Dear reader,

Welcome to the December 2018 edition of The Director’s Dilemma. I write these dilemmas based on my twenty years’ experience consulting to boards and helping them to avoid becoming front page news, banned or fined. The reputation damage and career impacts of a board gone awry can be severe.

My ‘joy in work’ is to help boards and directors avoid becoming the next disaster and instead become the next great success. I do this by diagnosing board processes and procedures to identify latent problems, and guiding clients to address threats before they eventuate.

To read this email in a browser, go to www.mclellan.com.au/newsletter.html and click on 'read the latest issue'.

This month our case study protagonist faces a dilemma caused by poor password practices and sloppy security. I hope you enjoy thinking about the governance and strategic implications of the latest dilemma:

Grace is a director and chairs the People and Culture Committee of a large government owned corporation. Her board receives its papers on a portal that directors access with a user name and password.

Last week Grace lost her laptop while going through security at a busy airport. She only turned her back for a few moments, but it was gone when she turned around. There was no CCTV footage that showed who picked it up.

Grace bought a new laptop and suffered a few days trying to locate or recreate all her passwords as she had the old laptop programmed to automatically fill them in for her. She finally has everything and has logged on to the portal to read her board papers.

These were sent to her yesterday and it is the first time she has logged in to start the arduous job of reading and considering them, but the portal shows the files without bold text and the ‘h’ button says she looked at them last night.

One of the papers considers the award of a large construction contract and all three of the shortlisted companies are listed. Another paper, because it is nearing calendar year end, considers the performance of the CEO’s direct reports and contains their current salaries, bonus recommendation, and planned salary increase for the following year.

Grace is mystified. How can this be? Has she suffered a cyber breach and, if so, what should she do?

Steven's Answer

Such a cyber breach scenario is likely for Directors in today’s highly connected digital environment. Providing convenient access to sensitive information has taken precedence over cyber risk prevention and risk mitigation. Unfortunately, most organisations only pay attention to cyber risk mitigation and/or prevention after a cyber breach.

It is clear that this organisation has suffered a significant cyber breach.

It is time to act with clarity and leadership to minimise the impact on the organisation, its director(s) and its key affected stakeholders.

This breach needs to be addressed at a holistic business level before an information technology level response is considered. It is, though, critical for the information technology department to immediately prevent similar occurrences from happening to any other person.

The CEO and/or Chairman should take immediate charge and formulate an integrated business response. They need to seek input from key internal people including legal counsel, public relations, Chief Risk Officer, Customer Relations and Head of Operations. They may also choose to seek external advice from relevant experts in this matter in their relevant jurisdiction.

An official response needs to be crafted to all the affected parties involved as soon as possible. The relevant government authorities need to be notified. The organisation needs to provide sufficient coherent information on the actual scope of the cyber breach as is commercially and legally responsible (unless a criminal investigation is underway). Being upfront about the problem and taking responsibility is much better than trying to hide something and then for others (government authorities, affected clients) to find out via social media. Grace will lose her clients’ and other key stakeholders’ trust by seeking to hide something. Your organisation’s and the key senior executive’s reputation will take a hit from which it may be difficult to recover.

Steven Dujin is Managing Director & Co-Founder at Cyber Risk Assurance Pty Ltd. He is based in Sydney, Australia.

Julie's Answer

Nearly 30% of board members reported losing or misplacing a phone, tablet, or computer in the past year according to Forrester Research.

Grace’s first step is to inform the IT staff at each of her boards what has happened. They may be able to help secure data on her laptop using remote lock or wipe it to prevent further access. Grace may need to let her boards know that she is doing this – that will depend on the communication protocols of each board – a director should not contact staff about a business matter without letting the CEO know.

Next Grace should sit down with the chief legal officer of the board whose data she believes has been compromised. They need to consider what is contained in the papers and whether this constitutes a reportable data security breach. If it is reportable, they can assist in reporting to appropriate authorities.

Next Grace needs to change every password that she has not already recreated. Some directors use a formula to help create and remember their passwords, but it must be unpredictable. She should also get remote lock down and wiping capability, and learn how to use it. Grace can store her documents in a vault such as Dropbox rather than keeping them solely on her new computer.

Grace should also ensure that she doesn’t respond inappropriately to any phishing or scam emails that may arrive in the next few weeks attempting to gather more data from her. Even if an email appears to come from a trusted source, she should verify that it is genuine before clicking or responding.

Julie Garland McLellan is a non-executive director and board consultant based in Sydney, Australia.

Andrew's Answer

This is best addressed in two parts: what Grace should do right now; and how to avoid similar incidents in the future.

Most importantly, Grace must not panic. As a matter of priority, Grace should immediately change her passwords for all applications and web sites she would typically access from her laptop to curtail further access from the laptop thieves.

Grace should then proceed to inform her fellow directors and the cyber security team of the organisation for which she chairs the People and Culture Committee of the suspected cyber breach. Working with the board portal vendor, the cyber security team can obtain a recent login history and ascertain, based on login time and location, which logins were not made by Grace and confirm or deny a cyber breach occurred. In the event of a breach they will assess the impact and determine whether the breach must be disclosed in accordance with the Notifiable Data Breaches scheme and report the incident to law enforcement. 

To prevent future incidents, Grace should enable the disk encryption that is available on her laptop. All Mac and Windows laptops issued in the last four years have this capability. Grace should use a cloud-based password vault to store and automatically fill in her passwords rather than rely on a web browser for this. These two simple practices would make it almost impossible for Grace’s passwords to be stolen and used to access the board portal. Grace and her fellow directors would also benefit from elementary cyber risk training.

Andrew Bycroft is CEO of the International Cyber Resilience Institute. He is based in Sydney, Australia.
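Andrew's point that the login history can settle whether a breach occurred is worth making concrete. The following is an added example, not code from any of the contributors or from a board portal vendor: it parses a constructed login export and applies the two rules a security team would start with. The log format, field names, device identifiers (Grace-MacBook, Grace-MacBook-2), IP addresses, document names and the time of loss are all assumptions made for the example.

```python
"""Added example: triage of a board-portal login history.

Not code from any contributor or portal vendor. The log format, field
names, device identifiers, IP addresses, document names and timestamps
are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample export. The portal is assumed to write one event per
# line: an ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2018-11-26T08:12:03+11:00 user=grace ip=203.0.113.10 device=Grace-MacBook geo=Sydney,AU event=login result=success
2018-11-26T08:40:51+11:00 user=grace ip=203.0.113.10 device=Grace-MacBook geo=Sydney,AU event=document_open doc=papers-2018-12.pdf
2018-11-27T14:05:22+11:00 user=grace ip=198.51.100.77 device=Grace-MacBook geo=Sydney,AU event=login result=success
2018-11-27T23:41:09+11:00 user=grace ip=198.51.100.77 device=Grace-MacBook geo=Sydney,AU event=document_open doc=contract-award.pdf
2018-11-27T23:43:30+11:00 user=grace ip=198.51.100.77 device=Grace-MacBook geo=Sydney,AU event=document_open doc=exec-remuneration.pdf
2018-11-28T09:02:17+11:00 user=grace ip=192.0.2.55 device=Grace-MacBook-2 geo=Sydney,AU event=login result=success
"""

LOST_AT = "2018-11-27T10:30:00+11:00"  # assumed: when the laptop vanished at the airport
LOST_DEVICE = "Grace-MacBook"          # assumed: device identifier of the stolen laptop
TRUSTED_DEVICES = {"Grace-MacBook-2"}  # assumed: the replacement laptop Grace has confirmed


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    device: str
    event: str
    doc: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse the key=value export into Event records, ordered by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(Event(datetime.fromisoformat(ts_str), kv["user"], kv["ip"],
                            kv["device"], kv["event"], kv.get("doc")))
    return sorted(events, key=lambda e: e.ts)


def triage(events: List[Event], user: str, lost_at: datetime,
           lost_device: str, trusted_devices: Set[str]) -> List[Tuple[Event, str]]:
    """Return (event, reason) pairs that the director could not have generated herself.

    Rule 1: anything from the lost device after the loss time is the thief's
    (browser autofill means the stolen laptop logs in as Grace without a
    password being typed). Rule 2: anything after the loss from a device she
    has not confirmed as hers is held as suspect until she confirms it.
    """
    flagged = []
    for e in events:
        if e.user != user or e.ts < lost_at:
            continue
        if e.device == lost_device:
            flagged.append((e, "lost device used after reported loss"))
        elif e.device not in trusted_devices:
            flagged.append((e, "unrecognised device after reported loss"))
    return flagged


def exposed_documents(flagged: List[Tuple[Event, str]]) -> List[str]:
    """Papers opened in flagged events: the scope the legal officer needs for a notifiability assessment."""
    return sorted({e.doc for e, _ in flagged if e.doc})


def run_example(trusted_devices: Set[str] = TRUSTED_DEVICES):
    events = parse_log(SAMPLE_LOG)
    flagged = triage(events, "grace", datetime.fromisoformat(LOST_AT), LOST_DEVICE, trusted_devices)
    return flagged, exposed_documents(flagged)


if __name__ == "__main__":
    flagged, docs = run_example()
    for e, reason in flagged:
        print(f"{e.ts.isoformat()} {e.ip:<15} {e.device:<16} {e.event:<14} {reason}")
    print("documents exposed:", ", ".join(docs))
```

On the constructed log the 14:05 login on the day of the loss is the first event that cannot be Grace's, and the two document opens late that evening are the "looked at them last night" that the portal shows her; the list of opened papers is what goes to the chief legal officer. The device-identifier check matters because a thief using the stolen laptop with its saved passwords looks, in IP and location terms, exactly like Grace.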

Book review - Setting the Tone from the Top by Melinda Muth and Bob Seldon

This book provides practical and easy to implement ideas for doing what we all know to be one of the board’s most important jobs: setting the right culture and tone.

Regular readers of The Director’s Dilemma may recall my review of Bob Seldon’s book Don’t. This book takes the practical advice on sentence construction, word choice and clarity from general to specific boardroom use. It is excellent.

Setting the Tone From the Top gives board members techniques, tips and strategies for conversing effectively with each other, with executives and stakeholders, to ensure all views on key topics such as conduct, risk and strategy, are canvassed, heard and evaluated.

It starts with an evaluation of culture, how it is formed in start-ups, how it is shaped by successive management and board evolution, and, most important, how it can be shaped by adopting new practices. Basically, the book is about clarity of intention, clarity of communication and congruence of action.

Directors play an important role in setting the tone at the top; it is important that we recognise and manage the impact our words and language have on the company. The book concludes with practical strategies and ideas that any board or director can implement. I’m now busy practicing what I learnt from reading it. I hope you will enjoy it, benefit from it, and be better directors as a result!

Available online from The Australian Institute of Company Directors

Julie's news – In November

I was thrilled to be recognised for my 20 years’ service to the Australian Institute of Company Directors. It was such an honour, and also a shock at how much time had passed and how busy it has been. Governance keeps evolving and directors need education, support and community. It has been an honour and a privilege to work with so many aspiring and improving directors and to work with so many great governance experts. It has also been a lot of fun!

On the work front; I had another lovely trip to Oman where I presented a two day advanced governance masterclass to a group of amazing directors and senior compliance executives. I also saw a little bit more of the beautiful country and enjoyed a bargain in the souk!

The Gordon Director’s Group mastermind session was another highlight and we really enjoyed investigating science and Australia’s role in space followed by a presentation from Carolyn Chalmers who was visiting Australia as part of the working group preparing the new ISO 47,000 standard for international governance.

AGM season is well advanced in Australia and I have been busy preparing and attending annual meetings for my boards and a few clients. I have also enjoyed some great strategy sessions with clients and am starting to feel that it is time to take a well deserved rest. Have a great Christmas break, enjoy your own rests and let me know if you have any suggestions for dilemmas or need for facilitation or governance work.

I am always keen to work more and will be delighted to hear from you if you would like to arrange a board strategy workshop, education session, or board performance review. Just call me on the number below or reply to this email for a discussion of how I might help your board.

Inspirational quote for December - This month my favourite quote is:

A note on names - A few readers have asked me where I find the names for the protagonists in each case study; I 'borrow' them from people I meet or things that I read. Grace is a virtue as well as a woman’s name. Our protagonist needs to live up to her name and improve her practices.

This newsletter - If you have any ideas for improving the newsletter please let me know. If you are reading a forwarded copy please visit my website and sign up for your own subscription.
Suggestions for dilemmas - Thank you to all the readers who have suggested dilemmas. They are greatly appreciated. I will answer them all eventually. I could not write this newsletter without your help and without the generous help of all the experts who respond each month to the case studies.
Be a contributor - If you would like to attempt a response to the dilemmas for publication you will be most welcome. Simply reply to this email and let me know.
Let's connect - I use LinkedIn to share information about boards and directorship with my friends and acquaintances. If you use LinkedIn and we are not yet connected I will welcome a connection from you. You can find me at linkedin.com/in/juliegarlandmclellan.
Let me help you - If you would like me to speak to or train your board, staff, audience and/or group please contact me at julie@mclellan.com.au.

Farewell until the next issue (due 1 February 2019). I look forward to greeting you again then. In the interim I hope you will enjoy health, happiness and hard work as well as a lovely holiday.

Enjoy governing your corporations; we are privileged to do what we do!

Best regards,

Julie


Photo Credits: Personal images in this newsletter are provided courtesy of the contributors, course attendees and conference participants. Main Photo by mentatdgt from Pexels.

Disclaimer: The opinions expressed above are general in nature and are designed to help you to develop your judgement as a director. They are not a definitive legal ruling and do not constitute legal advice. Names and some circumstances in the case study have been changed to ensure anonymity. Contributors to this newsletter comment in the context of their own jurisdiction; readers should check their local laws and regulations as they may be very different.

Privacy: I am privileged to have your contact details and keep them as safely as possible. I will alert you if they are ever accessed by any unauthorised person (the technical staff at ayuda help with publishing and issuing the Director's Dilemma and have access so they can send the newsletters to you). I do not sell your details to anyone; they are kept only for the intended purpose - sending you this newsletter and helping to build the judgement of company directors by providing a safe way to consider potential responses to real life events.