Years ago, when organizations experienced viruses running wild through their email systems, they simply shut down email until the problem was resolved. If they were worried about data leaving via USB sticks, they would blanket block the use of USB ports throughout the entire organization. We see this same model being applied to data protection within the collaboration space — classify data as being sensitive and block it from being shared.
This model fails miserably. A block-by-default policy goes against the business models of today, which rely on employees, partners, suppliers, legal counsel and other outside parties who must collaborate with each other using sensitive information.
Particularly noteworthy are communications between executive management and the board members, who not only are outside of the corporate IT perimeter but who also have access to some of the company's most sensitive financial and strategic information. However, the more a document has to be accessed outside the company, the greater the risk of leakage, so a company's sensitive documents are at much greater risk than other documents. Also note this irony: The more confidential the data is, the more it's likely to be shared beyond the board, with auditors, strategy consultants, external counsel and others.
Companies have no way to ensure a consistent application of security measures. In addition to putting their own documents at risk, using unsecure collaboration applications may result in the firm violating its contractual obligations to protect its partners' confidential information.
To address some of these risks, organizations typically apply perimeter security that's intended to prevent information from leaving the corporate network. Some of these technologies include firewalls, network intrusion prevention systems (IPS), data loss/leak prevention (DLP) and more.
But the main problem with this "protect the perimeter" approach is that these tools focus on protecting the infrastructure layer, not the document itself, which must travel securely outside the enterprise.
Another way to look at this is through document compliance management (DCM), a discipline that proactively manages information risk that arises from sharing documents electronically. A main goal of DCM is to provide a secure means for end users to collaborate within corporate and regulatory policy for all approved parties, including employees, board members and externals.
As boards, by necessity, move documents outside the firewall, members' demands for collaboration come into conflict with corporate demands to protect that data through a consistent policy application and control over distribution. DCM seeks to reconcile these demands by creating security provisions that move with documents throughout their life cycles, both inside and outside the network.
Consider the scenario where inside counsel is required to work with outside counsel to prepare information for the board book, each sharing sensitive legal documents with their counterparts on the other end. They need to maintain control over their documents after they have left the corporate network and they are required to keep a full audit trail of all document activity. They may deal with documents of varying levels of sensitivity and need an easy way for non-technical document authors to apply the appropriate controls to each document. Moreover, the most sensitive documents require additional protection after download to prevent forwarding, saving or printing.
To secure all such interactions, corporate policy makers should risk-rank business processes, define security policies and classifications and roll them out to end users in a secure way. This would ensure the proper use of documents, doing so in a way that is easy and transparent for the end user, without putting the end user in the unenviable position of having to make policy decisions. It must be simple enough that users will be comfortable doing their jobs within the systems they are already familiar with, as opposed to working around a protected system that is blocking them from collaborating.
Companies tend to focus on the tactical problems they face with data protection and often look to solve them with technology delivered by their traditional perimeter security vendor. If an organization really wants to be successful in enabling secure board communications, they must approach the problem at the document level. They must also define and enable their end users, partners and others to securely collaborate within the boundaries of their internal and/or regulatory constraints.
PETER WEGER is CEO of Brainloop, which uses document compliance management to make online collaboration safe and compliant, giving users the peace of mind to focus on their business goals. For more, visit www.brainloop.com.