New Breach Shows That Nonsecure Board Evaluation Surveys Are a Risky Business

Nicholas J Price
When you don't have the right tools, it's easy to cut corners and use the tools you have, which can put your organization at risk. But, consider this. What if those 'available but not-so-perfect tools' carried some risk of breaching personal or confidential information about clients, shareholders or other people connected with your business? What if you were aware that your current process put data about board directors and company business at risk? Would you continue using nonsecure electronic tools?

That's exactly the question that the latest data breach, of the survey company Typeform, forces us to explore.

Cyberattack on Popular Survey Company: It's Complicated

Typeform is a Spanish company that offers an online survey platform for individuals and businesses that want to use online surveys to obtain information from their clients. Typeform disclosed that they'd been victimized by a cyberattack that took place on June 27, 2018, and that they'd remedied the cause of the breach within 30 minutes. The cybercriminals had downloaded a partial backup of Typeform's customer database that they collected before May 3, 2018.

Some of Typeform's customers, such as the Tasmanian Electoral Commission; Fortnum & Mason, a premier British luxury gift firm; and digital bank Monzo, sent notices to their affected clients, notifying them of the breach. Monzo reported that about 20,000 of its clients were affected.

Typeform's Breach Is a Web of Complexity

The Typeform data breach was similar to a 2011 data breach of the email marketing company Epsilon. The incidents are similar because the breach affected their clients' customers. Customers paid Typeform to use their software to conduct customer surveys and quizzes. Typeform said that they would inform their customers of the breach by email.

Each of Typeform's customers could have up to tens of thousands of their own clients, which could become ancillary victims, essentially amplifying the number of people affected by the breach. Typeform's customers must notify all of their customers of the breach with the understanding that their customers may not even be aware that their data had been transferred to Typeform.

Typeform reported that they weren't exactly sure about the type of information the cybercriminals had obtained through the breach. They know that the criminals obtained email addresses, a small number of Twitter names, ZIP Codes, salary bands and ages. The officials at Typeform don't believe that the criminals were able to get ahold of subscription payment data, passwords associated with Typeform, payments collected via Stripe integrations or audience payment data. Typeform issued a warning to its clients that cybercriminals may have their email addresses and that those affected should be wary of phishing scams and spam emails. These emails often make threats and demand large sums of money or promise things that are too good to be true. Companies should advise their clients that, if something doesn't look right, don't click on it.

This incident should also serve as a warning to the general public to be aware that companies may be transferring their personal information to other companies when they complete online surveys or participate in other online activities. Cybercriminals may be able to secure someone's data before a company announces that their information has been breached.

Board Directors Should Be Aware of Online Surveys for Board Self-Evaluations

Good governance requires boards of directors to conduct board self-evaluations annually, and about 57% of boards are now doing self-evaluations.

Board administrators are learning that offering online surveys is easier and more efficient than distributing paper surveys. Online surveys also make it possible for boards to get the results of surveys anonymously. Applications like Typeform, SurveyMonkey, Google Forms, Client Heartbeat, SurveyGizmo and SurveyPlanet are popular options for board self-evaluation surveys.

As the Typeform data breach indicates, these platforms lack the robust security that companies require for safely sharing data across platforms.

Boards that use personal or day-job email accounts for sending and receiving board self-evaluation surveys add another layer of risk to their annual evaluation process. Personal and business accounts also lack the high levels of security that boards should have for sensitive and confidential board communications.

Secure Board Evaluations Provided By Governance Cloud

The Diligent Board Evaluations module, which is part of Governance Cloud, was designed and built with advanced security measures so that board directors can complete their board evaluations online and be assured that their answers will remain secure and confidential. The module uses the same high-security standards as Diligent Boards™; for example, Diligent is ISO 27001-certified for its Information Security Management System, with SSAE 16/ISAE 3402 (SOC 1, Type 2) controls audited for nine consecutive years.

Using Diligent's Enterprise Governance Management system, board administrators can send and receive questionnaires and surveys using Diligent Messenger within the closed environment of the Diligent Boards platform. Industry-leading data encryption keeps board directors' information safely out of the hands of cybercriminals.

In addition to getting strong security for board business, Diligent's board evaluation module assists board administrators in tracking board evaluations automatically, which promotes efficiency. Evaluations can be submitted anonymously to allow for honest and objective feedback. Board administrators can also create customized reports and analytics to maximize the benefits of doing the evaluations.

Diligent's products are fully integrated and designed so that boards of directors can complete all of their board business within the strong safety of the platform. Boards will no longer have to be concerned about being notified that their board data has been compromised because of a breach in the evaluation process or in the process of transferring the surveys.

Best practices for governance become the norm when boards implement the Board Evaluations module. The software design was built with both directors and corporate secretaries in mind. The Diligent Board Evaluations module integrates seamlessly with Diligent Boards™ to provide clients with a secure and advanced solution for board evaluations. The Diligent Board Evaluations module is as intuitive as it is secure and informative. As the leader in the industry, Diligent is a front-runner in innovation for total Enterprise Governance Management solutions. The right tool for boards to conduct board evaluations is a board portal and board evaluation module, such as the tools offered by Diligent's Governance Cloud.
Nicholas J. Price
Nicholas J. Price is a former Manager at Diligent. He has worked extensively in the governance space, particularly on the key governance technologies that can support leadership with the visibility, data and operating capabilities for more effective decision-making.