Would you be comfortable sending off your personal tax info via email?
The private and sensitive information contained in our tax documents is the essence of an identity thief’s dreams: names, addresses, banking information and so on. It’s the most sensitive packet of information most of us send out every year. When you’re about to hand that off, you probably have security top of mind. But are you as careful when relaying board information? Many aren’t. But we all should be.
First, why get serious about board information security?
According to a Harvard Law article on Maintaining Board Confidentiality, directors’ legal obligations to protect confidentiality include safeguarding the following types of information:
Material, non-public information, the disclosure of which is regulated by federal securities laws and by company-wide policies and procedures.
Sensitive boardroom discussions that have both personal and business elements and implications.
Confidential, non-public corporate information including: proprietary information that is of competitive, commercial value to the company; inside information about the company’s finances, operations, and strategy; and sensitive information regarding board proceedings and deliberations.
News coverage about leaks shows how information getting out can compromise a company’s competitive advantage, reputation and commercial success – even if the information accidentally released is recovered.
The Digital Alternatives
So how can you operate a board with the modern expectation of instant, convenient information access and protect your sensitive documents shared over the Internet? You have some choices to make the exchange more secure. Here are a few things to keep in mind:
Email – not a secure method for sharing sensitive documents.
It may seem private, but even if you’re using an email account that sends attachments over a more secure HTTPS connection, like your corporate email system or Gmail, you have no control over your recipient’s server, and they may download your attachment over an unencrypted HTTP connection. Now say they do that from a public Wi-Fi network. Things just got very insecure.
File sharing services – be aware of the risks and complexity.
A lot of file-sharing services offer some sort of encrypted transmission for file sharing. One of those is Dropbox. Say you and your tech-savvy directors (if you eye-rolled at that, this method is not a good option) set up a shared Dropbox folder. Anything you put in that folder would travel encrypted from your Dropbox folder to Dropbox’s servers, then to your director’s Dropbox folder (which is typically stored unencrypted on their devices). Beware that using a service like Dropbox means your board is trusting its sensitive files to their servers and their security, with millions of other organizations’ enticing information next to yours. Beyond security, learn more about the tradeoffs of using Dropbox.
Homegrown file sharing systems – ask how you are protected.
If your organization is large enough to have an IT department, they may have set up an application for you to share encrypted files with your board (e.g. SharePoint). It’s hard to argue against the economy or control of in-house systems, but here are some questions you might want to ask to ensure your system complies with your board’s confidentiality obligations: Are files encrypted at the recipient’s end, or do you run the same risks as the email scenario mentioned above? Where is the data stored – and how are your servers protected from invasion or disaster? (For example, are they at a Q9 data center or in your semi-secure office?) What are the usage stats for your in-house system? Do your directors use it and find it convenient?
Board portals – consider the security and easy-to-use board features.
The thing about security is that it has to be balanced with human behavior. Many directors are not tech whizzes and if you make communication complicated, they may disengage and the decision quality at the board goes down. Board portals are designed to provide advanced encrypted information-sharing protection (at both the sender and the receiver ends), highly secure data servers, along with the convenience of a one-stop location for agendas, calendars, and contacts in an easy-to-use system engineered for directors to use frequently.
Sounds a little doomsday, and intimidating to execute, doesn’t it?
Even with a rigorous board policy of confidentiality obligating us to protect information, investing in security can feel like buying trip cancellation insurance – mostly things don’t seem to go wrong, so why not stick with the status quo? But corporate information leaks and hacks are increasing in frequency.
Before staying at risk, talk with a peer who’s had an information leak and ask what they wish they’d done for security. Share with your board the risks of your current security infrastructure and make sure they feel protected and comfortable with compliance. Also talk with board administrators and directors using a portal and find out the benefits – security and beyond. (Ask us; we’re glad to connect you with users of our board portal.)
Consider a convenient option to enhance security
It’s good to know the options. Why not look at the board portal options out there? Aprio Boardroom is one highly trusted and affordable option.
We’ll get you started – 10-step Board Portal Assessment Guide