It takes ten minutes and costs nothing. It also won't fix the thing your board should actually be worried about.

A director on one of your boards keeps the board pack in a personal Gmail account. The minutes are there, the draft resolutions, the frank exchange about an executive who isn't working out. Protecting all of it is a password and, if you're lucky, a code texted to a phone. That is the standard of security guarding some of the most sensitive information your organisation produces.

There is a free fix for part of that problem, it takes about ten minutes, and most directors have never heard of it. It's Google's Advanced Protection Programme. Turn it on. Then read the second half of this post, because switching it on is the easy ten percent of the job, and the hard ninety percent is somewhere else entirely.

Why a director's inbox is worth attacking

Start with what an attacker gets from breaking into a director's email. Not just the contents, though board strategy, financials, and personnel matters are valuable enough, but something better: a trusted identity. An email that genuinely comes from a director's real account, asking the finance lead to approve a payment or change supplier bank details, is far more convincing than any spoof.

This is the engine of business email compromise, and BEC is not a fringe risk. In its 2024 Internet Crime Report, the FBI's Internet Crime Complaint Center recorded around $2.8 billion in reported US losses to BEC, the second-costliest category of cybercrime that year behind only investment fraud. In the UK, reported fraud losses run into the billions annually, and the National Cyber Security Centre has warned that AI is already making attacker impersonation cheaper and more convincing. The classic BEC pattern impersonates a senior figure precisely because authority short-circuits scrutiny, which puts directors, by definition, in the firing line.

One detail worth holding onto: most BEC is sent from free webmail accounts in the first place. Fortra's analysis of Q2 2024 found that 72% of BEC attacks were launched from a free webmail domain, with Gmail by far the most commonly used provider. The lesson for a board isn't that Gmail is uniquely dangerous. It's that a message arriving from a perfectly normal-looking personal address proves nothing about who sent it. And a director's own hijacked account is the most convincing launchpad an attacker could ask for.

This is, in other words, exactly the scenario Google built Advanced Protection for. The programme's own guidance recommends it for people whose accounts hold valuable or sensitive information, naming business executives explicitly. That describes your board.

What Advanced Protection actually does

The programme is Google's strongest tier of account security, and it's free. Three things change when you enrol.

First, and most importantly, sign-in requires a passkey or a physical security key rather than a password and a texted code. This is the part that matters most, because it defeats phishing. A passkey is bound to the real site's address, so a look-alike login page can't get a valid sign-in out of it; it can't be typed into a form or read out over the phone, and it can't be intercepted or relayed the way an SMS code can. It's the single biggest upgrade available to any account.

Second, you get stricter checks before downloading files or installing apps, on top of the malware protections already built into Chrome and the Play Store.

Third, a set of security settings that are normally optional get switched on and held on, so they can't be quietly disabled later, whether by the user or by anyone who gets in.

The friction that used to put people off has largely gone. Enrolment once meant buying physical security keys; now a passkey created on the director's own phone, using its fingerprint or face unlock, is enough to enrol. The one genuine piece of admin is setting up recovery options beforehand (a recovery phone and email, and ideally a second passkey or key on another device as a backup), so a lost or replaced phone doesn't mean a lost account.
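To make the first of those three changes concrete, here is a small added illustration of why a passkey sign-in can't be phished the way a texted code can. It is not code from this post or from Google; it models the relevant part of the WebAuthn protocol that passkeys use. The authenticator signs the site's challenge together with the page origin the browser observed, and the real site rejects anything signed for a different origin. The domain names and the challenge string are constructed for the example, and the model is deliberately simplified to the checks that matter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the subset of WebAuthn's CollectedClientData that matters here.
// The browser, not the web page, fills in Origin, so a phishing page cannot lie about it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is a simplified WebAuthn authentication assertion.
type assertion struct {
	clientDataJSON []byte
	rpIDHash       [32]byte
	signature      []byte
}

// passkey models one credential held by an authenticator for one relying-party ID.
type passkey struct {
	rpID string
	priv *ecdsa.PrivateKey
}

func newPasskey(rpID string) (*passkey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &passkey{rpID: rpID, priv: priv}, nil
}

// signedBytes reproduces what WebAuthn signs: rpIDHash || SHA-256(clientDataJSON),
// so both the origin and the challenge are covered by the signature.
func signedBytes(a *assertion) []byte {
	cdHash := sha256.Sum256(a.clientDataJSON)
	h := sha256.Sum256(append(a.rpIDHash[:], cdHash[:]...))
	return h[:]
}

// sign is what happens when the browser at browserOrigin asks the authenticator
// to answer a challenge. The origin recorded is the one the browser is really on.
func (p *passkey) sign(challenge, browserOrigin string) (*assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, err
	}
	a := &assertion{clientDataJSON: cd, rpIDHash: sha256.Sum256([]byte(p.rpID))}
	sig, err := ecdsa.SignASN1(rand.Reader, p.priv, signedBytes(a))
	if err != nil {
		return nil, err
	}
	a.signature = sig
	return a, nil
}

// verifyAssertion is the relying party's check: ceremony type, challenge, origin,
// rpID and signature all have to match, which is what makes a relayed assertion useless.
func verifyAssertion(a *assertion, pub *ecdsa.PublicKey, rpID, expectedChallenge, expectedOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(a.clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, expectedOrigin)
	}
	if a.rpIDHash != sha256.Sum256([]byte(rpID)) {
		return errors.New("rpID hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedBytes(a), a.signature) {
		return errors.New("bad signature")
	}
	return nil
}

// verifyOTP is the SMS-code check for contrast: the code carries no origin,
// so a code typed into a phishing page and relayed to the real site is accepted.
func verifyOTP(submitted, issued string) bool { return submitted == issued }

func main() {
	// Constructed names for the example; the challenge would be fresh random bytes in practice.
	const rpID, realOrigin, phishOrigin = "accounts.example", "https://accounts.example", "https://accounts.example.evil.test"
	pk, _ := newPasskey(rpID)
	challenge := "c29tZS1yYW5kb20tY2hhbGxlbmdl"

	// Honest sign-in: the browser really is on the relying party's origin.
	direct, _ := pk.sign(challenge, realOrigin)
	fmt.Println("direct login:", verifyAssertion(direct, &pk.priv.PublicKey, rpID, challenge, realOrigin))

	// Phishing relay: the attacker forwards the genuine challenge to the victim, whose
	// browser is on the look-alike origin and truthfully records that origin.
	relayed, _ := pk.sign(challenge, phishOrigin)
	fmt.Println("relayed login:", verifyAssertion(relayed, &pk.priv.PublicKey, rpID, challenge, realOrigin))

	// The same relay against a texted code simply works.
	fmt.Println("relayed OTP accepted:", verifyOTP("482913", "482913"))
}
```

Run it with `go run`. The direct sign-in verifies; the relayed one fails on the origin check even though the attacker forwarded the genuine challenge and the victim genuinely approved the prompt; the relayed SMS code is accepted because nothing in it says where it was typed. A real browser stops the relay earlier still, because a passkey is scoped to the site's domain and a page on a look-alike domain cannot ask for it at all; the example lets the signature happen so that the relying party's own check is visible.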

Two things are called "Advanced Protection". Don't confuse them.

This trips up even the technology press, so it's worth thirty seconds. The Advanced Protection Programme described above lives on the Google account and works on any phone or computer; it's the external lock against phishing and takeover. Separately, Android 16 introduced a device-level Advanced Protection mode, which is an internal lock: one toggle that forces every hardening setting on the phone to its strongest position.

The device mode is more aggressive and comes with trade-offs. It restarts the phone after a long idle-locked period, blocks app sideloading, and can't be partially switched off. It suits genuinely high-risk individuals who expect to be targeted by sophisticated attacks. For most boards, the account-level programme is the right tool, and the good news is it doesn't depend on what phone anyone carries.

On personal Outlook rather than Gmail? Roughly half of directors are. Microsoft's account security works differently and deserves its own walkthrough; that's Part 3 of this series.

Why it's still not enough

Here's where this connects to the first post in this series, which made the point that a more private personal account is still a personal account. The same logic applies to a more secure one.

Advanced Protection hardens the lock on the director's mailbox. It does nothing about who owns the filing cabinet. The account is still personal. The organisation still can't see what's in it, can't set a retention policy over it, can't recover it when the director leaves or falls out with the board, and has no authoritative record of board decisions made through it. Every governance gap that existed before enrolment exists after it. They just sit behind a much better lock now.

So the honest framing is: Advanced Protection is excellent harm reduction for a reality you'd rather not have. If directors are going to use personal email for board business, and many will, whatever the policy says, then a phishing-resistant account is enormously better than the alternative. But harm reduction isn't the same as control, and a board that congratulates itself for switching on a free setting has mistaken the easy part for the whole job.

What to do

  1. Turn it on this afternoon. It's free and takes about ten minutes per account. Set up recovery options first, then enrol with a passkey. There is no good reason to wait.
  2. Make it a baseline expectation, not a suggestion. If directors use personal email for any board business, the board can reasonably require phishing-resistant sign-in as an interim control, and minute that it has done so. It costs nothing and demonstrably reduces a named risk.
  3. Then ask the question the setting can't answer. Where does your board's information actually live, and does the organisation control it? Advanced Protection tells you a single account is hard to break into. It tells you nothing about retention, continuity, ownership, or the dozen other accounts and devices in play. That was the subject of Part 1, and it's where the real work sits.

The point that matters

A free security setting that defeats the most common attack on the most valuable inbox in your organisation is an easy yes. Switch it on. Require it.

Then remember that you've secured the account, not the record. The lock is the easy ten percent. Owning what's behind it is the ninety percent that no toggle will ever do for you.