Get Your Board Members Up to Date With Cybersecurity
Some boards are having to manage security in a digital environment for the first time. How do you keep your association secure? A mixture of policy and technology might do the trick.
A lot of association boards are still fairly new to seeing the big picture of how technology can shape their organization. One fallout, triggered by the pandemic but not limited to it: Board members may be thinking about the group’s cybersecurity for the very first time.
Jeff Middlesworth, chief product officer at Boardable, said that the pandemic created a digital shift that many boards were unprepared for, in part because their meetings were assumed to be in person, as mandated by their bylaws. Replacing physical meetings with videoconferencing creates new concerns.
“There’s an inherent surety about printed documents,” he said. “Of course, you can leave them on the subway or on the airplane. But they’re inherently way more secure than digital documents.”
The digital element creates security concerns that many boards have struggled with, especially because board members’ technical know-how can vary widely.
Read on for suggestions on improving your board’s cybersecurity.
What Boards Should Consider About Cybersecurity
To start with, boards should not approach this aggressively.
“I’ve seen a lot of executive directors use scare tactics,” Middlesworth said. “I find when it comes to security, that’s not very helpful.”
Instead, he recommends approaches that combine policy and technology. Board members are different from regular employees. For example, board members may communicate using a professional email account from another organization.
Middlesworth said that board members should be made aware that the association’s staff won’t necessarily be able to manage a board’s security issues. “There’s an assumption that this is all being taken care of—that there’s a lot of techies outside of this board that are taking care of us. And more often than not, that’s really not what’s happening,” he said.
One approach is to have a dedicated security committee. Middlesworth suggests that associations that don’t have the resources for a dedicated committee assign security to an existing committee, ideally one that has a strong mix of leadership and technical know-how. Middlesworth said that this often turns out to be the executive committee.
“I find more often than not, your executive committee will probably have someone that has some IT background, or they’ll have some sort of governance, or a lawyer, or something of that nature,” he said. “And it’s also well-suited to that.”
But ultimately, he added, “It all depends on what you’ve got on your board.”
Middlesworth also recommends that any software you use for board management have the ability to restrict content downloading, so that the information cannot be shared as freely as a traditional PDF.
“You want to make it easy to get to, but you don’t really want them to download that, then email it to their Kindle, and then sell their Kindle to their grandson,” he said.
How Board Members Can Protect Themselves
Of course, while the board itself can create stricter standards, it’s still important for board members to improve their own security.
Middlesworth suggests that board members use two basic security elements, each of which is compatible with the other. The first is multifactor authentication, which requires users to log in with the help of an additional device. This tends to be secure, but board members with less technological ability may find the approach too complex.
“Multifactor is a tough hurdle to get over with some of them, but you’ve got to start there,” he said. “If it goes through, great; if you get pushback, figure out how to work through that.”
An alternative approach that may be a bit easier is single sign-on (SSO), in which access to other applications goes through a primary login interface. This can either be done through an existing application suite, such as those made by Google or Microsoft, or through a dedicated third-party tool, such as Okta.
“That adds a huge layer of security to your world, because you’re not going to pass around your Gmail username and password—or at least I hope not,” he said.
Preparing for the Worst
Even good cybersecurity isn’t 100 percent impenetrable. But putting in the right policies can go a long way, even with boards that aren’t technically savvy.
Given the natural turnover of boards, Middlesworth recommends building a strong onboarding curriculum that includes cybersecurity, incorporating security considerations in nondisclosure agreements, and crafting strong policies around security. Taking steps to improve your data security practices can give you a strategic advantage.
In addition, the committee that owns the bylaws around cybersecurity should take steps to periodically audit them.
“It doesn’t have to be overly sophisticated, but at least there’s a purpose and there’s people named who own that, review it, audit it, and make adjustments, because there probably are going to be adjustments at least every year,” he said.