it cyber security

Technology experts and board members agree that boards need three things from software: functionality, hassle-free use and security.

The board IT toolkit has to include email, file sharing, document organisation and note-taking capabilities via iPad and phone apps, as well as a website. Organisations need to be able to schedule board meetings, to assemble, update and archive board documents, to record votes and take minutes — and to see precisely when documents were viewed and by which director.

But time-poor directors have little time to learn a suite of disparate software tools. So in recent years, a new class of tool known as the board portal has appeared, offering the entire board toolkit in one place.

Portals also seek to answer the perennial challenge of board technology — security. Directors are among the world’s most tempting targets for cyber-intruders looking for secrets to sell or money to extract.

Three good habits

Security experts have long pointed to these basic rules to help improve security:

  1. Corporate mail Directors’ webmail services are generally more vulnerable than corporate email systems. Fortescue’s Mark Wallace notes that IT administrators can monitor all traffic, assess risks, and block suspicious activity.
  2. Tim Ebbeck believes companies should mandate that directors use company-provided accounts for security’s sake. “I was speaking to a director of one of the big banks and they’ve been through a huge amount of training on cybersecurity — but they still use their personal email,” Ebbeck says.

  3. Password management A password manager (sometimes called a password vault) makes it easy for people to use long, hard-to-guess passwords, change them, and spot fake websites often used in so-called whaling attacks. Alternatives include LastPass, 1Password, DashLane and KeePass.
  4. Use two-factor authentication “Two-factor authentication”, or 2FA, adds security, no matter what account directors use. It brings in a second factor of authentication, such as a code sent to your phone.

Benefits of a board portal

Portal vendors take the approach that if a company can control its board’s entire system, it can ease director’s tasks while lowering the chances of a security breach. A centrally controlled board portal allows documents to be removed and passwords reset if there’s concern the system may have been compromised.

The best-known portals can cost a five-figure sum each year. Nasdaq’s Boardvantage has been used by ANZ, UPS, LinkedIn and Hyatt. Diligent is reportedly used by British Gas, Heineken and BUPA, and “63 per cent of the ASX 100”, says its vendor.

Economist and company director Geoff Swier is on three boards, all using Diligent. Swier says in his experience the portal makes board documents easier to find, though they still need good organising. He also likes its ability to update documents in the background.

Tim Ebbeck MAICD, former head of both SAP and Oracle in Australia and New Zealand, expects Diligent and other portal tools to become more capable and user-friendly over time, with better annotation and navigation of board papers. For instance, portals often provide secure messaging between directors, SMS-style. The security of these messaging systems can be uncertain, and some security experts and users prefer dedicated secure encrypted messaging apps such as Signal.

But individual directors who have portal access may not always use a separate messaging app, as it is yet another new program to learn.

The security squeeze

A 2018 report by IT research group Forrester Consultants found that: “board portal adoption is high, but usage is limited”. It states that many directors globally remain tied to more familiar tech — notably, their personal email and PDF files. In a 411-strong global group of governance professionals, more than half of sensitive internal board communications happened via directors’ personal email accounts. It also found that little more than a third of boards had highly secure communications between board members.

This matters because directors are a target for cyber attacks and other breaches. Michael Khoury MAICD, forensic IT partner at Ferrier Hodgson, says individuals involved in governance are a popular target.

Ebbeck emphasises the role of carelessness in cybersecurity breaches. “Most people either have simple passwords or are sharing their email account with someone else who might look after their diary for them,” he says. “It’s very basic stuff.”

The disincentive

So why doesn’t senior management enforce tougher cybersecurity rules for directors? Khoury and others acknowledge one reason is that people in senior management like to keep their board members comfortable and undisturbed.

As cybersecurity expert Bruce Schneier has noted, IT security frequently requires users to deal with hard-to-use technology and follow strict rules. Directors are often keen technology users but don’t like to be inhibited by corporate guidelines, says Mark Wallace, head of cybersecurity for Fortescue Metals Group and co-author of the AICD’s cybersecurity course.

All this creates a powerful incentive for company secretaries, chief information officers and CEOs not to bother directors with tough new security measures or ask them to learn technologies that require training. No-one wants to tell the deputy chair he or she can’t send emails on the Yahoo account they’ve used since 1998.

At its best, portal software is functional, easy to use and gives board members a high level of protection against threats. Wallace sees it as the best way to support directors in performing their roles, while providing the security their organisations need.

Some companies mentioned in this feature have advertised in Company Director, but have had no involvement in or influence on actual editorial content.