Securing Board Papers: Mission Impossible?

Forrester says more than 50% of company directors use personal email for board communications and don’t use collaboration tools because they’re too slow. Are you or your directors among them? I dig into the options and the huge, hidden risk of a poor choice.

Boards’ Risky Business

The actual quote from Forrester’s October 2018 survey Directors’ Digital Divide is this: ‘Over half of sensitive internal board communiqués happen over personal email.’ The number quoted is 56 per cent. That’s of company directors who admitted to the practice; the real number could be much higher.

This is surprising, considering that company directors are governance professionals who are supposed to be concerned about data breaches, compliance violations and the exposure of highly sensitive board papers. Is it carelessness – or do many directors want to avoid using their corporate collaboration systems?

The Forrester survey provides this explanation: ‘Boards tell us their current board management software acted either as a hindrance or provided no help at all’ when responding to a crisis. The reason given was that secure communications between board members took too long, at a time when speed was critical.

Paper Inefficiencies

Another surprise is that one in two companies still uses paper to produce board packs, according to a recent UK survey run by eshare. CEO Alister Esam said: ‘Paper board packs can be easily lost, are inefficient and do not make for transparency and good governance at board level.’

Board packs in paper form also make collaboration difficult, especially before and after meetings when directors aren’t in the same room. The paper format is also less suited to legal or regulatory discovery in the event of a crisis and severely compromises the speed and accuracy of a company’s response.  Electronic collaboration software should be making these paper-based practices obsolete – so why isn’t it?

Another Time?

Clearly, electronic file sharing and collaboration is a blessing for board and committee members, but truly secure collaboration solutions are rare. That’s because most platforms and portals started out with limited security. That was some time ago, before massive data breaches became weekly events and security moved up the agenda. As with many a software system, adding security later comes close to Mission Impossible.

With hackers finding new ways every day to crack so-called ‘secure’ portals and seize highly confidential data, collaboration software must have the most robust security provisions, not the minimum. So, how can you check if your collaboration platform is truly secure – or just empty vendor claims?

Oils ain’t Oils

One factor is encryption. You might assume that all encryption is the same – you either have it or you don’t – but that’s not the case. Encryption algorithms vary widely in strength so you’ll need to do your homework. In any case, if your adversary is a nation-state, it will use far more sophisticated ways than brute force to find the key.

Even if the enemy isn’t a nation-state, single encryption still won’t do the job. As Trend Micro’s Bharat Mistry explains: ‘If a hacker has the right level of time and resources, it’s difficult to say that any encryption is completely immune.’ That’s why multiple encryption has become the standard in high-security environments like the military and intelligence communities.

Just Add Security?

It’s comforting to imagine that robust security can be bolted on later, but it’s not like attaching a bull bar to a Land Rover. Security has to be built into the design of the collaboration platform or portal from the very start. For the most robust security, a purpose-built collaboration platform should adhere to the same security principles applied by military and intelligence communities and cybersecurity experts:

  1. The Military Principle of Multiple Layered Servers which means deploying multiple levels of document encryption and infrastructure protection. This avoids single-point vulnerabilities that are easily exploited by hackers.
  2. The Intelligence Community Principle of Compartmentation which means using multiple levels of compartments with access control by compartment or level. This assures access on a ‘need to know’ basis so that no individual, regardless of title or seniority, are granted access to information they don’t ‘need to know’ for their roles.
  3. The Principle of Least Privilege (POLP) which means granting only those privileges necessary for the performance of an individual’s job. This principle is well established in IT security and ignoring it has some infamous examples: Edward Snowden’s highest level task was creating database backups, yet he had virtually unlimited access to classified information. According to Digital Guardian, the NSA is now using the Principle of Least Privilege to limit access permissions of its employees.

To retro-fit these controls onto an existing collaboration software just isn’t possible. These three critical principles need to guide the design of the software from the very first idea. Another consideration is the ease of use: if security is bolted-on rather than built-it, it can add complexity for the user, making risky workarounds like using personal email accounts more attractive. Also, adding security later can open rather than close security gaps, if third party software is required to complete the job.

Data Security in the Cloud

Collaboration portals that are cloud-based have become popular for good reasons: they’re easy and cost-effective to deploy and manage. Yet, when you entrust sensitive information such as board papers to a cloud-based service, you need to consider where the data is held and whose jurisdiction covers its protection.

For instance, overseas vendors of cloud collaboration solutions will likely hold your data outside Australia where foreign jurisdictions apply. In addition, some cloud service providers have other obligations: the US Patriot Act which could force them to share your board papers with US agencies. Not a comforting thought?

Buy Local?

If having access to your data and backups is important, especially in the case of litigation or regulatory compliance, local hosting in Australia might be attractive. Knowing that you’re operating under Australian law might be, too. A prudent choice might be to choose a collaboration portal hosted in Australia. Knowing that your data is hosted in a secure facility certified up to PROTECTED by the Australian Signals Directorate might be comforting too, especially if it’s manned 24/7, 365 days a year.

Dealing with an Australian service provider with Australian staff has other spinoffs too: avoiding time differences and delays when you need technical support, and communication issues with personnel whose first language may not be English. You can also build a relationship with the vendor and provide input for future product enhancements. That’s a real benefit.

Mobile Vulnerability

‘Nearly 30% of board members reported losing/misplacing a phone, tablet, or computer in the past year. Another 23% reported losing/misplacing paper assets, making the loss of devices and papers the most common security breach’ according to the Forrester 2018 survey.

Data security on mobile devices could be a big issue, if your board members use smart phones or tablets to collaborate on sensitive board or committee papers. Consider these:

  • The encryption key is usually stored on the device
  • Remote wiping does not work when mobile and WiFi access is disabled, and
  • The device cache retains parts of recently viewed content.

Mobile devices are also accident-prone; they’re often left, lost or stolen in large numbers. 200,000 mobiles a year are left in London taxis alone. No wonder, mobile security has become a major new surface of exposure.  That makes double encryption of each file – a necessity not a ‘nice to do’.

How about no browsing?

A prudent alternative to vulnerable browsing is to use a double-encrypted tunnel for file transfer, so your sensitive board papers can be securely accessed and saved on mobile devices and worked on, then or later.

The secure saving is assured by encrypting each file with a unique key and then encrypting it again with device-level encryption. The most secure collaboration platforms for mobile devices will also destroy the data path and file vault, if access attempts fail. This means, if a mobile device is mislaid, stolen or hacked, it will be effectively ‘uncrackable’ and your sensitive data will be protected.

And no keys?

The way to avoid the risk of stored keys is not to store them on mobile devices. In fact, the most advanced secure collaboration platforms keep no component of the access key on the device or anywhere. They derive the user authentication and master encryption keys from a user-entered vault key so, even of a board member leaves a tablet in a taxi, it will be fully protected and your board papers secure.

And easy to use?

If security gets in the way of accessing sensitive material which is needed ‘right now’, it becomes a barrier to user acceptance and an invitation to use riskier alternatives.

It is possible to have security with ease of use; some of the most advanced collaboration solutions use sophisticated security which is invisible to the user. With the option of facial or fingerprint biometrics, these systems can make the user experience even simpler than using basic usernames and passwords.

So, how secure are your board papers?

If you’re not sure, contact us to discuss purpose-built Secure Collaboration that uses the highest levels of security at all points, including patented protection for mobile devices.