Cybersecurity - how are Directors managing their IT?
Coffee chat session summary
Directors and their own IT set-ups
It was noted that non-executive directors (NEDs) tend already to be nomadic – working from home, the office, or while travelling. They have their own devices and are expected to ensure these are maintained. Regardless of how they are organised, all Directors must ensure their devices are properly protected, strong passwords are used (and regularly changed) and applications are kept up to date. Passwords should not be re-used; password managers are helpful for keeping track of multiple passwords. “Two-Factor Authentication” (2FA) should always be enabled for additional protection.
If NEDs are not IT literate, they should seek help to ensure proper cyber hygiene. In the absence of one’s usual IT assistance, WFH may mean tech-savvy teenagers are on site who can help; otherwise most tasks can be learned through online searches and YouTube videos that provide step-by-step instructions. A poll showed most participants thought their mandate companies should be offering assistance to NEDs regarding IT and cyber matters. Many felt more work was needed to improve their own practices.
Not all Directors have (or require) IT support; however, obtaining replacement computers or getting hold of appropriate support may currently be more difficult than usual. Adequate bandwidth, regular backups and multiple devices can all help to ensure the Director can keep working.
Have an anti-virus installed, and make sure it runs and updates itself. An online search for reviews will help identify which one suits best, but the main message was that it must be used and kept updated.
Regarding encryption, a distinction was made between:
(i) encryption of data on devices (noting lost or stolen devices being a lower risk whilst stuck at home), and
(ii) encryption of information sent between devices and remote systems. For the latter, a VPN was recommended – a kind of “secure pipe” between you and your company for sending documents. Many Directors will be familiar with examples such as ShareFile or their Board portal, where they log on and upload/download documents to avoid using email. Free personal email services such as free Gmail/Hotmail accounts should never be used to send or receive sensitive data – keep to the corporate accounts and make sure all sensitive documents are password protected.
It was noted that tablets tend to have fewer security weaknesses than PCs. But don’t forget to wipe the device when it is no longer required and ensure all documents have been deleted.
Also be careful with instant messaging applications like WhatsApp or Slack, as 100% security cannot be guaranteed. These are great tools for communications and quick exchanges – often acting as the office “water cooler” and supporting wider collaboration – and for less sensitive matters. If asked to send a sensitive document via such a platform, first ask why, as these should only be shared via your agreed secure portal.
In general, Directors should be wary of free applications, and of course watch out for phone calls from “Microsoft”, “Apple” or your bank – these organisations will not be calling you; rather it is fraudsters wanting access to your data. If anyone calls, don’t provide details, but call back on the company’s usual number and request your usual contact – do not call any new number the caller gave.
In summary, some of the tips for a Director’s own IT included:
try to split personal from work computers, and don’t forget to run your back-ups
take care where sensitive documents are saved, who has access to them and how these documents are sent
encrypt sensitive data and documents, e.g. via password protection
be wary of free applications
practise good cyber hygiene (strong passwords which are not re-used, 2FA, anti-virus programmes, VPNs, and keeping everything updated)
look out for phishing emails (currently on “Covid” subjects in particular)
only rely on trusted websites for information