Understanding Board Communication Practices and Why They Carry Risks

Nicholas J Price
5 min read
People communicate all day long without thinking very much about who hears what they have to say and where the information travels. That's fine for the general population, but board directors have a greater responsibility to keep board business private and secure. Board directors may honestly believe that because they're careful what they say outside the boardroom, they're keeping board communications confidential.

What many board directors fail to realize is that the channels of communication they use every day may not be secure at all. As much as they lack knowledge about cybersecurity, hackers and criminals are way ahead of the game, and they're looking for the weak links in communication channels between board directors. They're also looking for ways to listen in on conversations between board members and their managers, shareholders, regulators and others.

Board communication practices carry many risks. It's imperative that board directors understand their communication channels and practices so that they can work with IT professionals and managers to seal all the leaks.

Working Collaboratively Among Roles to Secure Communications

Company business flows more smoothly when everyone has a role and fulfills it to the best of their ability. Effective board directors have many responsibilities, but their primary role is to increase profits and to mitigate risk while minimizing costs. Senior executives focus on operations and fulfilling the plans that the board outlines for them. Board directors and managers aren't IT experts, and no one expects them to be. IT experts fill the role of keeping trade secrets and strategic planning secure.

When it comes to allocating money, board directors and managers sometimes feel that they're spending large amounts of money on IT security but can't really be sure what the right amount should be. To some degree, many board directors and managers believe that some part of the company's allocation for cybersecurity takes funds away from projects and processes that can help them achieve their goals.

It's not surprising that they'd feel that way considering that cybersecurity doesn't have much of a direct return on investment. Some sentiment and concern exist about spending way too much money to prevent something that hasn't even happened yet and may not happen at all. When it does happen, the IT department is likely to take the largest amount of criticism and the company could take a hit on financial reports and reputation.

The net result is typically a constant wrestling match over how much spending for IT security is enough. In a perfect world, there is enough trust between board directors, managers and IT experts to come to a reasonable consensus on the IT budget allocation.

Gaining Insight From a Real-World Example

During the 2016 U.S. presidential election, Hillary Rodham Clinton ran for President against Donald Trump. Political campaigns sometimes dig out past indiscretions of political opponents and one of the targets aimed at Hillary Clinton was using her personal email address for highly confidential government correspondence in her role as Secretary of State in 2015.

Clinton admitted that she used her private email address for official government correspondence on multiple devices. She excused her actions by stating that the U.S. State Department allowed her to use her private email address and that her primary motive was convenience. It was easier to carry one device for work and personal business. What Clinton failed to consider is that her personal electronic devices lacked the level of security necessary for someone in her position who regularly communicated sensitive federal information.

Does Convenience of Communication Supersede Common Sense on Your Board?

The business environment is changing at lightning speed. Board directors are facing regulatory pressures forcing them to place a greater focus on improving oversight. Mobility places higher demands on flexibility, speed and security. The issues that boards face call for secure communications between board members, committee members and those they communicate with daily.

Board portals offer a secure way for board directors to communicate in a highly secure environment. However, as we can see from the example with Hillary Clinton, secure communications only work when you use them. Board directors who transfer documents and communication using unsecured channels could be regularly exposing their company's confidentiality without thinking about it.

Evaluating and Implementing Formal Lines of Procedure and Communication

Using a board portal is the surest way of protecting board communications. Many companies get that part right. Where there may be a breakdown is that they don't have formal procedures about what to use the portal for and what to communicate through it.

If establishing procedures about board communications isn't already on the board agenda, it's time to get that discussion going. Do you know whether board directors are using the board portal 100% of the time for board communications? Are they sometimes using personal email accounts to make changes or revisions in documents before circulating them to other board directors? Are they circulating those documents outside the board portal? Are board directors using their personal email accounts for board business on multiple electronic devices? Are board directors storing board documents on their personal computers, cell phones and tablets?

Every communication outside the board portal presents an opportunity for hackers to break into the communication channel and places confidential corporate information at risk of a data breach.

To protect all of the board's data and other communications, the board must work together with their partners in senior management and IT departments to establish formal lines of policies and procedures around communication. Having formal policies will help to familiarize individuals with the language barrier consisting of IT terminology. All three parties must 'buy in' to this issue in order for it to work.

Creating and Implementing New Board Practices Around Communications

This is where the roles of board directors, senior executives and IT experts finally mesh. All three parties are needed to create a map of who has confidential information and how they send it. Together, they'll need to identify and evaluate potential areas where communications and channels may not be secure.

Board directors will likely need to create new policies that require all board communications to occur inside the portal and monitor board activities to make sure that it's actually occurring. They'll also need to educate managers, employees and others about the dangers of sending anything that isn't encrypted or secure, regardless of whether they think the communication is important. Keeping communications secure isn't a 'one and done' activity. It has to be an issue that is under constant review and that evolves as it needs to, in order to keep up with the rest of the demands of business.