The warning ‘for your eyes only’ stamped on top-secret documents has been a feature of spy thrillers for decades. Securing those documents used to be relatively easy:  they were kept under lock and key, hidden from prying eyes. But electronic files such as Word documents, PDFs, spreadsheets and presentations are not so easy to secure.

They are also the lifeblood of most organisations nowadays, shared freely with colleagues, partners and customers.  According to Check Point’s latest Security Report, sensitive data is sent outside organisations every 49 minutes on average, while 85% of organisations have used Dropbox to share business documents. Once a document leaves a company’s network, there is typically no oversight or control over how is it being shared, or who is accessing it.

>See also: The security case for going digital

This puts the contents of the documents, and the organisations themselves, at risk. The issue is particularly pertinent following the recent Sony Pictures hack, in which hackers stole and published a wealth of personal information about employees, as well as private correspondence about several very well-known third parties, which proved highly embarrassing for the company.

Document defence

The main problem is that securing the contents of business documents – whether it’s company-confidential information, employee details or other sensitive material – is not usually a priority for the employees who create them.

It’s assumed that the documents will remain safe within the organisation’s network security infrastructure, and that they will never be inadvertently sent to or shared with unauthorised people.

But as we’ve seen repeatedly over the past decade, unprotected documents have a habit of falling into the wrong hands as a result of accidental or malicious actions. Businesses can’t always rely on their network security, or the security measures on employees’ laptops and mobile devices, to keep documents safe.

So how can these files be protected with a modern, enforceable and traceable equivalent of a ‘for your eyes only’ notice, that ensures only those people permitted to view and use the document can actually do so?

Traditionally, documents have been password-protected using a solution either from an OEM or aftermarket provider.  Once a document is locked, it can only be unlocked by entering a password or having the same decryption software as the sender. The problem with this method is that passwords are lost, forgotten or compromised all the time. Simple password-protection does not provide the level of security that businesses require.

Do you have the rights?

What’s needed is data protection that goes beyond basic data encryption, adding business-centric digital rights management, which allows organisations to customise how they secure their documents. Security should be established when the document is first created, and should travel with it, so that corporate guidelines are always enforced, with full logging and auditing of who accessed and shared the document.

This can be done using a slim document security client, which can be used on PCs and mobile devices, which acts as a plug-in to popular business programs such as Microsoft Office and Adobe Acrobat. When creating a document with these programs, the author uses the security plug-in to choose which users or groups can view and edit it, and establishes how the document can be distributed (for example, preventing printing or forwarding to others). This secures documents and data stored on untrusted devices and cloud services, and ensures that they remain strongly encrypted, and accessible only to named recipients defined by the document’s author throughout their lifecycle.

>See also: Is unauthorised use of file sharing solutions putting organisations on a slippery slope?

If a user tries to open a protected document without the appropriate client on their device, they will see a one-page document ‘envelope’ advising them that the document is secured, and guiding them to download the relevant client in order to view or edit the protected document.

The client plug-in intercepts document operations and determines which functions are allowed or blocked, based on the permissions granted to the user (such as read, edit, save, print, screen-grab, copy/paste, and so on). Removing a user from the organisation means access to protected documents is revoked for them.

This ability to apply granular access control and rights management to how documents can be shared, viewed and edited throughout their lifecycle, and by which users, is a powerful weapon in any organisation’s security arsenal. Focusing on managing and protecting the use of business data and documents simplifies the security challenge – especially with the rapid growth in mobile and remote working.

After all, the device being used to access and process the document does not really matter, as long as the person has the appropriate rights. By taking a document-centric approach to securing confidential files, organisations can keep their data protected from the prying eyes of those not authorised to see it – giving the phrase ‘for your eyes only’ real meaning.

Sourced from Keith Bird, Check Point