Comment: Reducing Document Security Risks without Raising User Resistance

IT can do everything right, such as provide first-class security infrastructure, develop reasonable security policies and engage in extensive communication and training – yet users will still fail to comply
IT can do everything right, such as provide first-class security infrastructure, develop reasonable security policies and engage in extensive communication and training – yet users will still fail to comply

Human factors play a central role in security, and recent research confirms what IT managers have long suspected: users, as they naturally go about trying to do their work, present grave security risks.

As an example, a study conducted by the Ponemon Institute found that users do everything from downloading data onto unsecured mobile devices (61%) to using web-based personal e-mail for business documents (52%). These activities present security risks and probably violate company security policy.

When trying to mitigate these risks, IT is too often portrayed as the security heavy, imposing what users view as onerous steps in the name of security. Feeling these steps hinder their productivity, users go to great lengths to avoid or circumvent even the most reasonable security measures, creating significant vulnerabilities in the process.

It’s hard to blame users. They are just trying to get their jobs done as effectively as possible – something both IT and the business want. Still, that leaves IT having to force security compliance on people, which is a difficult and thankless task. IT can do everything right, such as provide first-class security infrastructure, develop reasonable security policies and engage in extensive communication and training – yet users will still fail to comply.

Balancing Security and Productivity

Ideally, organizations should strive to adopt security measures that do not impose an undue burden on end users. The challenge is to blend security measures as smoothly as possible into people’s working procedures without reducing usability.

For example, if IT offers collaboration within a user-friendly, transparently secure work space to eliminate the need for users to send sensitive documents by e-mail, then users can benefit from the collaboration and workflow tools built into the platform. And because the environment is inherently secure, users are following best security practices without making any conscious effort to do so.

Following are five examples where IT can facilitate user productivity while automatically promoting safe security practices within specific business practice areas. The examples illustrate unsafe processes that introduce security risks, along with ways to reduce risks without raising user resistance. In each case, security procedures are built into the core business procedures. Even better, if the environment streamlines processes and improves efficiency, then users will make it their preferred work environment.

In some cases, such as those involving negotiations, the secure environment actually gives workers a distinct advantage. And as people experience the advantages of working within such an environment, such as increased efficiency or negotiation leverage, they readily return to make use of these advantages. As a result, IT no longer needs to force compliance with document security procedures. Users willingly comply, often without even realizing it.

 

  1. Group collaboration on documents: People often use e-mail even though delivery isn’t assured and e-mail contents can be intercepted. It’s easy to accidentally send e-mails to the wrong person with a similar name. But by creating a central document repository accessible from inside or outside the firewall, IT can reduce the risk by offering an alternative to sending unsecured e-mails. A central repository also simplifies version management because all authorized users can access the current version, without having multiple versions in circulation. The ability to track receipt and viewing of documents via an audit trail accelerates workflow and supports corporate and regulatory compliance requirements, adding usability that helps increase user acceptance.
  2. Outside communications with third parties or offsite employees: When documents must be shared outside the firewall, particularly with people who require authorization to download or edit them, the danger of losing control over the documents increases. When that happens, the business cannot confirm who has seen the material and whether unauthorized copies are in circulation. To reduce this risk, IT can use rights management for sensitive documents to disable saving, printing and forwarding, and to retract access after a specified date, if warranted. Participants can still track access using a repository, as previously described, to ensure they have the most recent version.
  3. Confidential bidding and negotiations: Preventing physical documents from being leaked to unauthorized parties is costly, and it’s also difficult to gauge interest level. But due diligence documentation can be protected in an online environment as long as key security provisions are in place. These include managed access control, permission management, encryption at rest and in transit, and document protection measures, such as watermarking and rights management.
  4. Mobile or multi-location workers: Users often take files home on a USB storage device, creating the risk of losing the device and its contents. Alternatives include the use of a cumbersome VPN or continually synching remote laptop and desktop systems with data-center systems. The best approach is to offer safe and convenient online access to centrally stored and secured files. This eliminates the need to copy files to USBs or synch to remote systems. And because internet access has become a near-ubiquitous commodity, employees can work productively in almost any location.
  5. Boardroom minutes and sensitive communications: Board books and other documents are at risk during distribution by e-mail, and sending hard-copy documents by mail or overnight delivery services is usually undesirable due to time and cost constraints. It’s also hard to create effective decision-making structures outside of scheduled meetings. But by deploying a secure access system to all documents, IT eliminates the risk of e-mail distribution and the expense of courier services. IT can also provide online voting and other collaboration tools to facilitate decision making and communication outside of scheduled meetings.

The aforementioned examples show how IT can provide document security in an online environment that is centrally managed and with policies transparently enforced.

By building security into users’ working procedures, and by applying best-of-class usability methods, security may be viewed by users as a convenience, rather than a nuisance.

From the IT department perspective, deploying a properly secured online workspace with these properties eliminates the need to enforce heavy-handed security policies on reluctant users. Instead, policies can be enforced transparently and automatically, resulting in enhanced security while reducing tension between IT and users.


Claudia Böttcher has over 20 years of experience in document management, data processing and security. She is currently director of product management at Brainloop and is responsible for the company’s secure collaboration application. Before joining Brainloop, she worked at Fraunhofer Institute for Information and Data Processing and at IXOS Software AG, where she was responsible for designing, developing and operating the company’s online services. Dr. Böttcher holds a PhD in information systems from the University of Paris XIII.

What’s Hot on Infosecurity Magazine?