How to Secure Sensitive Files and Documents

Much of an organization's most sensitive information resides in unstructured files and documents that are commonly subject to data loss and leakage, especially in today's mobile, Web-based world. IT pros must develop an approach to securing these documents that gives the business the control it needs without stymying employees' productivity.

Are you doing enough to secure your organization's sensitive information? If all your security measures are focused on the volume level rather than the file or document level, chances are the answer is 'no.'

While the security risks associated with sensitive files and documents have been around for as long as sensitive files and documents have existed, two things have combined to increase the scope of the risk. One is today's corporate environment, in which businesses increasingly rely on mobile workers and on collaboration between geographically dispersed workers and business partners. The other is technologies like mobile devices and browser-based file-sharing applications.

"A lot of the issues have been around for a while, but the playing field has changed," says Larry Ponemon, chairman and founder of research think tank Ponemon Institute, which last week released its 2012 Confidential Documents at Risk Study, a survey of 622 IT and security practitioners with an average of more than 11 years of experience. "Everyone wants to connect and they want to do it anywhere and immediately."

Common Practices That Put Information at Risk

Common business practices, frequently leveraged by employees seeking to be more productive, are often responsible for putting information at risk. Five scenarios are among the most common, according to the Ponemon Institute's study. The scenarios are as follows:

  • Employees attach and send confidential documents in clear text from the workplace using Web-based personal email accounts. The Ponemon Institute's survey found that 68 percent of respondents believe this happens frequently or very frequently, and 71 percent say it results in the loss or theft of confidential documents.
  • Employees download, temporarily store and transfer confidential documents in clear text from a workplace desktop to a generic USB drive. Sixty-five percent of respondents say this happens frequently or very frequently, and 68 percent say it results in the loss or theft of confidential documents.
  • After registering with Dropbox, employees move several large files containing confidential business information to the application without permission of the employer. The survey found 60 percent of IT and security practitioners say this happens frequently or very frequently, and 57 percent believe it can result in the leakage of confidential information.
  • Employees download confidential documents to a public drive, thus allowing other employees to view and use this information from various mobile devices. Sixty-two percent of respondents say this occurs frequently or very frequently, and 56 percent say it can result in the loss or theft of confidential documents.
  • Employees download confidential documents to a public drive to collaborate with business partners and view and use the information on tablets. Fifty-five percent of the respondents say this happens frequently or very frequently and 51 percent say it results in leakage of these documents.

Data Loss or Leakage Is Common

And these risks are not merely academic. The Ponemon Institute's study, sponsored by WatchDox, a provider of secure access and collaboration products and services, found that 90 percent of organizations experienced leakage or loss of sensitive confidential documents during the last 12 months.

Security firm Symantec, in its 2012 State of Information Global Survey, released in June, found that two-thirds of businesses had lost important information in the past 12 months due to causes including human error, hardware failure, software failure and lost or stolen mobile devices. Symantec also found that two-thirds of businesses had exposed confidential information outside the organization in the past year, and almost one-third had regulatory compliance issues related to their information in the same period.

"It's really unstructured information that is the life's blood of most organizations," says Ryan Kalember, chief product officer at WatchDox. "Financial documents, image files, PDFs—all of this incredibly sensitive information exists in file or document form. Businesses have done a lot of work in securing information in databases, but we haven't really taken a look at files because they're so much harder to secure."

And in many cases, it is an organization's employees that are putting that life's blood at risk, often because they are trying to be more productive. Network security specialist Palo Alto Networks studied application usage in 2,036 organizations worldwide between November 2011 and May 2012 and found an average of 13 different browser-based file sharing documents on each network. The Ponemon Institute's study found that 51 percent of respondents said their employees use at least one browser-based file sharing tool, and 34 percent said they did not know the extent to which these tools were being used in the workplace.

IT and Security Practitioners At a Loss

The data suggests that IT and security practitioners are well aware of the problem, but seem to be at a loss when it comes to getting it under control. The Ponemon Institute found that 71 percent of IT and security practitioners believe that controlling sensitive or confidential documents is more difficult than controlling records in databases, and 70 percent believe documents accessed by mobile data-bearing devices like smartphones and tablets present a significant security risk.

Furthermore, 70 percent say that employees, contractors or business partners have frequent access to sensitive or confidential documents, even though access to that information is not a job or role-related requirement. Fifty-nine percent say their organizations' controls are ineffective at monitoring employees, contractors or other insiders who access confidential documents.

"We basically saw that people recognize the problem, but they're almost fatalistic about it," Ponemon says. "They see this problem as on the verge of being unsolvable."

"Organizations are struggling with ways to manage or mitigate the risk," he adds. "The only way to solve it is a combination of a technical solution and having smart people that are monitoring it. It's not really a security issue as much as a workflow issue. People have a job to do, and they feel IT is not being very supportive of them, so they turn to alternatives. That's why it's important to have tools that allow people to operate securely."

Considerations for Your Document Security

Because sharing and collaboration have become essential to a productive workplace, Ponemon says the solution to mitigating the risks associated with sensitive documents and files is not to attempt to stop it, but rather to put solutions in place that keep sensitive documents and files secure without requiring draconian end-user security measures that stifle the productivity businesses want to encourage. He recommends organizations consider an approach that includes the following:

  • Identifying information that needs to be secure and protected at all times and enabling full control over every protected document
  • Preventing documents from being accidentally or maliciously forwarded
  • Accessing, sharing and controlling all important documents across the extended and mobile enterprise on any device
  • Allowing employees to access their documents on devices with an intuitive interface that displays documents on any screen
  • Enabling users to send files and collaborate with business partners or other outside parties
  • Keeping third parties from transmitting documents to other third parties
  • Removing access to documents at any time, even from an unsecured PC or mobile device

Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.
