Board document data storage in an age of heightened geopolitical risk
Amid rising global geopolitical tensions, organisations need to protect themselves against a wide variety of cyberattacks from increasingly aggressive sources that include nation states.
The issue is particularly urgent for boards. For a long time, cyber criminals have targeted board directors because of the highly confidential nature of the documents they work with.
This means that boards don’t just need to consider cybersecurity as part of their corporate risk management agenda – they also need to think about how they are securing their own sphere of work.
This article will help you understand the measures that need to be in place to store and protect board documents safely within a board portal. It will also help you check whether the security and data protection measures in the board portal software you use, or intend to adopt, are appropriate to the task. In particular, it will help you understand:
- Why a secure board portal is important in the current geopolitical climate
- What data storage and protection measures you should look for in board portal software
- How you can check you have the right board portal solution for secure content sharing
Specifically, we will cover:
- The nature of the current geopolitical threat
- What board portal software is and why it is an important security consideration
- When board portal software is used and the vulnerabilities to look out for
- How data and documents in a board portal are stored - what to review to stay secure and compliant
- What to look for in a board portal solution for secure content sharing
- Other factors to look for in a secure board portal – employee checks and physical protection of facilities
What is the nature of the current geopolitical threat?
In 2021, HP Wolf Security released a landmark study that highlighted that geopolitical risk is becoming an increasing factor in cybersecurity. The report stated that “nation state cyberattacks are becoming more frequent, varied and open; moving us closer to a point of ‘advanced cyberconflict’ than at any time since the inception of the internet”.
The HP research showed there has been a 100% rise in nation state incidents in recent years. Further analysis of over 200 cybersecurity incidents connected with nation state activity since 2009 indicated that businesses, especially larger organisations, are now the most common target (35% of all attacks). This was ahead of defence organisations, media and communications organisations, governments and critical infrastructure providers.
Since that report was released in 2021, the level of threat has grown further following the conflict in Ukraine. In addition to increasing cyberattacks against Ukraine, there has also been a rise in concerted attacks against European energy companies, financial institutions and communications infrastructure.
Business functions at all levels within organisations now need to be asking one key question: are we ready to protect our data and operations against escalating cyber risks related to geopolitical tensions?
Boards are no exception – and they need to start by reviewing whether they have the best board portal software for secure data storage and content sharing. If your organisation doesn’t currently use a board portal, this article will also help you evaluate the market, build your business case and choose the most secure portal for your needs.
What is board portal software – and why is it so important for security?
The best board portal software provides boards and management teams with a digital platform for document sharing, collaboration, a historical digital archive and access to board documents online and offline. The documents shared and accessed via board portals might include financial reports, budgets, HR updates, corporate strategies, merger proposals, security updates and policy statements. As such, a board portal is a vital hub of communication. It is also a key repository of confidential information of potentially high value to criminals and to certain countries, and organisations need to protect it against attack at all times.
When is board portal software used – which potential vulnerabilities do you need to look out for?
Administrators such as company secretaries, and board directors, use board portal software before, during, after and between board meetings:
Before the meeting: to send reminders about meeting time and location, confirm availability, create agendas, compile board packs with confidential and often sensitive information and upload previous minutes or any other relevant updates since the last meeting took place.
During the meeting: to take minutes within the portal, record votes and decisions, assign actions and set deadlines.
After the meeting: to send minutes, facilitate post-meeting sign-off on decisions via e-signature, set reminders on actions, notify directors of new uploads and enable votes on any business that is still open or requires approval.
Between meetings: to enable directors, administrators and the leadership teams to interact with and collaborate more effectively between meetings by accessing confidential company information from anywhere. They should also be able to communicate securely with other directors at any time within the portal.
With these processes in mind, the most important factors to consider when you are checking whether you have secure board portal software are:
- Where and how the documents within the portal are stored and made available for access
- How documents are protected when users send and share them
How data and documents in a board portal are stored - what to look out for to stay secure and compliant
Data storage
One of the key promises of easy-to-use board portal software is that it enables directors to securely access confidential documents at any time, from anywhere. Wherever that data is stored must be fully secure, so the first thing to check is whether the board portal software provider you are engaged with uses only fully encrypted storage and secure servers. Only then can your board portal partner assure you that the documents it stores for you (and provides you access to) are fully protected.
You should also interrogate procedures for the disposal of stored data. At Admincontrol, for example, we guarantee that all information is erased and use a certified provider for data storage media deletion.
It is also vital that you review your board portal software provider’s arrangements for ‘multitenancy’, the method by which board portal providers create logical segregation of data between multiple tenants (i.e. you and the provider’s other customers) within their storage environment. On a technical level, the security mechanisms that ensure full isolation between tenants should be built into the board portal’s database and application logic. Multitenancy arrangements should also be verified through regular third party security tests. Data encryption should also support full segregation by using unique encryption keys for each customer.
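As an added illustration of the segregation described above (example code written for this article, not Admincontrol’s implementation), the following Go store gives every tenant its own random AES-256-GCM key and partitions records by tenant ID, so a request carrying another customer’s tenant ID gets ErrNoAccess, and a record copied between partitions would not authenticate under the other tenant’s key. The tenant IDs, document IDs and in-memory key handling are constructed assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

var ErrNoAccess = errors.New("document not found for this tenant")

// Store partitions records by tenant and holds one AEAD per tenant, built from
// that tenant's own random key (kept in memory here; a real service would use a KMS).
type Store struct {
	aeads map[string]cipher.AEAD       // tenantID -> AES-GCM under the tenant's key
	docs  map[string]map[string][]byte // tenantID -> docID -> nonce||ciphertext
}

func NewStore() *Store {
	return &Store{aeads: map[string]cipher.AEAD{}, docs: map[string]map[string][]byte{}}
}

// Onboard generates a fresh AES-256 key and an empty partition for a new customer.
func (s *Store) Onboard(tenantID string) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(block)
	s.aeads[tenantID], s.docs[tenantID] = g, map[string][]byte{}
	return nil
}

// Put seals a document under the tenant's key, binding tenant and document IDs
// as associated data so a record copied into another partition cannot authenticate.
func (s *Store) Put(tenantID, docID string, plaintext []byte) error {
	g, ok := s.aeads[tenantID]
	if !ok {
		return ErrNoAccess
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	s.docs[tenantID][docID] = g.Seal(nonce, nonce, plaintext, []byte(tenantID+"/"+docID))
	return nil
}

// Get looks the record up only inside the caller's own partition and opens it
// with that tenant's key; any other tenant ID yields ErrNoAccess.
func (s *Store) Get(tenantID, docID string) ([]byte, error) {
	rec, ok := s.docs[tenantID][docID]
	if !ok {
		return nil, ErrNoAccess
	}
	g := s.aeads[tenantID]
	n := g.NonceSize()
	return g.Open(nil, rec[:n], rec[n:], []byte(tenantID+"/"+docID))
}
```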
Security management processes and compliance
It is not just important to know how and where your data is stored. You also need to know that your board portal software provider has robust security processes that cover its entire business, process and products. In particular, it is key that the provider engages with third party testing procedures and industry-recognised certifications.
The most important elements to check for here are regular penetration testing, a SOC 2 report and ISO 27001 certification.
Penetration testing
Any board portal’s mobile and web applications should have a strong shield against hackers that is verified by regular penetration and security testing. Such tests should be carried out regularly by third party security experts who systematically attempt to penetrate the system and find security holes that a hacker could potentially exploit. Ask your board portal software provider who is doing this testing on their behalf and how often. You should also check whether they test in line with the Open Web Application Security Project® (OWASP). OWASP is a non-profit foundation that works to improve the security of software. It also produces the OWASP Top 10, a standard awareness document for developers and web application security that represents a broad consensus about the most critical security risks to web applications.
For example, Admincontrol ensures that its third party testing partner carries out tests using OWASP methodology and against OWASP Top 10 vulnerabilities. In addition, we verify our service against OWASP ASVS L2 and our mobile apps against OWASP MASVS L2+R on an annual basis.
Bug Bounty Programs
Companies with a mature security program also participate in Bug Bounty programs. This is a proven way of 'battle testing' the security of a service with ethical hackers around the world. The difference between ordinary penetration testing and a Bug Bounty program is the number of security testers testing a service. Relying only on a single penetration test performed at regular intervals is no longer sufficient. With a Bug Bounty program a service is tested by many ethical hackers continuously.
In Admincontrol we participate in the Visma Private Bug Bounty program with elite ethical hackers and are also part of a Responsible Disclosure program where security researchers are invited to find vulnerabilities and report them.
Cyber Threat Intelligence (CTI)
With the growing threat landscape and changing geopolitical risks, organisations must also evaluate and keep themselves updated on threats to their business. The same applies to your suppliers, so that you do not end up with a supplier that introduces additional risk. Supplier security has therefore become much more important.
At Admincontrol we receive threat intelligence from several sources to ensure that we are able to detect new threats to our solution and services.
External audit via SOC 2 Type II reports
SOC 2 was developed by the AICPA (American Institute of CPAs) and defines criteria for the management of user organisations’ data based on the Trust Services Criteria. These criteria cover controls related to security, availability, confidentiality and privacy.
Always ask whether your board portal provider meets these criteria. A SOC 2 report provides independent assurance that your board portal software provider keeps data private and secure while it is processed or in storage, keeps data accessible at any time, and implements specific controls relating to the confidentiality and privacy of information.
ISO 27001:2013 certification
ISO 27001 is the international standard that describes best practice for an ISMS (Information Security Management System).
An ISMS is an effective way of ensuring the proper management of information security and sufficient controls to reduce the risk of data breaches. It also provides a solid base for achieving compliance with the relevant data protection and privacy regulations such as GDPR.
The ISO 27001:2013 certification is a critical test of any board portal provider because it covers the entire business, process and products and demonstrates a robust commitment to providing excellent security throughout every aspect of its service.
At Admincontrol, our ISO 27001:2013 assessment and certification is performed by DNV GL, which is one of the leading global providers of accredited management systems certification.
When evaluating an ISO 27001 certification, it is important to look at the scope of the certificate, to identify what the certification actually covers. Some companies choose to only certify parts of their company or rely on a certification from the data center, which does not necessarily cover the services and solution that one would expect.
To provide trust to our customers, Admincontrol has chosen to certify Admincontrol as a whole, including the delivery of our service to our customers, which also includes the secure development of our product. We also ensure that our subcontractors have their certifications in place.
What to look for in a board portal solution for secure content sharing
As well as looking at provisions for data storage and security management certifications, it is also crucial that you review whether your board portal software provider has specific measures in place to protect data in transit and ensure that only authorised users can access it.
As a minimum, this means that the board portal your organisation adopts should include:
Secure communication channels within the portal
Secure portals ensure that all communication stays within the secure boundaries of the portal, so that it is never carried out via insecure and vulnerable channels such as email.
Role based permissions to restrict access to confidential documents
Easy-to-use secure board portal software provides customisable permission settings, so that only certain users can access particular documents of varying confidentiality levels, depending on their roles.
Distribution control
How do you ensure that your business-sensitive information is not downloaded and sent elsewhere? A secure service must also provide functionality that lets you control the distribution of the documents you share.
At Admincontrol we provide download restrictions and watermark functionality, so that you can prevent further distribution of documents or keep track of where a file originated.
Device control to prevent information falling into the wrong hands
One of the big efficiency advantages of digital board portals is that they are accessible on mobile devices via a native app. There are dangers to be aware of here, though. A secure portal provider should enable your IT administrators to remotely wipe the content in the app if the device is lost or stolen. In addition, it should allow you to manage which devices a user can access the board portal from. The technology should also include protection against jailbreaking – the process of removing the software restrictions put in place by the device manufacturer.
Another issue is that people use many devices today that are shared with family members, so it is important to limit access to a certain number of approved devices.
In all these scenarios – and for your approach to security in general – it is crucial that the level of security is controlled and managed centrally by the organisation and not by end users.
Secure electronic signing for remote approval of board documents
E-signatures are a particularly important feature within secure portals because they enable directors to sign the minutes of board meetings and other corporate documents remotely, securely and in compliance with company and official guidelines.
To make sure the electronic signing within your board portal software is fully secure and provides the appropriate trust level and legal compliance, you’ll need to check the compliance level and accreditations of the eSignature solution. At Admincontrol we have partnered with Signicat AS, and as such we are one of only a few companies that can use the EU Trustmark and are part of the EU trust list.
All Admincontrol’s data processing is performed within the EU/EEA, and both Signicat and the data centre used for processing are ISO 27001 certified.
Compliance with the General Data Protection Regulation (GDPR)
The EU and UK GDPR regulations lay out specific requirements for businesses and organisations to fulfil key objectives relating to data protection (where data protection is defined as the process of safeguarding important information from corruption, compromise or loss). They also set clear requirements for the security of personal data. When you are checking whether your chosen board portal solution complies with these requirements, a security certification scheme such as ISO 27001 or a third-party assurance report such as SOC 2 will provide evidence that sufficient security and the right level of data protection are in place.
Two Factor Authentication to overcome weaknesses in user passwords, restrict access and ensure stringent user verification
Over the years it has been proven that 90% of passwords can be cracked in less than six hours, two-thirds of people use the same password everywhere and 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
Two Factor Authentication helps to solve this problem because it is an additional layer of security that ensures only authenticated users gain access to an online account. Initially, a user will enter their username and a password as usual. Then, rather than gaining access straight away, they will be required to provide additional information. This second factor could come from one of the following categories:
- A code from an authenticator app on a phone, or a code sent by SMS to a phone
- A biometric indicator, such as the user’s fingerprint (Touch ID) or facial recognition (Face ID)
Two Factor Authentication is fundamental to the security of any board portal. It should be provided as an option by any board portal company that takes security seriously. If the option is available to you, make sure you enforce its use within your security policies.
The effectiveness of these measures is well proven: Microsoft has stated that 2FA is effective at preventing 99.9% of attacks on accounts.
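The two-step login this section describes, as an added Go example written for this article (not the portal’s own code): the password is checked first, then a six-digit authenticator-app code computed per RFC 6238 is verified, and with enforce2FA set an account that has not enrolled a second factor is refused rather than let through on the password alone. The User record and its SHA-256 password placeholder are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

var ErrBadPassword = errors.New("wrong username or password")
var ErrNoSecondFactor = errors.New("second factor required but not enrolled")
var ErrBadCode = errors.New("second factor code rejected")

type User struct {
	PasswordHash [32]byte // constructed: stands in for a proper salted, slow password hash
	TOTPSecret   []byte   // nil if no authenticator app has been enrolled
}

func NewUser(password string, totpSecret []byte) User {
	return User{PasswordHash: sha256.Sum256([]byte(password)), TOTPSecret: totpSecret}
}

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamic truncation, six digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes; low nibble of the last byte selects the 4-byte window
	code := binary.BigEndian.Uint32(sum[sum[19]&0x0f:]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

func TOTP(secret []byte, unixTime int64) string { // RFC 6238: HOTP over a 30-second time step
	return HOTP(secret, uint64(unixTime/30))
}

// Login runs the two-step flow: password first, then the app code. With enforce2FA set, an
// account with no enrolled second factor is refused; one 30-second step of clock drift is tolerated.
func Login(u User, password, code string, now int64, enforce2FA bool) error {
	h := sha256.Sum256([]byte(password))
	if subtle.ConstantTimeCompare(h[:], u.PasswordHash[:]) != 1 {
		return ErrBadPassword
	}
	if u.TOTPSecret == nil {
		if enforce2FA {
			return ErrNoSecondFactor
		}
		return nil
	}
	for _, drift := range []int64{0, -30, 30} {
		if subtle.ConstantTimeCompare([]byte(code), []byte(TOTP(u.TOTPSecret, now+drift))) == 1 {
			return nil
		}
	}
	return ErrBadCode
}
```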
Other factors to look for in a secure board portal software provider
On top of evaluating your board portal software provider’s approach to data storage and protecting systems through technical means, we also recommend that you check the provider’s approach to employees and the protection of physical resources.
The top areas to review here include:
Screening and background checks
Does your provider screen all new employees before employment is offered within the company? Screening should include background checks on the employee’s previous roles (including reviewing public information about the employee being involved in negligent or criminal incidents).
Confidentiality
All employees of your chosen board portal provider must have signed non-disclosure statements that ensure they fully understand their duty to keep information they acquire as part of their work fully confidential, both during and after their employment.
Secure areas
The production environment within your board portal software provider should be secured to prevent unauthorised physical access or damage to the organisation’s information and information processing facilities. The aim here is to prevent loss, damage, theft or compromise of assets or interruption to the organisation’s operations.
Physical entry controls
Secure areas should also be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
The right supplier should be open about all their physical and non-physical security measures, be willing to listen to your questions and provide you with assurances that all possible processes are in place to keep your data secure and protected at all potential vulnerability points.
Find out more
Board portal software is essential for any organisation that wants to improve the efficiency and quality of senior level communications while saving time, money and accelerating decision making.
Reviewing the guidance provided in this article will help you establish whether your chosen supplier meets all these requirements, while keeping your confidential board data secure.
At Admincontrol, we make the issue of security one of our top priorities and will be happy to answer any questions you may have about any of our security arrangements – you can get in touch here.
We also recommend this broader guide to Reviewing your board technology investments.