With each passing month bringing new high-profile hacking cases, it might be no surprise to hear that boards and their directors are taking a long, hard look at how they keep their board and management information secure.
In June 2023, a vulnerability in a piece of software used by nearly half of FTSE 100 companies — from British Airways through to Boots and the BBC — led to tens of thousands of employees having their personal data compromised. A few weeks later, Calpers, the biggest public pension plan in the US, was hacked too — leaking data on 770,000 of its members. Then, in August of that year, the UK electoral register was hit, this time affecting an estimated 40 million individuals. The list goes on, and the numbers keep getting bigger.
All in all, at least a fifth of British organisations have had data stolen in the past year, according to cybersecurity firm Sophos. And the people sitting at the boardroom table have been taking notice: general counsels now list cyber security risks as one of their top concerns, and mitigation measures have gone from a page in the IT team’s annual report to a key item on most boards’ agenda.
“If you look at any survey of general counsel (or, indeed, you ask one), cyber security will always be one of the issues that keeps them awake at night.”
~ Lawson Caisley, Chair of the cyber risk committee, White & Case, via the FT
But are these board members, in turn, taking steps to protect the highly confidential information they’re given? Far from always.
According to a survey we conducted with the Corporate Governance Institute, boards are split into two roughly even groups: those that use a board portal (43%) and those that don’t (57%). And the difference between the two is telling: amongst directors using a portal, four out of five (83%) are satisfied that their board information is safe; meanwhile, for those without a portal, only two out of five are (41%).
For more details on what a board portal is and can do, check our complete guide to board portals.
So, what are board portals doing to generate such peace of mind amongst their users? Beyond the convenience and time gains, they bring two main security benefits:
When it comes to secure collaboration online, less is more. A board portal cuts down on the number of tools used to brief authors, collate reports, distribute packs, and approve board resolutions by replacing instant messaging apps, email, file-sharing or e-signature tools, and more.
Having all these different parts happen in one place not only makes the board reporting process more efficient and easier to use for everyone involved, but also reduces the number of potential entry points for attackers. Fewer tools equals fewer updates for your IT team to be aware of, deploy, and monitor, which in turn means fewer vulnerabilities for hackers to exploit.
Speaking of monitoring, portals give greater control over who can see what, when, and what they can do. An email with a board paper attached to it cannot be managed or overseen once it’s been sent — there’s no telling who’s read it or forwarded it on to whom, and there’s no recalling it. Whereas a board portal makes it possible to limit who has access to information (down to an individual board paper in an individual board pack), change things after publishing (e.g. remove users and wipe the data downloaded onto their devices), fix any mistake that slips through (e.g. delete a paper that shouldn’t be there), and get an audit log of who did what and at what time.
Control access down to an individual item.
Importantly, using a single platform doesn’t mean trusting a single line of defence. A good board portal will offer multiple, redundant protections against cyberattacks, from Two-Factor Authentication through to encryption, granular permissions, and audit logs (more on these below).
A unified solution protects against phishing attempts, too, because anything board-related coming from outside the portal can safely be considered malicious by default. For example, rather than wonder whether the Zoom link they’ve just received by email is genuine, directors can simply use the meeting link shared through their board portal and rest assured that it’s safe.
Integrate remote meeting links.
Each action performed manually leaves room for human error, with every email and message running the risk of attaching the wrong file or CC-ing the wrong person. And even a minuscule chance of getting it wrong becomes statistically likely when compounded over the dozens of messages going back and forth for each paper, the dozens of papers going back and forth for each pack, and the dozen packs going back and forth each year.
By automating each stage of the reporting process and keeping everything in a secure space with clear restrictions on who can access what, board portals protect against slip-ups — whether when asking the chair for what should be on the agenda, sending briefs to report authors, responding to demands for clarification, receiving the latest update to a paper, or sending directors the final version of the pack.
Automate your process from briefing to distribution.
One golden rule of cybersecurity: make it easy for users to do the right thing. So, rather than constantly relying on training and reminders to keep board papers secure, look for features that will help create a safe environment by default — even for the less tech-savvy users. For example:
Secure access with Two-Factor Authentication.
So, if you’re looking for a board portal to increase the security of your board information, where do you begin?
As with every other piece of software, a good place to start is simply to ask for credentials. Not all certifications are equal, so know the key ones that guarantee that the software provider follows a set of best practices — such as ISO 27001 and Cyber Essentials Plus. And make sure to check that these apply to their business and the services they provide you, not just to the data centre provider they use.
These certifications aren’t the be-all and end-all of security. But their absence is a sign the provider hasn’t been properly audited or isn’t focused enough on security to go through the process — so it’s an effective way to curate your shortlist.
Publicly available information can also be a useful indicator. For example, search for the board portals you’ve shortlisted in your device’s app store. When was the last time they received an update? If the latest version is older than a few months, it likely indicates that the provider is neither proactive nor quick to react.
You can also check whether they’re available on governmental procurement platforms — like G-Cloud in the UK. Their presence on such marketplaces is a guarantee that the solution has been vetted for government use.
Finally, ask the board portal providers directly. Typical questions to ask about their product’s security would include:
Besides the content of their answers, their openness to reply will usually tell you a lot, too.
Board Intelligence is the only UK-headquartered, UK-hosted board portal. It offers the highest-quality data centres (ISO 27001 & 9001-certified), approved for hosting UK Government data, as well as all the cybersecurity features needed to keep your information safe — which is why it’s trusted by the boards of international banks, government bodies, healthcare providers, corporate service providers, and many more security-conscious organisations.
To see for yourself why 40,000+ board members and executives are using our platform to run their businesses efficiently and securely, book a demo of the platform.