During the current COVID-19 crisis, cybersecurity and privacy should move to the forefront of everyone’s thoughts, especially for boards of directors.
Corporate boards, nonprofit boards and other leadership teams all face the challenges of remote working, and remote meetings have become a front-and-center cybersecurity issue. While boards have traditionally conducted some meetings via conference calls, boards are increasingly using technologies such as videoconferencing to conduct meetings due to the COVID-19 crisis.
Board members should note that these technologies are not without risks. Every day, more and more tales are being heard about meetings being hacked into, interrupted or otherwise compromised.
In fact, new terms have been coined to categorize these malicious actions. While these actions typically involve someone actually disrupting a meeting, a bad actor intent on stealing information will probably just sit there, trying not to be noticed, all the while stealing secrets.
Understanding the risks associated with videoconferencing and taking action to avoid them have arguably become a fiduciary duty for all boards and board committees.
Similar to physical board meetings, virtual board meetings often include discussions of confidential information, intellectual property, trade secrets and company plans. This highly sensitive information is frequently the target of bad actors and unfortunately bad cybersecurity protocol can make it easier for them to obtain this information in virtual settings.
Best Practices that Board Members Should Follow
There are basic things boards should understand and implement to make their communications more secure. While not exhaustive or situation-specific, some of these include:
- Understanding the security and privacy profiles of the platform you are using. Are the video feeds encrypted? End to end? And where are the servers hosting the feeds? What are the security and privacy practices of the countries where such servers are located?
- Utilizing passwords for all meetings. This can help control who is actually in the meeting.
- Verifying meeting attendees. Before the meeting or conversation actually starts, verify everybody in the meeting, including phone numbers that do not have an associated video feed.
- Understanding the recording features of the platform. Understand who can record the meeting and also the security around the recording. For example, where is the recording stored? Is it encrypted? Password-protected? Also, you should understand the legalities and practicalities of whether the meeting should be recorded at all.
- Understanding any regulatory and compliance implications of the meeting. For example, if you have the meeting, are there any associated disclosure requirements, and if so, how will you meet them? On the government side, are there any “sunshine” law requirements around the meeting and will it be subject to freedom of information act requests?
- Understanding the features of the platform. Who can share their desktop? What controls does the host have? What abilities do the attendees have?
As stated earlier, one size does not fit all and there are other things boards might consider based upon their particular circumstances. As such, the above should be seen as a starting point and not as the end game.
Keep Your Privacy and Cybersecurity Antennas Up
In short, video conferencing can be a very useful tool when confronted with crises like the present COVID-19 situation. However, our privacy and cybersecurity “antennas” should always be up when using these technologies. Just as a board would not let just anyone into a physical board meeting, the same mindset needs to occur with virtual board meetings.
Lastly, boards should remember that their duty is to think about cybersecurity for the enterprise at all times. Gone are the days when a board could rely on their IT staff to give the “all’s good” on cybersecurity for the organization. Boards have a duty to understand these topics and to act accordingly, whether when meeting virtually or otherwise.