Security of confidential documents a significant problem
An executive at a US insurance firm sent out a document that contained confidential information, including employees’ names, email addresses, birth dates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans. The problem was that the email was accidentally sent to an external mailing blast list.
As a result of the incident, the insurance firm had a loss of revenue and the employee was fired. Damage control also included additional time cleaning up what they could of the mess.
This is one incident highlighted in a new study by the Business Performance Innovation Network. The study, entitled “Getting Control of Document Flow: Exploring Exposure and Risk In Document-Related Data Breaches” and sponsored by Foxit Software, shows there is a growing need to improve security practices surrounding confidential documents in most organisations today. In a global survey of managers and information workers, six out of every 10 respondents said they or someone they know has accidentally sent out a document they should not have.
In another example, a marketing firm was editing a document combining their comments with their client's edits. The comments were meant for internal eyes only and included some non-flattering language about the client. One of the executives accidentally sent out the feedback to the wrong distribution list, which included the client.
Not surprisingly, the marketing company lost that client almost immediately, and that employee was reprimanded but did not lose their job.
Some 89% of survey takers believe document security risks are growing in their organisation due to increased connectivity and the proliferation of mobile devices. The accidental sharing of confidential documents with a wrong party is by far their biggest concern.
Among key findings:
- 95% of respondents expressed concerns about the security of documents in their organisation
- 75% say their organisations create confidential documents on at least a weekly basis
- Less than one-third said their company has security solutions that are being effectively used in protecting document security
- Some 43% report that their company does not have widely understood policies for document security of which they are aware
- Only 16% say their organisation is “very effective” in stopping the loss or accidental distribution of confidential digital documents
“Most companies are clearly not doing enough when it comes to protecting the security of high-value information contained in documents,” said Dave Murray, head of thought leadership for the BPI Network. “Our study indicates that a wide range of information that could compromise businesses is vulnerable to inadvertent leaks, as well as intentional theft. Organisations need to do more to set explicit document security policies and educate employees on available tools and best practices in securing the confidential information they handle.”
BPI noted the public incident involving the Red Cross Blood Service, where data on 550,000 blood donors was accidentally published to the public. Data included names, gender, address, date of birth as well as information on “at-risk sexual behaviour.”
Another incident involved an employee of the Australian Immigration Department who inadvertently shared the passport numbers, visa details and other personal identifiers of all world leaders attending the G20 Brisbane summit with the organisers of the Asian Cup football tournament. Victims included Barack Obama, Vladimir Putin, Angela Merkel, Xi Jinping, Narendra Modi, Shinzo Abe, Joko Widodo, David Cameron and many more.
Accidentally sending a confidential document to the wrong party was by far the biggest area of perceived risk in the study, identified by 61% of respondents. Other top concerns were cyber-breaches of critical documents (37%), intentional leaks by employees (33%), and sensitive documents shared without permission by outside partners (31%).
Confidential documents are created in a wide range of departments within an enterprise, resulting in numerous types of high-value, at-risk information, according to the report. Survey participants ranked their concern for a wide variety of confidential, at-risk information. Top concerns in ranked order included:
- Financial data
- Employee records
- Legal documents
- Business contracts and agreements
- Trade secrets and intellectual property
- Business, marketing and sales plans
IDG News Service