Digital Shreds: Armor Inside Documents
You can shred or destroy documents, but in this age of sharing and sending computer-based information via myriad communications means, the better strategy aims at placing protection into documents so that they automatically “digitally shred” when appropriate.
Protecting government, corporate and customer information is a top priority for today’s security directors and their chief executives and information technology departments. The risks of data leaks are greater than ever and failure to protect information has serious consequences for companies of all sizes, including lost revenue, damaged corporate brands, customer lawsuits and jeopardized product development.
Last August it was reported that the former IT director of Lightwave Microsystems, an optical components company that is now part of NeoPhotonics Corp., San Jose, tried to sell trade secrets contained on backup tapes to his employer’s competitor. This corroborates findings from the Ponemon Institute, which earlier this year found that almost 70 percent of the 163 U.S. Fortune 1000 companies they surveyed reported security breaches by insiders, 39 percent of these leaks being confidential business data.
Customer concerns
Customers don’t think companies take enough precautions to protect their personal information. According to PrivacyRights.org, over 50 million Americans have had their identifying data compromised since last February’s ChoicePoint incident, where ID thieves made off with the personal information of 145,000 consumers.
Organizations devote tremendous resources to preventing unwanted access to enterprise applications, yet routinely distribute unsecured electronic documents containing sensitive information. While it is critical to secure enterprise systems and the network perimeter, this is only part of the solution. Much of a company’s valuable information resides in electronic or paper documents, and these materials have to be protected. If not, sensitive data can be opened, printed and shared at will. Organizations need a virtual document surveillance team or digital shredder.
When it comes to handling paper and electronic documents, many organizations are implementing Information Classification Management (ICM) strategies to specify who can and cannot view information. The best ICM strategies combine simple document labeling procedures – “For Public Consumption” or “For Exec Team Only,” for example – with technology to help enforce document access policies. This allows organizations to go beyond limited security approaches that focus only on document storage and transport, and protect the lifecycle of a document as it moves inside and outside an organization.
The goal is to have security always residing within a document. For instance, financial and government organizations are gaining better control over information by using Portable Document Format (PDF) files that control who can open and print materials or how long recipients can access materials. The files can contain tracking mechanisms to show who received materials and if the files were opened. The files can be revoked at any time by the author or anyone in the organization with the proper access, or the files can have built-in expiration dates when they can no longer be opened. PDF also supports digital signatures with strong encryption technology and public key infrastructure support to assure information hasn’t been altered since it was sent.
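The controls listed above (per-user open and print rights, expiration, revocation, tracking and tamper detection) can be sketched as one authorization check. This is an added example, not code from the article or from any PDF product; the function names, the policy fields and the HMAC that stands in for a PKI digital signature are all assumptions made for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

SERVER_KEY = b"constructed-demo-key"  # assumption: known only to the policy service
REVOKED = set()                       # document ids withdrawn by the author
AUDIT = []                            # tracking: one record per access attempt

def _mac(policy):
    body = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def seal(policy):
    """Attach an integrity tag so the policy cannot be edited by a recipient."""
    return {"policy": policy, "mac": _mac(policy)}

def authorize(sealed, doc_bytes, user, action, now):
    """Return 'allow' or a 'deny: ...' reason; every decision is logged."""
    p = sealed["policy"]
    if not hmac.compare_digest(_mac(p), sealed["mac"]):
        decision = "deny: policy altered"
    elif hashlib.sha256(doc_bytes).hexdigest() != p["sha256"]:
        decision = "deny: document altered"
    elif p["doc_id"] in REVOKED:
        decision = "deny: revoked"
    elif now >= datetime.fromisoformat(p["expires"]):
        decision = "deny: expired"
    elif action not in p["rights"].get(user, []):
        decision = "deny: not permitted"
    else:
        decision = "allow"
    AUDIT.append((now.isoformat(), p["doc_id"], user, action, decision))
    return decision

def demo():
    doc = b"Q3 forecast (constructed sample document)"
    sealed = seal({"doc_id": "doc-001",
                   "sha256": hashlib.sha256(doc).hexdigest(),
                   "expires": "2030-01-01T00:00:00+00:00",
                   "rights": {"alice": ["open", "print"], "bob": ["open"]}})
    t = datetime(2029, 6, 1, tzinfo=timezone.utc)
    late = datetime(2030, 1, 2, tzinfo=timezone.utc)
    out = [authorize(sealed, doc, "alice", "print", t),   # permitted
           authorize(sealed, doc, "bob", "print", t),     # open-only user
           authorize(sealed, doc, "bob", "open", late)]   # past expiry
    # A recipient extends the expiry date but cannot recompute the tag.
    forged = {"policy": dict(sealed["policy"], expires="2099-01-01T00:00:00+00:00"),
              "mac": sealed["mac"]}
    out.append(authorize(forged, doc, "bob", "open", late))
    REVOKED.add("doc-001")                                # author revokes
    out.append(authorize(sealed, doc, "alice", "open", t))
    return out

if __name__ == "__main__":
    print(demo())
```

The integrity check runs first so that an edited expiry date or rights list is rejected before any other rule is evaluated, and denied attempts are logged alongside allowed ones.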
Recent events highlight that the financial costs and business risks of improper information disclosures are high. Although securing the network from the outside is a must, organizations can’t ignore that often the bad guys are on the inside. Integrating an effective ICM system that incorporates both procedures and technology, and addresses the issue of securing and controlling information at the document level, is a major step towards creating a fully secure enterprise.