Why Board Members Using Personal Email Weakens Security for the Board

Shelagh Donnelly
7 min read
If an organizational crisis hasn't already occurred during your tenure as a governance professional, there's a good likelihood that you, your board and management will need to work through at least one before you eventually hang up your governance boots. Anyone who's made it through such a trial will know that while crises inevitably bring valuable lessons that will stand you in good stead, these lessons are not without cost.

That's why organizations have risk registers, and strategies to mitigate risks. Your board likely reviews and discusses risk registers and Enterprise Risk Management (ERM) reports on a regular basis. Cybersecurity and cyber attacks feature increasingly prominently within such analyses and with good reason. Cyber attacks are evolving at a rapid pace and their complexity continues to escalate.

Cybersecurity Awareness Month is drawing to a close, but it's always timely for you and your board to pay attention to digital security. It's said that, when it comes to cyber attacks, there are three types of organizations: those that have been breached, those that will be breached and those that have been breached but don't yet know it.

Current boardroom cyber breach protocol

Ideally, your board and management team have already established principles associated with cyber breaches. For example, is the organization willing to pay ransomware if demanded or does that run counter to fundamental convictions? Toss that topic on an agenda if you'd like to encourage healthy boardroom debate! Your organization's Chief Information Security Officer (CISO) or CIO may well have run incident response exercises with management and, ideally, with your board or one of its committees. If not, you may do your organization a valuable service by suggesting that the board discuss such an undertaking.

When an organization incurs a cyber breach, the implications extend beyond principles, protocols and the practicalities of whether someone in the organization knows how to acquire bitcoin. There are also the matters of compliance and disclosure, along with lost opportunities and hits to productivity. Legal counsel may be required and insurance is another factor. While none of these is insignificant, reputational impact is a major consideration ' one that may be quantified, at least to some extent, in subsequent financial reports.

Yet, despite growing awareness of the multiple risks associated with cyber breaches, I'd be surprised if the majority of risk registers tackle board communication practices. This goes beyond the extent to which your colleagues may be deferential toward the board; rather, I suspect it's more a matter of whether boards and management teams have turned the lens inward on this topic. When you consider the sensitivity of many communications with and between directors, though, the use of personal email accounts can represent just that: risk to the organization.

The dangers of using email in the boardroom

How so? Consider that hackers and other cyber criminals are known to specifically target directors and those who support C-level executives. Then consider that 56% of board members use personal email, rather than business-regulated email, to communicate with fellow directors and their contacts within the organizations they lead.

That's one of the conclusions of Forrester Consulting's April 2018 study, commissioned by Diligent Corporation. Forrester's report reflects surveys of 411 governance professionals across 11 countries in North America, Europe and Asia Pacific.

The study found that 51% of C-level executives and 50% of governance professionals adopt the same doubtless well-intended approach. I wouldn't be surprised if some people choose this approach in order to avoid communicating delicate matters through corporate email systems.

In fact, Forrester found that personal email usage is typical across boards of all company sizes and regions. 53% of North American boards communicate sensitive internal board communications via personal email; that's the highest reported rate in the study. European boards aren't far behind, at 51%, and the percentage of personal email usage is lowest in Asia Pacific, at 48%. Across all regions, even directors with access to board portal software were found to turn to personal email for board communications.

As you contemplate these numbers, consider the evolution of cyber criminals' fraudulent email practices to obtain information. We all need to be mindful of mass scale, angler (social media) and spear phishing. The latter involves highly directed and personalized email targeting.

However, it's the phishing practice known as whaling that's of particular relevance in a governance context. Whaling is exactly what the term implies; hackers are after the 'big catch'. That means targeting people at the top of the org chart, and those who support them. This includes you, your directors and management.

How to improve boardroom communication practices

Take a moment to reflect on the specifics of some of your own confidential and sensitive governance-related communications. Then consider Forrester's findings; at least one out of every two directors, C-level executives and governance professionals is using non-regulated email for what can be critical communications. Imagine the consequences and reputational risks should hackers latch on to one of the big catches in your organization.

The Forrester study also highlighted increases in board reliance on hardware devices, and just how vulnerable boards are to other inadvertent data leaks. Hardware theft represents one form of potential data leakage, the unauthorized transfer of data. Even the most sophisticated among us can be susceptible to hardware theft.

Having spent the past decade as a governance professional, I was not na?'ve to the concept of hardware going AWOL, but I was surprised to read the study's findings on this front. Nearly 30% of board members reported losing or misplacing a phone, computer or tablet in the prior year. The same is true for 29% of governance professionals.

While it's other colleagues within your organization who hold primary responsibility for cybersecurity, it's likely that you're the person to whom your directors turn for insights on effective board operations. If you and your directors have relied at times on personal email systems, you can do your organization a service by flagging the risks associated with these practices.

Of course, a good governance professional knows that it's not enough to simply identify a risk or problem. It's up to the board to make informed decisions. However, the trust you hold and the influence you carry are accompanied by the responsibility to also identify prospective solutions.

The advantage of secure communication solutions

You can impact your board's mitigation of risks associated with phishing and data leakage, by introducing discussion of Enterprise Governance Management (EGM). EGM is a term that Diligent recently developed, and so it will likely be new to you, your directors and management. Its principles are straightforward and practical. Simply put, EGM is the application of technical tools and resources to address governance needs.

I think of Enterprise Governance Management as a board's tech solution-focused counterpart to Enterprise Risk Management. It supports effective governance and preemptively uses technology for secure communications and transmission of information and documents. Of all the acronyms to which you expose your directors, EGM may be one of the most relevant when applied to working through crises ' and when it comes to avoiding crisis creation through less than secure communications.

Diligent Messenger is an innovation that represents just one element of EGM. Think of it as a secure means of texting and sharing attachments with an individual, a committee or group, or with your board as a whole. It provides capacity for real-time collaborations, and its secure system works as a standalone product or integrates seamlessly with Diligent Boards'Ѣ, so there's no longer a need to turn to personal or corporate email systems.

While change itself isn't seamless, and some may be reluctant to adjust their communication practices, you understand the risks associated with use of personal email. You also understand how your people best adapt to change, and so you'll find the right way to broach prospective solutions.

The concept of speaking truth to power is an important one. Is it time for you to initiate a conversation on how you, management and your directors communicate with one another?
Related Insights
This is where Author Role goes
Shelagh Donnelly
Shelagh Donnelly writes about governance and the world of administration, and speaks internationally on both topics. She's been a direct report to C-level executives, including four CEOs, in the private and public sectors. Shelagh spent the last decade of her 21-year higher education career immersed in the world of governance. As the institution's governance point person, she elevated the directors' onboarding program, championed the introduction of portal software, and introduced efficiencies and practices that enhanced operations and ongoing board development. Responsible for effective operations of the institution's governance system and accountable to board Chairs and the institution's CEOs, Shelagh supported all five of the board's committees. She worked with four board chairs, more than a dozen committee chairs and multiple directors. Shelagh's professional affiliations have included the Institute of Corporate Directors (ICD) and the National Association of Presidential Assistants in Higher Education (NAPAHE). Through the Association of Governing Boards' (AGB's) Board Professionals Leadership Group, she served as a board professional mentor. She remains a member of Governance Professionals of Canada (GPC) and has served as Chair of the Board of Directors of CICan:GPOP (GPOP), a national professional association affiliated with Colleges and Institutes Canada (CICan). She is one of only two individuals to be recognised with the CICan:GPOP Award for Distinguished Service. Shelagh began publishing Exceptional EA, an online professional development resource for career assistants, in 2013. She continues to publish Exceptional EA and write for other publications, and is the author of the forthcoming book, The Resilient Assistant. Exceptional EA: 'https://exceptionalea.com/ Colleges and Institutes Canada (CICan): https://www.collegesinstitutes.ca/