Data security and board portals

Wednesday | 6 November 2013

Security is the number one reason why an organisation switches from physical board meeting packs to using a digital board portal solution. However, security is also often cited as the major concern for organisations which decide not to make that switch. Phillip Baldwin, Head of ICSA Boardrooms Apps (HK) Ltd, explores this apparent paradox and lays a few ghosts to rest.

When it comes to security, you need to analyse potential threats logically and methodically, weighing the likelihood of a threat happening with the potential effect if it happens, the cost to mitigate it and the inconvenience of securing your information. If your company uses an internet-based email system, every email is just like a post card – easily read by every postman through whose hands it passes. You can improve the security of your email correspondence by embracing encryption systems and by password protecting the files you send. However, this relies on the people to whom you are sending the information having the passwords and decryption systems in place, and on their willingness and ability to use them. If the system you set up is not easy to use, you will find that people will stop using it in favour of an easier method. Any encryption system needs to be transparent to the users and should not reduce their convenience in any way. Most corporations have security protocols in place, but it is far too easy to make a mistake with emails. For example, attachments can have unseen fields. In one example a helpful HR person at a company sent an employee telephone extension list to all employees. But the spreadsheet had hidden columns that were easily unhidden to reveal everyone's pay, bonuses and stock options – including senior management's (www.techhive.com).

Having everything encrypted helps, as do passwords. But does the CEO have a post-it note with his password in his top drawer? Does his secretary print all his emails out for him to read? If you email board papers to directors/ senior managers on the road, where do they print them out – the hotel business centre? The risk to passwords is not just in the places you know, often it's in the places you don't. How many of us have used the same password for our online supermarket account as the one used to protect highly sensitive documents? If that password gets hacked on anyone's system, it could be used to access your corporate data without you knowing.

Password reset options are often an easy way to access a person's account. All you have to do is launch an app and tap the 'forgot your password' tab, and have it send an email to you. And where is the first place that the email is sent? The device you are currently holding. Quickly reset the password and you are into that 'secure' app. Digital security is often forefront in people's minds, but the latest attacks are often 'social hacks’, using personal but often publicly available information, such as when you forget your password and it asks 'what's your pet's name?' Pieces of personal information that are casually discarded can be used to piece together or retrieve that 30-character random password that you thought was secure. However, sometimes quite likely, internal threats may be more damaging than super hackers on the other side of the world targeting you. Are you sure nobody can walk off with one of your backup tapes? I once spent a couple of hours in a board meeting discussing the virtues of a proposed new IT system. The directors asked all sorts of valid questions about data security. Not one asked about physical security and the reality was that the server was protected by a door with a simple push lock system that was open most of the time! It would have been a very simple task for someone to walk in and pick up the server.

Tips on data security

Here are some things to think about for data security – especially when considering a board portal/ paperless meeting solution.

It's about balance

Security and usability are closely tied and it is important to find a system that provides the balance required. If there are too many restrictions, users are bound to abandon it altogether. Yes, you can add password protection to documents, but if each document has a password, users are bound to use the same password over and over, or their passwords will be written down on sticky notes which bypass any and all security. Security works best when it's easy for administrators, flexible and secure for IT, and transparent for users.

It's about trust in people

Board papers would historically be printed, compiled, checked, and double checked. In an age of instant delivery, it's all too easy to click the wrong button and instantly deliver the wrong content to the wrong people at the wrong time, unless controls are put in place to limit this risk. Similarly, controls must be put in place to limit the ability to further distribute or copy sensitive information outside of the secure environment, without being too restrictive in making the solution unusable, or not fit for purpose.

It's about trust in security

When delivering the security of your papers, who can you trust more than your own organisation? Emailed documents will invariably be passing through one (or in some cases many) email servers. People outside the trusted environment may be able to access that content without your knowledge. Let us assume you find someone who says they can protect your documents – can you trust them? How open are they regarding security, how up-to-date are they with the latest protection methods and how closely do they guard your security? You can gain additional peace of mind by ensuring the third party provider is audited externally, either by yourself or a professional company.

Audit logs can provide some peace of mind, but it's often a case of too little too late. If your data has been compromised, extracted, forwarded, the fact you know who was logged in is little comfort when that sensitive data has already been sold.

Content security is important. It doesn't matter if you've used a titanium padlock on the front door if a backup key is stored under the door mat. In the same way, how the key used to unlock the content is created and stored is just as important as how the content is locked.

It's about limiting risk

One way to limit risk is to limit the places content is stored, or how and when it is accessed. When distributing content either digitally or physically, can you be certain where it goes? Does it get copied or forwarded? Content management controls can limit which devices get the content, and at what time and for how long. So make sure your board portal/ paperless meeting solution has these controls in place. It is also important to have control over the receiving device. Is it secure? Is the connection secure? How strong is the security? Each link in the chain is a potential weakness, something for an attacker to use to gain access to your data. This can take the form of human error or digital security, both of which can have risk limited if managed well. Your users should be able to access the content when they want, where they want and that means risk. When they are in a coffee shop or a hotel lobby is the WiFi compromised? Could the device be stolen or just left unlocked while they grab a latte? Could the device become compromised in some other manner, for example if someone accesses the device long enough to install a key logger without the user knowing?

It's about control

Once you can be certain that the information is stored securely, and that each link in the chain is secure, you need to be sure that content is delivered to the right people, at the right place, at the right time. All too often someone may hit 'reply all’, or copy to the wrong 'Mike'. Email systems have little or no control over what content is sent where and when, and no way to recall it either. When delivering printed papers, it's important to have the user's latest address, or it could fall into the wrong hands (and even then, it is not uncommon for couriers to deliver the wrong papers to the wrong address). With digital devices, even if you could secure the device, what is to stop them using a personal device, one that's not secured or could have been compromised? Make sure your paperless solutions provider has these issues covered. The administrator should be able to control which devices can receive what information and when, plus whether or not this information can be sent on and/ or printed out. By tying the user and information to the device, the risk of leakage is minimised.

What happens when someone leaves the company, or loses their device? With gigabytes of storage, today's devices can carry a lifetime of sensitive information in a neat little package. You could send a command to remotely wipe the contents but this assumes the WiFi is working and/ or the SIM card has not been taken out and that the device is kept above-ground and/ or not placed in a Faraday bag. It is imperative that security and control over content is maintained whether the device is online or not.

Balancing security and usability

When choosing a board portal/ paperless meeting solution, do your homework on security as well as usability. In all likelihood, the board portal you choose will be more secure than your current paper-based solution and certainly any solution involving email or a drop box type set up. But you also need to invest in education and training. Moving from paper to using a tablet device such as an iPad or surface tablet can be quite daunting for directors, but with the proper training and planning the change will be for the better. Your company's papers will be more secure, more easily kept up-to- date and conveniently delivered. There are a whole host of useful applications within the leading paperless meeting solutions that will make the life of a director much easier and, after a short training session, they will be sold on the new system. Equally, the life of the company secretary will improve dramatically when using a board portal. It will mean less paper and less time spent putting the board pack together, as well as an enhanced ability to control information and its distribution.

Phillip Baldwin Head of ICSA Boardrooms Apps (HK) Ltd Acknowledgements: Richard Carrey, CEO, Technology Support Ltd (www.tecsupp.com) Jamie Kenyon, Product Manager, BoardPad, ICSA Boardroom Apps Ltd (www.boardpad.com)

SIDEBAR: The do's and don’ts of data security

The do's

Always update your software. Updates fix security flaws and issues, or combat new attacks. Secure your device. Many people don't even bother to use password protection for their devices. Disable emailing and printing for secure content. If it's outside of the secure environment, it's out of your control. Control the data, where you can. When administrators are uploading papers, they may be receiving it from a variety of sources. These can be restricted to the office network for uploading, before being distributed securely to the right place at the right time to the right person, anywhere in the world.

The don’ts

Don’t access data in an insecure area or over an insecure connection. Avoid WiFi public hotspots such as coffee shops, or places where someone can easily see or record you typing in your password, or look over your shoulder to see your content. Don’t write down your password. Similarly you should regularly change your password, avoid using easy-to-guess passwords and avoid using the same password everywhere. Don’t install malware. Of course, this is often done unintentionally, but observing basic security protocols when downloading software can help mitigate this risk. Don’t be overly cautious with security. You need to give users enough access and flexibility. Locking down security too much can make things worse.