their commitment to their enterprises, their keen intelligence, their professionalism and their drive. But I’m frequently stunned to see organizations without a process and control environment for protecting their intellectual property online. Of particular interest, board communications are among the most vulnerable.
Too many organizations treat emails, stored internal document files and social media communications as operational exceptions to otherwise tight cybersecurity framework rules. In fact, Thomson Reuters Accelus pointed out in its annual Board Governance Survey that more than 75 percent of organizations “utilize unsecure, personal email accounts to distribute board documents.” And barely half ensure these communications are encrypted. In this day and age, I call that a “wow!”
Board books, in particular, are almost 70 percent bigger than they were just a couple of years ago, according to some estimates, and more than half of companies produce them digitally. We all realize the importance of saving trees and “going green” but, having said that, we also know that confidential information is included in these books. Interestingly, the number of companies that distribute them electronically has dropped of late.
Things are changing for the better. Thomson Reuters Accelus also reported that 52 percent of organizations use board-only portals to share sensitive board information. Another encouraging trend: More organizations are providing their boards with secure mobile devices for board communications.
I call that good news because protecting sensitive information is getting harder every day. We pointed out in an issue of our Board Perspectives: Risk Oversight newsletter that despite the U.S. Securities and Exchange Commission requirements to disclose cyberattacks, reported attacks are just the tip of a vast iceberg. And cybercriminals are using ever more sophisticated means to gain control of online information. Simply stated, they are playing for keeps. We know that because Protiviti helps companies all over the world assess and manage these growing threats.
For boards of directors, as well as any other level of the organization seeking to secure its data and communications, an approach toward security that focuses on information governance is critical. This fosters cross-organizational collaboration and structured policymaking. That kind of team approach is vital to managing the risk of cyberattacks on board documents; it seems perfectly tailored to the less-than-structured and flexible approach so many companies now take to their board communications.
Protiviti employs a number of content management measures, including document locking on our online intellectual property. Others have been known to go so far as to embed user verification codes that cause documents to electronically “shred” themselves if opened by an unauthorized user. Some swear by this kind of digital rights management. Others have found it cumbersome to the extreme. This is challenging in the board environment, as directors and executive teams like to keep things simple.
What do you do to protect your board communications and intellectual property and sensitive information online? Share your thoughts in the comments below.