Documents, documents everywhere. Electronic files such as Word documents, PDF documents and spreadsheets not only outline the past — they are also the lifeblood of most organizations. No matter what the function, practically everyone in every business creates and stores electronic documents. They are something we all have in common, and they are the essence of why we use computers. More importantly, the contents of these documents and how they are being managed are placing a lot of sensitive information and businesses at risk.
The mere existence of electronic documents is not a bad thing. The problem starts when people do not realize what can (and often does) happen to the information in their documents. Think about it — outside of more specific data stored on your organization’s database servers, electronic documents contain pretty much anything and everything related to your business. They often house information about all of your employees and customers as well.
From intellectual property to sensitive details on your employees, to confidential customer records, there is a lot of information you cannot afford to lose or have compromised. But interestingly, this information security issue is not on the radar of the people creating these files. And more alarming, it is typically off the radar for network administrators and information security managers. That does not reduce its importance.
Inside the Firewall
The biggest problem with electronic documents is that they are scattered everywhere — literally. From servers, to desktops, to mobile devices and beyond, in any given organization there are literally tens if not hundreds of thousands of electronic documents stored all over the network because it is convenient. People create files on their local computers, they may save them off to a server share, or they may even share them right off their hard drive so others can access them. Many files are often copied to smartphones and removable storage. Perhaps worst of all, most people use the new-world file repository — the ultimate place to save documents — their e-mail boxes.
In a given environment, any plain vanilla user on the network typically has access to more information that he or she needs. In fact, as part of my internal security assessments, I will login as a regular user (with no administrator privileges) and perform searches across the network to see what I have access to. It is often pretty alarming what is available. I have seen:
• Critical software source code stored on a developer is local hard drive;
• Customer health records accessible on a quality assurance test system;
• Network diagrams including passwords to network infrastructure systems;
• Personal, financial and family-related information an executive had stored on her computer; and
• HR files, including salary and employee review information.
Sure, this is sort of a needle-in-the-haystack type of exercise, however, this kind of sensitive information can usually be found (and accessed) in less than an hour using rudimentary search methods. Imagine what can be done by a “trusted” employee on the network that has nothing but time. The big deal is that users (typically all users) on the network have access to documents containing information they should not have access to otherwise. There is usually no malicious intent on the front-end when people are storing documents. Again, it is a convenience issue. But when bored, curious or spiteful, employees have access to this juicy information, and the outcome can be detrimental.
Here are the underlying problems of document security inside the firewall:
• Many network files and folders are shared out to everyone in a sloppy ad-hoc fashion for temporary access and then forgotten.
• Many network users share their local hard drives or specific folders so anyone, regardless of intent, can browse around to see what is available.
• Drives and folders are often made accessible to everyone on the network by administrators in the name of convenience, since creating and managing groups can be tedious.
• When a need-to-know control system is not established and everyone has access to all documents, there is little to no accountability.
• Network administrators are usually so overburdened that they do not have time to proactively monitor who is accessing what. Even worse, they are rarely going to detect when unauthorized access has occurred.
• Relying on password protection at the document level can be futile unless the strongest of encryption and passphrases are used — which is very rare.
• Management often believes that employees are not going to do anything bad — especially since they passed a background check and had good references (yeah right) — so why bother locking down all the documents across the enterprise?
Oversights and ignorance serve up a great recipe for security breaches that will often go undetected until it is too late.