Ask the Expert February 2013
Q: My board is concerned about data privacy and security – will an online platform increase or decrease these risks?
A: One argument often wheeled out against the transition to a board portal is that security will be compromised.
The idea, however, that asking directors to carry around cumbersome printed documents is somehow more secure than carrying around a password-protected tablet with encrypted data simply does not stand up to scrutiny. Most readers of this journal will certainly have encountered the situation where sensitive printed board papers have been left in a taxi cab, an airline lounge or in the seat-back pocket of an aircraft. Some may even have the uncomfortable memory of such papers having been left by company secretarial staff in the output tray of a fax machine exposed to the prying eyes of anyone passing by.
That said, board portal security is a discipline which requires constant vigilance, a strong commitment to process and deep technical expertise. Our viewpoint is that the range of threats to confidential online communication is broad and that a good portal should protect against all of them. We also believe that the environment is rapidly evolving, which necessitates a commensurately evolving architecture. This evolution needs to happen at the structural level. ‘Bolt-on’ security is counterproductive and should be avoided. We categorise platform threats in four classes: external hacks, internal breaches, discoverability and human error.
External threats include industrial espionage, social engineering, and intrusion by non-state actors in various forms. A good portal needs to deploy proven techniques such as full-strength encryption, multi-factor authentication, certificates, perimeter defence and secure site hosting to address them.
The second class of threats emanates from the inside. Internal breaches may come from disgruntled employees or others. While it’s true that much of the information that is communicated internally is not confidential, the unique sensitivity of board content dramatically raises the requirement for protection, whether protecting against threats from the outside or from the inside.
For a typical director, discoverability is the number one concern relative to electronic board communications. We deploy two strategies to address this threat: non-proliferation of content so that only a single copy of any document exists, and central administrative control. These two responses permit the company secretary or general counsel to enforce the organisation’s retention policy independently of the actions of the users.
The fourth threat is inadvertent – human error. As we all know, email and other common forms of digital communication are prone to over-sharing. But that approach backfires in board communication. Whether through segregation of content, granularity of permissions or hard restrictions on content distribution, the system is hardened so that common mistakes are no longer a concern.
While platform security sufficed in a ‘pre-tablet’ world, the model has to be expanded to account for the risks introduced by the mobility of tablet devices. Fundamentally, tablet use requires the extension of the board portal’s security umbrella to the device itself.
Erin Ruck, BoardVantage
tel. +852 2293 2698