Directorship in cyberspace
As conference centre manager at Brisbane Technology Park, Kellie Heiler is very aware of the changing role of technology in the boardroom.
“Electronic white boards, data projectors, HD videoconferencing and the use of high-speed broadband are all commonplace now,” she says. “Not long ago, people were impressed by the
100 Mb fibre-optic broadband we have here. Now there’s growing demand for podcasting, webcasting and webinars. It’s considered a necessity.”
Videoconferencing is particularly efficient in terms of time and cost – a meeting in Europe used to mean a week out of the office. “And, you’re not limited to being in one place at a time,” adds Heiler. “When you link with multiple sites your meeting can include people in, say, India, America and the UK.”
David Roper GAICD, managing partner of CIO Partners and chairman of NASAA Certified Organic, considers virtual conferencing to be one of two essential IT tools.
“Cheap or free internet solutions such as Skype are a great way to go,” he says.
“They’re perfect for directors who carry a laptop and need to attend a meeting from a hotel room. They support video and audio calls, and they can also be used if you only have access to a normal telephone. However, some board meetings each year should still be held in person; video and teleconferencing can’t beat the personal quality of face-to-face discourse.”
In his view, the other essential is email for distributing board papers and notifying or resolving key issues that occur between board meetings. “Again, this needs to be used judiciously,” he says. “Some directors may focus less on an email than they would on discussion in a formal meeting. We also need to remember that standard email over the internet isn’t totally secure; IT departments can provide encrypted email software where privacy is assured.”
In many companies, the paperless boardroom is already a way of life. “A lot of boards are using laptops or iPads for board papers and distributing them electronically,” says Bruce Linn FAICD, who heads a strategic management consulting business and is chairman of the national Internet Industry Association. “When the documents are in PDF format, they can’t easily be edited and as they’re easy to store, it’s also easy to search for information from a previous meeting. A number of companies have set up a secure website for the board – a board portal – so directors can download papers rather than receive them by email.”
Not yet quite so familiar, cloud computing allows board papers and other corporate data to be securely uploaded onto a server in the “clouds” rather than the corporate server.
“Cloud computing means companies now have a real option of downscaling their own IT resources – and the risks associated with having their own IT resources – by using professional data rooms spread around the world,” continues Linn. “I think some very significant business decisions will need to be made around this emerging area.”
Growing risks to security
It’s heady stuff – especially as many directors began their careers when board papers were paper, phones were attached to wires and computers stayed firmly on the desk. As late as 1994, when Linn started one of Australia’s first internet service providers (ISPs), few people had even heard of the internet.
“In little more than a decade, it has gone from being something no one knew about to central to everyone’s business,” says Linn. “We also believe the rate of change will increase as the pervasiveness and complexity of the internet grows.”
Directors are under mounting pressure to embrace the opportunities associated with technologies such as social media and electronic commerce, but it seems that few are rising to the challenge.
“At a recent conference in Christchurch, for instance, we had a workshop session on social media,” says Linn. “It attracted a lot of interest, but the number of directors who had ever used Facebook or LinkedIn, or even knew the first thing about social media, was disappointingly low.”
Many directors are equally unaware of the risks inherent in new technology.
“Wherever technologies are interconnected through the web or another interface there is a risk that someone will penetrate the system to eavesdrop on data, transmissions, saved files or other confidential information,” says Rodger Manning GAICD, cyber safety business manager at QinetiQ Australia. “And, when it comes to security, people are always the weakest link.”
The high-profile nature of directors and executives attracts so-called “whale-fishers” – those who target the biggest “fish” in the sea – but few directors realise how easy it is to get caught. “When we run cyber safety training courses for directors and executives we use ordinary internet search engines such as Google to gather information about a volunteer,” says Manning.
“Directors are usually amazed by the size of their internet footprint. For instance, we might find their children have been talking about where they live, what mum or dad does for a living and the details of their next holiday. We might find what clubs they belong to and other personal information – invariably enough to build up a comprehensive dossier on a specific executive or director. Then we show how easy it would be to spoof them with a fake email.”
It’s remarkably easy to fake an email – everything anyone could need to know is spelled out on YouTube – and that email can be convincing in every detail. For example, if you know a particular friend is on holiday in Bali and you receive an email telling you what a great time he or she is having and which includes details like the names of his wife and children – perhaps even your own partner and children – why wouldn’t you click on a link to look at the photos? When you do, you will actually be downloading malicious software, which your regular antivirus software is unlikely to detect.
“We continuously test the top 14 commercial brands of antivirus software with malware threats as they emerge,” says Manning. “The most effective find about 40 per cent of them and it typically takes the others two to three weeks to catch up. That’s two to three weeks when commercially valuable information could be extracted from an organisation without anyone being aware of it.”
This is exactly how several major oil companies were reported to have been attacked in 2008. “Despite being among the largest global corporations and therefore well-placed to understand and afford very sophisticated IT security, senior executives were again identified as the weak point,” continues Manning.
“In this case, it wasn’t a personal message – directors all received emails asking them to comment on new legislation. They actually linked to websites infected with malicious software, which enabled the attackers to extract proprietary information, including highly valuable intellectual property data relating to the identification of future reserves.”
Some people make life even easier for the bad guys. Blackberries and iPhones are easy to lose and if they aren’t locked with a password, anyone who finds one has free access to information. Yet, Manning has found that the most difficult group to convince to take even this simplest of steps is executives and directors – the people who need it most.
A presence on the board
Another new issue challenging boards is the threat of cyber attack – the modern-day equivalent of industrial espionage.
“Broadly, large companies can suffer attacks from people who are effectively spying on them to gain economic advantage,” says Linn. “For instance, if a large mining company is negotiating contracts overseas, a competitor could hack into its systems and extract sensitive information that would put it at a serious disadvantage. And attacks like these can be relatively easy if companies are less than diligent in protecting their data resources.”
While not all directors can be specialists, IT needs to be seen as a high potential risk item on the board agenda. “Just as with legal, accounting, environmental and other areas of risk, every director is equally accountable if things go wrong,” says Roper, a specialist in board IT governance. “Governance of the IT aspects of the business is not about understanding the technology but ensuring the business risks of using that technology are being adequately addressed. Technology is a double-edged sword when used to run the business. It’s great for automating controls that would otherwise be laborious and prone to human error, but issues such as cyber crime can create even greater problems if the organisation is not aware of, or becomes complacent about, the totally new set of risks technology can introduce.”
Linn suggests every board should include someone who understands IT and the role it plays in the organisation. “Those of us who come from the IT industry have been saying for a decade or two that there’s a dearth of skills in technology around the board table,” he says.
“You would hardly consider having a board without accounting or legal expertise, yet there’s often a yawning gap in an area that permeates every aspect of the business.”
Too much of a good thing?
There may be no escaping technology but there are times when we need to draw a line.
Videoconferences:“There’s no substitute for a face-to-face meeting, looking someone in the eye, having a debate and coming to a position of agreement on an important decision,” says Bruce Linn. “Videoconferences can be very useful supplements to face-to-face meetings, but technology has a long way to go before it can replace them.”
PowerPoint: A graphic where it’s needed, a slide to highlight a particularly point – PowerPoint can be an extremely useful tool. But presentations featuring dozens of slides with 25 bullet points each manage to be simultaneously boring and distracting.
Texts and tweets: “The chairman should ensure all directors have turned off their mobile phones, plus PC-based email and instant messaging software, before commencing any board meeting,” says David Roper.
Loud voices: Travellers tend to assume no one can hear their phone conversations in places like a crowded airport lounge. Next time you’re there, pay attention and you might be surprised by how much you learn – and to realise how much others might learn from your own calls.
Email: “Never email something you wouldn’t say to the person’s face or hide behind email to criticise someone rather than talking it through,” advises Linn. “If you write an angry message, leave it in your draft folder overnight and review it before you send it.”
Any technology that isn’t working: “Pre-test the equipment before the meeting and if you’re really uncertain, get the professionals in to help,” says Kellie Heiler.
Technology for its own sake: “Technology is a tool that can help directors fulfil their duties and responsibilities,” says Rodger Manning. “Becoming enamoured with, or focused on, the technology for its own sake won’t further the effectiveness of the board.”