Most companies don’t secure confidential docs

George V. Hulme

March 23, 2017

Most companies don’t secure confidential docs

A vital, actually a most fundamental, aspect of enterprise security is helping organizations to keep confidential information confidential. This is why security at the data and document level is something to which much more attention should be paid by enterprises. 

And a report, Getting Control of Document Flow: Exploring Exposure and Risk In Document-Related Data Breaches, just issued from the Business Performance Innovation (BPI) Network (sponsored by Foxit software) found that 60 Percent of survey respondents said sensitive documents have accidentally been sent to someone who probably wasn’t authorized to see the document. No big surprise there, in fact I think most of us have forwarded something we shouldn’t have to someone at some point in our work lives.

The BPI Network survey, based on responses from business owners, CEOs, executives and knowledge workers from more than 200 companies from various nations was fielded in the final quarter of 2016 and part of first quarter 2017. It found that 89 percent of those surveyed believe that increased connectivity and mobile devices is increasing document risk.

Other key findings from the survey found that 95 percent of respondents have serious concerns about the security of documents in their organizations; 75 percent report that their organizations generate confidential documents weekly (I think this is a serious underestimation); while not even one-third of respondents say that their organization is effectively using their security technologies to protect documents. Finally, about 43 percent report that the policies for document security in their organizations are widely understood and 16 percent said that their organization is “very effective” when it comes to mitigating the inadvertent distribution of confidential materials.

While many may assume that confidential documents come from the executive suites or deep within research lab somewhere, the fact is confidential documents are generated by nearly every department. Survey participated sited, in order, the following types of high-value confidential data: financial, employee records, legal documents, business contracts and agreements, trade secrets and intellectual property, business, marketing and sales plans.

This survey harkens to a survey that was published last year in CSOonline, Study: Most companies can’t protect confidential documents, which found that most companies don’t have the security controls in place that would stop employees from sharing confidential documents. In this study, about 36 percent of the 600 IT professionals surveyed said that their organizations could restrict confidential document sharing, with only 27 percent being able to do so between employees, the story says.

That survey also found that at 58 percent of companies, employees use online file sharing services and that at times staff will keep confidential documents on their personal computers and devices, the story reports.

Finally, nearly 70 percent of those surveyed in the CSOonline story said they don’t know where their confidential data and documents are located.

While some may find this surprising, I don’t. Whenever one steps outside of the military or certain government agencies organizations are very poor at classifying information (everything ends up classified has confidential and everything becomes “classified”). So most civilian organizations just don’t bother to try to classify and maintain information classification levels.

What happens, predictably, is enterprises don’t know where their most sensitive and important data resides so they can’t always make the best business risk decisions. This was the case when I surveyed several thousand enterprises around the globe in 1999 and I suspect the results won’t be much different if the same survey were conducted today or in another 20 years.



George V. Hulme

George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.

View all posts

You might also like