Boards are spending an increasing amount of time considering risk management pertaining to cyber security, data governance, and the Internet of Things. Great strides are being made in uplifting cyber security maturity and the sophistication of protective mechanisms. But can such sophistication distract from the basics?
Let’s think about this in a board context:
By virtue of what we do, board members are exposed to a unique nexus of confidential information. Lawyers and similar practitioners have firmly defined parameters around legal professional privilege, as do doctors and medical professionals with doctor-patient confidentiality, but what about board members, who handle several streams and types of information at once?
Board members spend considerable time steeped in different types of deeply sensitive information: commercial, legal, political, personal, medical, and financial. The appropriate degree of confidentiality can depend on the recipient: the chairperson; other office-bearers; the full board; the executive management team(s); the broader organization; shareholders and stakeholders; and the external environment at large. It also depends on the extent or depth of information shared, and on the timing of that sharing: before, during, and immediately following key internal and external triggers and events. These intertwined, subjective factors require judgement to be exercised in a highly nuanced and considered manner, and that is just for one board.
As a board member, which email address do you provide when you send or receive confidential information pertaining to your board’s organization?
Many of us “wear multiple hats” by working at, and serving on the boards of, multiple organizations at once. This means we are being entrusted with several sets of such deeply sensitive information, each subject to those differing factors. In tandem, our reliance on email and digital platform communications keeps growing, all the more so because we are all busy, all on the go, and all juggling multiple roles. As board members, how are we protecting the confidential information we disseminate in that manner? Pertinently, are we fully aware of all the places we send it (deliberately or otherwise)?
Let's examine this paradigm: board members and fellow governance portfolio holders working for, and directing, several entities at once. We have day-jobs during business hours, serve on several boards of directors in our own time, some of us operate or consult within side-hustle businesses, and some are also undertaking further study. Counting the email addresses involved, there is at least one personal address (two or more for Millennials, but more on that shortly), one for the day-job, one for any business or consulting activities, and one for any tertiary study. Some boards provide internal email addresses, but this differs per organization.
For current board members, think about the board you sit on: how do you communicate with your fellow board members? Or, for those in the company secretariat space, how do you reach board members when you need to communicate important, official information (outside of the usual board platforms for board packs)?
Let’s say an urgent issue arises requiring the CEO to seek the timely attention of their board, and the CEO uses the board members’ “work email” addresses, that is, addresses on the domains of separate private companies. The CEO of Company A must contact their board members. Hypothetically, say Company A’s board comprises 10 independent, non-executive directors employed at Companies B through K.
The CEO sends their email. Now consider the implications of this correspondence being added to 10 additional companies’ mail servers. This information leaves Company A’s internal environment (within Company A’s control, subject to Company A’s policies and procedures as mandated by Company A’s board in line with Company A’s board’s risk appetite) and is copied into 10 new external environments. These 10 external environments are subject to 10 different information technology policies, entrusted to 10 different IT support teams. Say one is a large multinational organization with an IT department of 100+ staff with varying levels of clearance, able to access everyone’s computers and respective data. Some organizations outsource their IT support services to third-party providers, either onshore or overseas. That is 10 different sets of cyber security controls, 10 different approaches to digital risk management, and 10 different protocols for data retention. For board members with seniority in their respective day jobs, add potentially 10 more sets of eyes: the personal assistants with delegated access to their mailboxes. There is more exposure still with AI assistants and digital productivity tools (but that is a separate topic for a separate day).
See where I’m going with this? From the perspective of Company A, how could they confidently provide assurance regarding the safety and confidentiality of its own information when distributed in that manner? Say Company C suffers a data breach, does the board member from Company C have accountability to Company A for any information lost? Think back to contact tracing methods utilized during the COVID-19 pandemic and apply that mapping to the CEO’s initial email communication. How much further than the intended 10 recipients did the information go?
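One way to make that mapping concrete is to look at the message itself: each distinct recipient domain is a separate environment whose policies, support staff and retention rules now govern a copy. The script below is an added example, not code from the original article; it parses a constructed sample message (the domains and addresses are invented for illustration) and reports every domain outside the sending organization's own, grouped by recipient.

```python
"""Added example (not from the original article): enumerate the external
domains a single board email lands in, i.e. the environments that are
outside the sending organization's control.

The message, addresses and domain names below are constructed for
illustration only.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import getaddresses

# Assumed home domain of "Company A" in the article's hypothetical.
INTERNAL_DOMAIN = "companya.example"

# Constructed sample: the CEO writing to ten non-executive directors at
# their day-job employers, plus the chair on an internal address.
SAMPLE_MESSAGE = """\
From: ceo@companya.example
To: director1@companyb.example, director2@companyc.example, director3@companyd.example, director4@companye.example, director5@companyf.example
Cc: director6@companyg.example, director7@companyh.example, director8@companyi.example, director9@companyj.example, director10@companyk.example, chair@companya.example
Subject: URGENT - board attention required

Board-in-confidence. Please do not forward.
"""


def recipient_addresses(raw_message: str) -> list[str]:
    """Return every recipient address found in To, Cc and Bcc, lower-cased."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(headers) if addr]


def external_domains(
    raw_message: str, internal_domain: str = INTERNAL_DOMAIN
) -> dict[str, list[str]]:
    """Map each recipient domain other than internal_domain to its recipients.

    Every key in the result is a separate organization whose IT policies,
    support staff, assistants and retention rules now hold a copy.
    """
    by_domain: dict[str, list[str]] = {}
    for addr in recipient_addresses(raw_message):
        domain = addr.rsplit("@", 1)[-1]
        if domain == internal_domain:
            continue  # stays within the sender's own environment
        by_domain.setdefault(domain, []).append(addr)
    return by_domain


if __name__ == "__main__":
    spread = external_domains(SAMPLE_MESSAGE)
    print(f"Message copied into {len(spread)} external environment(s):")
    for domain, people in sorted(spread.items()):
        print(f"  {domain}: {', '.join(people)}")
```

The count this produces is only the first hop. Mail forwarding rules, delegated mailbox access and backups at each of those domains add further copies that no header will show, which is the contact-tracing point above.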
In relation to email communications, we have at least two viable alternatives:
· Creating internal email addresses for each of your board members; or
· Communicating with board members on their personal email addresses
Each option has its merits and drawbacks.
Internal email addresses provide a strong layer of control and protection over organizational information; everything essentially stays in the one place. They are handy for board members who regularly write to external stakeholders or counterparts, as their email address and signature are uniform with the organization’s. That control only holds, however, for as long as the mailbox is not auto-forwarded or synchronized to an account elsewhere. The approach also creates other problems. In addition to making board members more reachable externally, it creates an avenue for staff to contact board members directly (whether or not the addresses are hidden from internal directories), which is rarely ideal or appropriate. From the board member’s side, it can also create practical difficulty depending on the domain’s security protocols (which differ between Microsoft and Google products) and how these interact or interfere with board members’ individual or personal devices. Being a relatively new product, MS Teams does not seem to know yet how to play nicely with, or navigate seamlessly between, multiple email addresses, even with authentication mechanisms enabled on the respective devices.
Utilizing personal email accounts greatly reduces the number of additional environments the message can spread into beyond those original 10 hypothetical recipients. This option also provides reprieve from yet another set of login credentials to remember, or otherwise track and manage with yet another piece of technology, and less fuss toggling between applications or products. The trade-off is that the organization cannot enforce its own controls (such as multi-factor authentication, retention or legal hold) on a mailbox it does not own. Having experience with both methods, using my personal email address is my preference.
Having said all this, it would be remiss of me to not champion the Millennial value-add.
As Millennials, email hygiene and the delineation of personal and professional information are second nature to us. We grew up alongside the internet and all went through the phase of distasteful Hotmail and AOL email addresses. Many of us have a minimum of two email addresses. One serves as a ‘throw-away’ account for inconsequential matters like online shopping, questionable TikTok or Temu purchases that are too good not to take a chance on, or marketing birthday deals; its inbox is often an abyss of spam that we don’t read, and nothing terrible would happen should the account become compromised. In addition, we have a dedicated address for managing our serious affairs such as taxation, medical matters and job applications (although sometimes professional matters are connected to yet another account), essentially the matters our generation calls “adulting”. Most of us are also familiar with password managers, as well as with securing and backing up personal or sensitive content from our devices.
You won’t catch us leaving the wrong account logged into the wrong device or leaving our devices unlocked (the basics!). A board can champion the most sophisticated, cutting-edge cyber security measures in the world but they won’t protect against an older colleague who insists on writing their password on a sticky note to “safely” affix to the underside of their keyboard. Nor will all the best policies and protocols in the world protect a busy portfolio holder leaving their workstation open and unattended.
If you’ll indulge me a quick story: Andrew, one of my favourite eccentric colleagues in the IT Department of a law firm we both worked for during my insurance litigation days, had a hilarious (but infuriating) method for keeping us on our toes. Should he pass your desk and find your computer both unlocked and unattended, he would quietly sit down, open your email account, and send a firm-wide email simply reading ‘Donuts!’. For your sins of unsafe online practices, your penance would be buying donuts for the office the next day. That, or on crowded office days, he would run a split-second keyboard shortcut that turned your entire screen upside down. Imagine Andrew hopping onto a Company C workstation left logged into Company A’s email domain and emailing the wrong company.
Further, it’s one thing to commit such a sin in a private, closed office environment predominantly occupied by internal staff, but another thing entirely when working in mixed or public spaces. Board members often don’t work exclusively from one office, meaning open workstations (be they laptops, tablets, or mobile devices) present higher and compounding inherent risks. As I’m observing in United States café culture, it’s also common for patrons to leave their laptops at their tables while they use the restroom or step outside to take a phone call. Are you locking your device, or is it open for everyone to see whatever confidential information is on your screen?
As an organization, how are you protecting your internal confidential information if your board permits communications via external company email addresses?
Are you fully cognizant of everyone else who has inadvertent access to your email account(s) and device(s)? How are you storing your passwords?
Ultimately, as a board member, what steps are you taking to protect both you and the respective organizations you serve in managing the respective sets of information correctly?