“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).”
So what’s affected? For starters, it’s already been confirmed that some pseudo document storage options like Dropbox and Google Drive have been exposed. That’s right, if you’re storing your content in either of those (and you can bet Box, too), your entire organization is at risk. So what can be done to prevent leaking your organization’s data? For all the talk about workflow, records retention capabilities, and the litany of fancy ECM features, the biggest reason companies evaluate and deploy document management software remains securing their critical business information.
And yeah, it’s safe from the dreaded Heartbleed.
Organizations have good cause to make security their top priority. According to a recent survey conducted by the Ponemon Institute, data breaches have increased in both severity (54%) and frequency (52%) in the past 24 months, and only 40% of respondents said they had the tools, personnel, and funding to pinpoint the root problem. Not only do many breaches remain undetected and unresolved for months, there are significant expenses involved, from the hard costs associated with lost time and productivity, to the softer costs surrounding loss of reputation and brand damage if the breach casts the company in an unflattering light.
2013 Cost of Data Breach Study
In the 2013 Cost of Data Breach Study: Global Analysis, a report published by Ponemon Institute in collaboration with Symantec Corp., researchers found organizations’ most pressing security problem has less to do with external threats, but rather relates to system problems or human error—conventional mistakes like an employee mishandling data or inadvertently exposing a protected file. These simple oversights have huge ramifications to the business. The study found the cost of data breaches rising to up to $136 per record, on average, which could translate to monetary losses in the millions, depending on the size of a company’s customer database.
Organizations that employ only unstructured means of storing, sharing, and tracking documents—for example, email, basic file sharing systems, or even physical filing cabinets—are most at risk for a breach due to complete lack of document security. With no formal access controls or higher levels of security, there’s nothing stopping an employee from mistakenly emailing a protected document or getting their hands on a file with confidential financial or legal information they shouldn’t see given their role in the organization.
That’s where the formal controls and layered security approach provided by enterprise-grade document management software comes into play. While vendors make all sorts of claims about the security capabilities of their systems, a enterprise document management software should have some core security capabilities, from basic encryption and restricted file access to more granular controls around traceability and audits.
Security features that should be standard with an enterprise-class DMS include:
Basic user access and document rights & permissions.
The base level of the document management system should ideally be the Users and Groups established in the network operating security schema with additional security levels built up from there. For example, in addition to user name and password-protected access to the application, document management software should allow designated taxonomy (filing structure) access in addition to rights and permissions at the document level based on specific job requirements. Such capabilities would allow someone to edit a file while offering someone else view-only access. In much the same vein, someone in marketing would not have access to confidential HR files.
A robust document management system should encrypt files, not just store them in the native file format. Some systems offer single and/or multiple levels of encryption at the storage level and along with compression, which prevents hackers from gaining direct access to information.
Beyond just locking down files, enterprise document management software should keep a comprehensive record of all actions taking place in the system by all users, establishing a so-called audit trail. This affords organizations visibility while keeping users fully accountable for any changes or deletions they might make to a document. Users with the proper access rights should be able to run reports that will depict who has used the system, what documents or files they’ve accessed, and what specific modifications have been done.
Notifications fall into the category of active security monitoring, alerting the administrator or any designated users if the nominated action takes place. In this way, the organization can stay on top of potential problems and even more important, avert a security breach as opposed to reacting once the problem has already occurred.
With the cloud and mobile devices opening up new possibilities and document management use cases, document security issues like the Heartbleed Bug are only going to become more complex. Choosing a document management system like Contentverse that emphasizes multi-layered controls and active safeguards is the only way companies will have peace of mind that their key information assets and documents are properly protected.
About the Author: