Your information could be at risk of leaks. Here's why.

Tuesday 25 June 2019 | document management

shutterstock_665882623

If you work in a medium-to-large sized company, and any of your work is document orientated, it's likely that there are a few loopholes in your security and you're at risk of leaks.

"But my information is protected!", we hear you say.

Well. That's exactly what the New Zealand Government Treasury thought before confidential and 'secure' budget information was accessed a few weeks back by people using three IP addresses - numbers that identify computers - including a Parliamentary one.

The real shock was that it didn't take a sophisticated IT hacker to breakdown our Government's innermost security levels. A simple 'correct guess' of a file name in the right search bar saw the entire filing system crumble.

It seems easy to jump to the conclusion of blaming the Government entirely for their huge security oversight but, the truth is, the majority of New Zealand businesses are guilty of the same document storage practices.

So, how can you truly be sure your most confidential documents are safe? We unpack this, here.

How document security typically works

Typically, businesses (the New Zealand Government treasury, included) use document management systems based on folders. The structure of these folders can span both wide or deep, with layer upon layer of folders packed into a file path.

There's a large search bar located at the top of the display - think Google Docs - where users can plug in a key word. The system then searches for file names that are relevant, and presents its findings to the user.

Whether you're able to open and view said files is entirely dependent on the security settings of not only each individual folder, but each individual file within the folder. If your email address is listed as 'able to access' against a folder, you'll be able to access the folder and most documents within it. Of course, if you're not on a document's security list, you still wont be able to open the file.

Understanding human error

It's pretty evident how this system can become a mess quite quickly, especially in a large company with thousands of files in one location. You're relying entirely on your workforce to manually enforce rules and systems all day, every day.

Think about it - your chosen file management system relies entirely on file name to identify a document and its relevancy. If one person has a tired or lazy day and doesn't comply with your triple layered naming conventions, the whole system collapses.

In addition to this, each folder's security rules are set manually by staff. If you wan't a client to be able to access a file, you have to added them to the 'allow access' list individually. The same goes for when someone leaves your company - you're relying to workers to remove that person 's access from both folders and individual files.

Just thinking about that level of admin is a headache! If there's one thing we know about human nature, it's that if it's too hard, we won't do it. That feels like a pretty big loophole to gamble your confidential document's security on.

Metadata as a security function

Fortunately, there is an alternative. Thanks to metadata, there are better ways to organise and secure your sensitive documents than writing a cleverly organised title that the right punter can guess.

In short, metadata defines the properties of any given file; name, date, age, security clearance, status - any tag at all that you think would be useful to define the document.

Straight off the bat, this removes the possibility of 'if you know what it's called, you can see it', and the file information becomes encrypted metadata. It also reduces the risk of human error and pesky file-naming administrative tasks. Rather than telling the system what a file is called, users select metadata that describes what a file is. A far smarter filing system.

"But there's still the possibility that my team will forget to add metadata?" Yes, good point - but not when there are mandatory fields.

A filing system that requires mandatory metadata fields to be filled out before it can even be saved really rules out any lazy moments. No metadata? No save. A simple and effective technique - plus, you set what counts as 'mandatory'.

There's also, of course, the added bonus of how quickly you'll be able to access your files. No more sifting through layer upon layer of files, and sorting documents by file name, you can see what you want as soon as you want it with metadata-based storage systems.

Using groups as an extra layer of security

The final layer of security is having a group-based system, rather than folder-based access.

Imagine this - you set up a group of people within your workplace who are compatible with the tag 'management'. Now, this group will be able to access any file within your entire system that holds the metadata tag 'management'. Easy.

It doesn't just work in hierarchical groups either. You could set a group to cover an entire project and add specific users. Now, any files relating to to this specific project (as defined by metadata) are open to view by the group pertaining to the project.

No more folder security settings, no more individual file security settings - just people, groups and tags.

Perhaps the New Zealand Government could have used a 'management' and 'budget' tagged group?

What if someone leaves?

This is the most brilliant level of security functionality. Say someone leaves your office, and you're relying on one person to go through the system and remove their access to confidential information. There's a huge margin for error there, with thousands of files and levels of access.

With group-based file management, all you have to do is remove the user from the group, and voila, no more access to any documents and files.

Get secure with PIQNIC

If there's anything we can learn from the Treasury's recent slip-up, it's that it's finally time to do away with tradition forms of document management, and opt for metadata and group-based security.

It's the simpler, faster, smarter option.

 

Where did the information go