Keeping Board Data Safe

Directors often see sensitive information—whether that’s a credit union’s financials, legal questions or member data. So, it stands to reason that the information directors are accessing needs to be highly secure to protect the organization and its members. Fortunately, modern board portal solutions can help. 

Eliminating Email Risk

With 3.9 billion users in the U.S. alone, email is a convenient, ubiquitous way to communicate. However, because it is so commonplace, it’s easy to have a false sense of security. 

“Although email may seem private, it is not a secure method for discussing board-related matters or sharing sensitive documents,” says Ian Warner, president/CEO of CUES Supplier member Aprio Inc., Vancouver, British Columbia, who wrote more about this topic at cumanagement.com/0319emailvotes. “Board members often use their personal email address for credit union communications, which brings a potential security risk considering these are usually less secure than corporate email channels.”

Data breaches are costly, too. 

Warner references a 2020 study from IBM Security: “The average cost of a data breach in the U.S. exceeds $8 million and can take up to 280 days to be identified and contained,” he says. “This is not a risk that any board should be willing to take.

“People are also likely to use the same password across multiple web services,” he continues. “Every year, hundreds of millions of login credentials are leaked due to a data breach, making it easy to see why board communication shouldn’t be done through email. In July, a group of hackers managed to take over the Twitter accounts of over 130 public figures, including Elon Musk, Jeff Bezos, Bill Gates, Warren Buffet and more. The hackers were thankfully only trying to make some money by encouraging the victims’ followers to send Bitcoin.”

Warner says it’s easy to imagine how things could have gone differently had the public figures’ email accounts been hacked. “The cyber-criminals could have easily manipulated corporate decisions, having a long-standing impact on the organizations and their employees. For instance, the hackers could impersonate one of the victims to approve a plan to reduce a significant portion of the workforce, sell shares of the company or manipulate its stock. Or, more simply, they could have leaked board information to the press, which could have caused significant damage to the organizations.”

While the faces might not be famous, the risk is equally real for credit unions.

Board portals alleviate the risk of using email. “With today’s technology, board portals are purpose-built with industry-leading security measures,” Warner stresses. “The best offer end-to-end encryption, enabling a user to access the board portal anywhere—even through such non-secure connections as public Wi-Fi—and remain fully secure. Also, permissions control can restrict how directors view or download specific documents. And, if a device is lost or stolen, the administrator can either lock or wipe the board data from the device remotely. Two-factor authentication and biometrics provide additional support (on smartphones and tablets) and help prevent unsolicited access even if a user’s password has been compromised.”

With secure portal access, directors can gain assurance when voting remotely (particularly relevant since COVID-19) that the data surrounding votes is critical for any board to protect, Warner adds. “The voting process captures a board’s decision-making process, and it’s important that not just anyone has access to this information.

“Other documents and functions that contain data also are critical to protect,” he continues. “In not-for-profit organizations, the board meeting’s agenda (and related documents) may not be as important to protect since they are often made public. However, a private corporation can’t afford to have its financials fall into the wrong hands,” Warner notes. “Credit union boards often have access to sensitive documents, some of which contain personal member data. These items require a secure platform.”

Data Governance Best Practices

Kenny O’Reilly, president of CUES Supplier member MyBoardPacket.com, Arroyo Grande, California, thinks that boards will do the best job of securing their data when your IT team provides data security guidelines for directors to follow. 

“Each credit union should review its unique concerns and implement a policy that dictates its data’s safety, how it is accessed and stored on a director’s device,” he says. “Consider drafting a written policy on data use, signed by each board member, or a short training session for each volunteer.” 

For example, directors can be taught to be very careful in the ways they handle the devices they use for their board work.

“Unless an individual is extremely cautious with their personal device (keeping it protected with a strong password, meticulously logging out after each use, ensuring the device isn’t shared among the family, etc.), storing credit union data on a personal device is not wise,” he says.

In this vein of good device management, O’Reilly says the most infallible way to keep data secure is by providing each board member with his or her own tablet—and using the portal to restrict logins, allowing the board member to only sign in with the single tablet assigned to them. 

That way, he continues, “you control the device and the material going through it. Data is ‘containerized’ within the device, and the files controlled (edited, saved, deleted) by the credit union’s administrator.”

He also recommends two-factor authentication be part of your board data policy. “Many portals offer it,” he says, “but board members (and credit unions) are often reluctant to use it. Some individuals may complain that it’s cumbersome or less convenient, or difficult to have handy an additional login key. It may be an extra step, but the additional key offers another layer of protection.” Consider a source like yubico.com, he says, but there are many.

O’Reilly is surprised at the number of CUs that continue to email confidential data, strategic plans and sensitive member information. “Even if the file is password-protected or encrypted, once your board member unlocks the file, it lives, unfettered, on that device. The board member can forward the material and print it. If the individual is not diligent in keeping the computer locked or using a shared device among family members, the data becomes vulnerable. 

“In today’s world, it makes no sense to use personal email to communicate and share information with board members,” he reiterates. “If a computer becomes compromised, that’s a problem, and it can lead to a greater chance of phishing. Board members are targets to fraudsters and should be trained to avoid becoming a phishing statistic since scammers can easily find out who serves on a credit union’s board.”

Portals Part of Security Evolution

Not surprisingly, COVID-19 has fast-tracked the digital transformation of credit union board governance—and continued the need for data security.

“We are amidst the third evolution of how board and leadership meetings are conducted and secured,” explains Paroon Chadha, CEO of CUES Supplier member Passageways, Indianapolis. “The first generation began in the boardroom with paper documents and parcels mailed. As computers became commonplace, the second generation, defined by the transition to digital delivery and consumption, included governance by email and email attachments. Other enhancements, such as file encryption and centralized repositories like Dropbox or Google Docs, also played a role. Yet, for all the virtues of going digital, this process proved just as chaotic as paper and frankly felt like ‘digital duct tape.’

“Today’s digital governance platforms help promote board engagement while providing a streamlined experience so directors, even those skeptical of technology, find it straightforward and intuitive,” adds Chadha. “A progressive platform should also maximize your board’s time and experience, evaluate governance maturity and, above all, enable faster, more informed decisions. But given the sensitivity and density of the information shared with the board, organizations must first ensure their chosen board platform has a world-class security foundation.”

This level of security is nonnegotiable, continues Chadha. “Any platform used by the board of directors must encrypt information at every step. Capabilities should include continuous breach monitoring, remote wiping of data, and a company experienced and compliant with information security standards like ... SOC 2 Type I and II. Organizations should not use free software for board communication, where there is no guarantee of data protection, as there is typically no contract signed with free offerings. It’s not just a better board experience at stake, but reducing your liability makes this a no-brainer.”

A board management platform should also offer secure capabilities that support a credit union’s broader governance goals. For example, Chadha says that directors and CEOs should have the capacity to collaborate and govern outside of meetings. This can be supported by such features as encrypted chat, secure e-signatures and task management.

Also, if a legal or confidential matter is shared via email, data risk is heightened. 

“This is especially so if a board is involved in the discovery portion of the litigation,” he says. “It can be the difference between a credit union spending thousands of dollars on a secure information platform and tens of thousands of dollars in attorney fees. When information runs through a single secure platform such as OnBoard, the data is centralized, and risk diminished. It provides peace of mind that the information will only be accessible by its intended audience, with no worry that it might accidentally be shared or forwarded to an outside individual.”

“The ongoing crisis will permanently reshape how we work — how organizations govern,” concludes Chadha. “Credit unions will be the bedrock of our revival. Our communities need them to flourish. And that means effective governance.”  cues icon 

Stephanie Schwenn Sebring established and managed the marketing departments for three CUs and served in mentorship roles before launching her business. As owner of Fab Prose & Professional Writing, she assists credit unions, industry suppliers and any company wanting great content and a clear brand voice. Follow her on Twitter @fabprose.