Guide to Secure Board Portal Storage

As global geopolitical tensions continue to rise, organisations need to protect themselves against a wide variety of cyberattacks from increasingly aggressive sources.
The issue is particularly important for boards to remember. For a long time, cyber criminals have targeted board directors due to the highly confidential nature of the documents they work with. This means that boards don’t just need to consider cybersecurity as part of their corporate risk management agenda – they also need to think about how they are securing every aspect of their work.
This article will help you understand the measures that need to be in place to store and protect board documents within a board portal. It will also help you check whether the security and data protection measures within the board portal software you use or intend to adopt are appropriate to the task. In particular, it explains which data storage and protection measures you should look for in board portal software, and how you can check that you have the right board portal solution for secure content sharing.
With this information, you’ll be able to review the security of your board portal software, identify potential gaps in your defences, and put yourself in the best possible situation to protect yourself against an increasing volume and variety of risks.

What Is Board Portal Software and Why Is It So Important for Security?
The best board portal software provides boards and management teams with a digital platform for document sharing, collaboration, a historical digital archive, and access to board documents online and offline. The documents shared and accessed via board portals might include financial reports, budgets, corporate strategies, merger proposals, security updates, and policy statements.
As you can see, a board portal is a vital hub of communication. It is also a key repository of confidential information that is potentially of high value to criminals and certain countries, and that organisations need to protect against attack at all times.
When Is Board Portal Software Used and Which Potential Vulnerabilities Do You Need to Look Out For?
Administrators such as board secretaries and board directors use board portal software before, during, after, and between board meetings.
They use it before the meeting to send reminders about meeting time and location, confirm availability, create agendas, compile board packs with confidential and often sensitive information, and upload previous minutes or any other relevant updates since the last meeting took place.
During the meeting, notes and minutes are taken within the portal. It's also used to record votes and decisions, assign actions, and set deadlines.
After the meeting, the minutes are sent out to board members. They must then sign off on decisions via e-signature, set reminders on actions, notify directors of new uploads, and enable votes on any business that is still open or requires approval. Between meetings, the board portal is there to help directors, administrators, and the leadership teams to interact and collaborate more effectively.
The most important factors to consider when you are checking whether you have secure board portal software are:
- Where and how the documents within the portal are stored and made available for access
- How documents are protected when users send and share them
How Data and Documents in a Board Portal Are Stored - What to Look Out For to Stay Secure and Compliant
Data Storage
One of the key promises of easy-to-use board portal software is that it enables directors to securely access confidential documents anytime, from anywhere. Wherever that data is stored needs to be watertight, so first it is important to check whether the board portal software provider you are engaged with uses only fully encrypted storage and secure servers.
You should also ask about the procedures for the disposal of stored data. At Admincontrol, we guarantee that all information is erased and use a certified provider for data storage media deletion.
Security Management Processes and Compliance
It is not just important to know how and where your data is stored. You also need to know that your board portal software provider has robust security processes that cover its entire business, process, and products. In particular, it's key that the provider engages with third-party testing procedures and industry-recognised certifications. The most important elements to check for are regular penetration testing, a SOC 2 report, and ISO 27001 certification.
Penetration Testing
Any board portal’s mobile and web applications should have a strong shield against hackers that is verified by regular penetration and security testing. Such tests should be carried out regularly by third-party security experts who attempt to penetrate the system and find security holes that a hacker could potentially exploit. Ask your board portal software provider who is doing this testing on their behalf and how often.
Bug Bounty Programs
Companies with a mature security program also participate in Bug Bounty programs. This is a proven way of testing the security of a service with ethical hackers. The difference between ordinary penetration testing and a Bug Bounty program is the number of security testers that are testing a service. Relying only on a single penetration test performed at regular intervals is no longer sufficient. With a Bug Bounty program, a service is tested by many ethical hackers continuously.
Cyber Threat Intelligence (CTI)
With the increased threat landscape and change in geopolitical risks, organisations must also evaluate and keep themselves updated on threats toward their business. This also applies to your suppliers, so that you don't end up with a supplier that may introduce additional risks. Supplier security has therefore become much more important.
At Admincontrol, we receive threat intelligence from several sources to ensure that we are able to detect new threats towards our solution and services.
External Audit Via SOC 2 Type II Reports
SOC 2 was developed by the AICPA (American Institute of Certified Public Accountants) and defines criteria for the management of user organisations’ data based on the Trust Services Criteria. These criteria relate to controls associated with security, availability, confidentiality and privacy.
Always ask whether your board portal provider is meeting these criteria. A SOC 2 report ensures that your board portal software provider keeps data private and secure while processing or in storage, makes data accessible at any time, and implements specific controls relating to confidentiality and privacy of information.
ISO 27001:2022 Certification
ISO 27001 is the international standard that describes best practice for an Information Security Management System (ISMS).
An ISMS is an effective way of ensuring the proper management of information security and sufficient controls to reduce the risk of data breaches. It also provides a solid base for achieving compliance with the relevant data protection and privacy regulations such as GDPR.
The ISO 27001:2022 certification is a critical test of any board portal provider because it covers the entire business, process, and products and demonstrates a commitment to providing excellent security throughout every aspect of its service.
When evaluating an ISO 27001 certification, it is important to look at the scope of the certificate, to identify what the certification actually covers. Some companies choose to only certify parts of their company or rely on a certification from the data centre, which does not necessarily cover the services and solution that one would expect.
To provide trust to our customers, Admincontrol has chosen to certify Admincontrol as a whole, including the delivery of our service to our customers, which also includes the secure development of our product. We also ensure that our sub-contractors have their certifications in place.
What to Look For In a Board Portal Solution For Secure Content Sharing
As well as looking at data storage and security management certifications, it is also crucial that you review whether your board portal software provider has specific measures in place to protect data in transit and ensure that only authorised users can access it. As a minimum, this means that the board portal your organisation adopts should include the following:
Secure Communication Channels Within the Portal
Secure portals ensure that all communication stays within the secure boundaries of the portal so that it is never carried out via insecure and vulnerable channels like email.
Role Based Permissions to Restrict Access to Confidential Documents
Easy-to-use, secure board portal software provides customisable permission settings, so that only certain users can access particular documents of varying confidentiality levels, depending on their roles.
Distribution Control
How do you ensure that the business-sensitive information you have is not downloaded and sent elsewhere? A secure service must also provide functionality so that you can control the distribution of the documents you share.
At Admincontrol, we provide download restrictions and watermark functionality, so that you can prevent further distribution of the documents or keep track of where the file originated.
Device Control to Prevent Information Falling Into the Wrong Hands
One of the big efficiency advantages of digital board portals is that they are accessible on mobile devices via a native app. There are dangers to be aware of here, though. A secure portal provider should enable your IT administrators to remotely wipe the content in the app if the device is lost or stolen. In addition, it should allow you to manage which devices the user can access the board portal on. The technology should also include protection against jailbreaking – the process used to remove software restrictions that are put in place by the device manufacturer.
Another issue is that people use many devices today that are shared with family members, so it is important to limit access to a certain number of approved devices.
In all these scenarios, and for your approach to security in general, it is crucial that the level of security is controlled and managed centrally by the organisation and not by end users.
Secure Electronic Signing for Remote Approval of Board Documents
E-signatures are a particularly important feature within secure portals because they enable directors to sign the minutes of board meetings and other corporate documents remotely, securely and in compliance with company and official guidelines.
To make sure the electronic signing within your board portal software is fully secure and provides the appropriate trust level and legal compliance, you’ll need to check the compliance level and accreditations of the eSignature solution. At Admincontrol, we have partnered with Signicat AS, and as such are one of only a few companies who can use the EU Trustmark and are part of the EU trust list.
All Admincontrol’s data processing is performed within the EU/EEA, and both Signicat and the data centre used for processing are ISO 27001 certified.
Compliance with General Data Protection Regulation (GDPR)
EU and UK GDPR regulations lay out specific requirements for businesses and organisations to fulfil key objectives relating to data protection. They also set clear requirements for the security of personal data. When you are checking whether your chosen board portal solution complies with these requirements, any security certification scheme such as ISO 27001 or a third-party assurance report such as SOC 2 will provide proof that sufficient security and the right level of data protection are in place.
Two Factor Authentication to Overcome Weaknesses in User Passwords, Restrict Access and Ensure Stringent User Verification
Over the years it has been proven that 90% of passwords can be cracked in less than six hours, two-thirds of people use the same password everywhere and 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords.
Two Factor Authentication helps to solve this problem because it is an additional layer of security that ensures only authenticated users gain access to an online account. Initially, a user will enter their username and a password as usual. Then, rather than gaining access straight away, they will be required to provide additional information. This second factor could come from one of the following categories:
- A code from an authenticator app on a phone, or a code sent by SMS
- A biometric indicator, like the user’s fingerprint (Touch ID) or facial recognition (Face ID)
Two Factor Authentication is fundamental to the security of any board portal. It should be provided as an option by any board portal company that takes security seriously. If the option is available to you, make sure you enforce its use within your security policies.
The effectiveness of these measures is well proven: Microsoft has stated that 2FA is effective at preventing 99.9% of attacks on accounts.
Other Factors to Look For In a Secure Board Portal Software Provider
On top of evaluating your board portal software provider’s approach to data storage and protecting systems through technical means, we also recommend that you check the provider’s approach to employees and the protection of physical resources.
The top areas to review here include:
Screening and Background Checks
Does your provider screen all new employees before employment is offered within the company? Screening should include background checks on the employee’s previous roles (including reviewing public information about the employee being involved in negligent or criminal incidents).
Confidentiality
All employees within your chosen board portal provider must have signed non-disclosure statements that ensure that employees fully understand their duty to keep information they acquire as part of their work fully confidential, both during and after their employment.
Secure Areas
The production environment within your board portal software provider should be secured to prevent unauthorised physical access or damage to the organisation’s information and information processing facilities. The aim here is to prevent loss, damage, theft, or interruption to the organisation’s operations.
Physical Entry Controls
Secure areas should also be protected by appropriate entry controls to ensure that only authorised personnel are allowed access.
The right supplier should be open about all their physical and non-physical security measures, be willing to listen to your questions and provide you with assurances that all possible processes are in place to keep your data secure and protected at all potential vulnerability points.
Find Out More
Board portal software is essential for any organisation that wants to improve the efficiency and quality of senior level communications while saving time, money and accelerating decision making.
Reviewing the guidance provided in this article will help you establish whether your chosen supplier meets all these requirements, while keeping your confidential board data secure.
At Admincontrol, we make the issue of security one of our top priorities and will be happy to answer any questions you may have about any of our security arrangements.