Confidential documents are not being protected properly, and a recent survey found a lack of funding and other issues make digital document security a thorny problem to solve.
Sixty-three percent of IT specialists surveyed said confidential or sensitive documents at their organization are not fully secured and protected, according to a study conducted by Ponemon Institute, a research think tank that specializes in privacy and data protection.
The study, 2012 Confidential Documents at Risk Study, surveyed 622 IT and IT security professionals in the U.S. It revealed trends in how enterprise IT deals with digital document security. The results show poor practices are leaving companies susceptible to document leaks. Of those surveyed, 90% said they have experienced a leakage or loss of confidential documents in the last 12 months. The survey was commissioned by Palo Alto, Calif.-based WatchDox, a file-sharing service for confidential documents.
Funding issues contribute to the lack of action in protecting confidential documents, said Larry Ponemon, chairman and founder of the Traverse City, Mich.-based Ponemon Institute.
"It does require resources; it's not free, and you can't just start training people," Ponemon said, adding that while training is a good course of action, it shouldn't be the main one.
Digital document security has become a widespread concern with the increasing popularity of browser-based file-sharing services such as Dropbox, Box.net and YouSendIt. WikiLeaks, which relied on anonymous tips and whistleblowers, has also raised questions about the security of confidential documents.
So far, little action has been taken to address the issues brought up by file-sharing tools. Forty percent of those surveyed said they were not taking any of the suggested steps to reduce risks. Suggested steps included manual monitoring and controls, employee training and awareness, and enabling security technologies.
Organizations cited the critical success factors for implementing security controls. The top answers included ample budget resources, compliance monitoring procedures and centralized accountability and control, with resources being noted as "very important" or "important" among 80% of responders. Currently, organizations said they spend only 6.98% of their IT security budget on document protection.
Further complicating the problem of protecting digital documents is the plethora of ways employees can share them. While enterprises were focused on email attachments and USB drives, smartphones and remote storage services make it easy for multiple devices to access the Internet and receive a file. In the Ponemon study, which was published in July, 65% of organizations said they believe there is a serious security risk in accessing documents on mobile devices and tablets.
To accommodate the need for file sharing and the multiple devices it occurs on, Ponemon believes in a multifaceted solution, including governance, a document security tool and security intelligence.
"You can't just have one solution," he said.
Until the right tool is available, Ponemon said organizations can take basic steps to secure their documents. Organizations need to take a look at data they're not using and if they don't need it, they should get rid of it, he said.
"Organizations have way too much data," Ponemon said.
He also said encryption across devices and creating a policy for the use of cloud technology are important steps.