The Perils of Corporate Email Addresses for External Board Engagements: A Governance Imperative

In an increasingly digital age, the choice of communication channels for board-level discussions carries significant implications for security, confidentiality, and corporate governance. A pervasive, yet often overlooked, risk arises when board members utilise their primary corporate email addresses (i.e., those provided by their primary employer) for their external board responsibilities with a different organisation.
This practice, while seemingly convenient, potentially exposes both the board member and the external organisation to a multitude of security vulnerabilities and governance challenges, which warrant rigorous re-evaluation.
The Inherent Vulnerability of Corporate Email Systems
Corporate email systems are designed and maintained primarily to serve the interests and security parameters of the issuing organisation. When these accounts are used for external board duties, the control over sensitive information pertaining to the external board can shift from that board to the primary employer’s IT infrastructure and policies. Athena Board has specific mitigating controls to address this at both an admin and a user level.
Most board portals do not offer the multi-layered security approach that Athena Board does, which may lead to compromised access when considered in line with the issues below:
- Cybersecurity Risks and Data Breaches: Corporate email systems are constant targets for cyberattacks. Phishing, malware, and sophisticated persistent threats are designed to compromise these accounts. If a board member’s corporate email is compromised, not only is their employer’s data at risk, but all confidential information pertaining to the external board they serve is also immediately exposed. This creates a cascading risk where a breach at one entity can inadvertently compromise the security of another, leading to severe reputational damage, regulatory penalties, and financial loss for the external organisation.
- Internal IT Access and Oversight: It is standard practice for corporate IT departments to have full access and oversight over all email accounts hosted on their servers. This access is essential for system maintenance, security monitoring, compliance with internal policies, and, in some cases, legal discovery. While typically governed by strict internal protocols, the reality remains that:
  - Unintended Disclosure: IT staff, while performing legitimate duties, may inadvertently gain access to highly confidential board discussions and documents of an unrelated entity. This creates a privacy concern and breaches the expectation of confidentiality inherent in board proceedings.
  - Employer Policies: The primary employer’s IT use policies may permit monitoring or even auditing of email communications. This means that board-related correspondence, even if unrelated to the primary employer’s business, could be subject to review or retention by the primary employer.
  - Departure of IT Staff: While less common, the departure of IT personnel who had access to such data, or disgruntled employees, could pose an elevated risk of deliberate misuse or disclosure.
- Lack of Control and Data Retention Policies: The external board has no control over the data retention policies or backup procedures of a board member’s primary corporate email provider. This can lead to situations where critical board documents are deleted, archived, or become inaccessible without the external board’s knowledge or consent, hindering continuity and historical record-keeping. Conversely, data may be retained longer than legally required for the external board, creating unnecessary data liability.
The Imperative for Dedicated Board Communication Channels
To mitigate these substantial risks, organisations must implement clear policies that mandate the use of secure, dedicated communication channels for all board members. This typically involves:
- Dedicated Board Portal: The most robust solution is a secure board portal such as Athena Board. Athena Board has been purpose-built for board communication, offering end-to-end encryption, granular access controls, audit trails, device level security controls, and data sovereignty. Athena Board eliminates the reliance on vulnerable email systems entirely.
- Neutral, Personal Email Addresses (with caution): As a less ideal, but sometimes necessary, interim measure, board members could use a personal email address (e.g., Gmail, Outlook.com) that is entirely separate from any corporate affiliation. However, even these accounts do not offer the same level of security, governance, and administrative control as a dedicated board portal. A case in point is the recent, massive Gmail data breach. They also rely on the board member’s personal security practices, which may vary.
- Organisation-Provided Email Addresses: In some cases, the external organisation may provide a dedicated email address (e.g., [boardmembername]@externalboard.org) for the sole purpose of board communications. While better than using a primary corporate email, this still lacks the comprehensive security features of a board portal.
Conclusion
For robust corporate governance and the steadfast protection of sensitive information, the practice of board members using their primary corporate email addresses for external board duties must be actively discouraged and ultimately prohibited.
Organisations, in particular, must adhere to stringent privacy and data security standards. The potential for inadvertent disclosure, cyber compromise, and loss of control over critical information far outweighs any perceived convenience. Investing in secure, purpose-built communication platforms, such as a board portal, is not merely an IT recommendation but a fundamental governance imperative that safeguards the integrity and reputation of the organisation.
Athena Board includes a multi-layered security approach. This, when combined with sophisticated device management and audit, ensures that inadvertent leakage of confidential data is prevented.
Athena Board can help. Contact us at sales@athenaboard.com.