Imagine a boardroom a generation ago.  Smoke fills the air and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterwards the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.
So what happens today where technology is so prevalent? In a recent August-September 2011 study, Thomson Reuters conducted a survey of general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members. The survey, titled "Better board governance: Communication, security and technology in a global landscape of change", looked at a global cross section of companies from a variety of industries. These companies ranged in size from under $500 million to over $10 billion. The results indicated a lack of secure procedures for corporate board information management.
Board Communication and Security
In today's world of technology, board members can be distributed across the globe and meetings are sometimes virtual. Surprisingly though, a majority of companies, 61%, still use paper and courier to transmit information to board members. Another 49% transmit documents through email. Unless encryption is used, email is generally not a secure method for transmitting confidential documents. Only 10% of companies use specific email accounts set up for board members to deliver information. Instead, a whopping 65% said they never use the corporate email network. In these situations the email is usually sent to a private email account, where the organization defines no security rules and therefore cannot control how the information is protected.
A scant 21% of companies surveyed use a secure portal for transmitting board documents. This method is the most secure of the three, but sadly it is used by the smallest percentage. Secure portals use an encrypted channel to transmit information, so data is protected against eavesdropping in transit. Additionally, in secure portals Digital Rights Management (DRM) settings can be applied to information so that it does not leave the portal, and access to information within the system can be audited.
Document Retention
With 61% of companies using paper to distribute documents, the next logical question is whether a policy is in place for the destruction of such documents after they have been used. The survey found that 63% of companies require their members to destroy copies of board-related documents. However, only 30% of all companies surveyed believed that the board members actually did delete, shred, or destroy them. Also, 60% suspected that at least one board member retains documents on a personal device, whether a computer, smart phone, or tablet. Not only is this a risk for data disclosure, it also creates additional effort for eDiscovery, since the personal devices of board members could contain information related to litigation.
Board Scrutiny
On a more positive note, 64% of companies surveyed are experiencing more scrutiny of their board practices than last year. This increase falls in line with stricter governing guidelines and regulations. The Thomson Reuters report showed that the most difficult challenges in relation to board governance are regulatory flux, global boards, effective controls, and time. The governance breakdown shows that 44% attempt to adhere to local governance norms and another 39% adhere to global governance norms. A small percentage, 17%, is trying to go beyond minimal governance requirements.
Summary
Security is important for the protection of vital information within companies. As such, companies do a lot to protect themselves and their information. However, serious security deficiencies are seen in the processes surrounding information given to corporate boards.
Many corporations are still using unencrypted or personal email accounts, or snail mail, to send confidential board documents, and policies for document destruction are routinely not followed, potentially allowing information to be lost or stolen. Board members operate mostly outside of the organization, but when handling corporate information they should treat it the same way organizational employees do, such as by observing corporate data retention and destruction policies. If you are concerned about information leakage from board members, consider training on secure information handling procedures and create a method, such as a secure portal, for distributing information to the board.
For more information
Many Corporate Boards Are Pretty Much Waiting to Get Hacked
Better board governance: Communication, security and technology in a global landscape of change
It’s amazing how security can be so lax with the decision makers while security controls are enforced for those doing the work.
I agree. Great article.
Cyber security needs to be one of the bullet points on our next president's agenda sheet.
Security is important no matter what level you are at.
They are responsible for it in the end too.
I’m surprised at all the diverse content you post here. Thanks for another great information security blog.
There needs to be training for board members and C-level executives so that they can understand good security practices. Often these individuals are “above the law” in organizations.
They surely need it. Most boards don't know how to create a strong password, let alone more complex security techniques.
Kudos on a great article. Thanks Eric.
This is a message to the admin. Your security thinking cap blog is a great site and I really enjoyed reading your Security focus at the corporate board level article.