Adam Gillbe, Document Solutions Manager Canon Europe, looks at the often overlooked issue of company confidentiality in the form of document security within European businesses. In the article, references are made to research conducted by ICM for Canon Europe that explores breaches of company confidentiality amongst European businesses.
How secure is the average European business? Let’s start with securing physical assets. Almost all companies have an intruder alarm, door codes, fire alarm and insurance. Just as important is safeguarding businesses’ intellectual assets, many of which are in document form, including contracts, financial projections, strategy documents and salary details. If the wrong people were privy to them, they could negatively impact a business in several ways and ultimately translate into financial losses.
Client documents containing sensitive information leaked to the press could engender a damaged corporate reputation and lost business opportunities for a company thought to have leaked the information – not to mention possible legal prosecution by the client in question. In such cases, prevention is better than cure; once employees have read company confidential information, there is little that can be done to monitor or prevent them discussing it outside the workplace and nearly half of employees in Europe have admitted to this fact. In this article we examine how businesses are leaving themselves open to such document security compromises and how this problem can be tackled.
Many businesses protect company confidential information by securing their IT systems, against external threats such as viruses, hackers and phishing incidences. However, this will not safeguard them from internal breaches of document security. Internal compromises of document security begin with a lack of awareness at board and manager level of threats to document security. On average, 18% of businesses across Europe, thought that breaches of company confidentiality or “employee fraud” was an issue. 28% thought it was a minor issue, however, if we then learn that four in ten employees have seen sensitive business documents and over a third see it on a daily or monthly basis, surely this issue should be higher on the boardroom agenda. When this figure is coupled with the fact that 82% of managers in European businesses believe that “trusting” employees not to disclose confidential business information is the best method of prevention, we can see that there is an alarming problem.
Document security cannot solely depend on trust, as trust does not provide employees with clear guidelines as to what constitutes a breach of company confidentiality. If employees do not understand what is expected of them, they can unwittingly breach company confidentiality. Regardless of whether the breach is deliberate or not, it is happening. 38% of employees admitted to having seen sensitive information themselves or were aware that a colleague had seen sensitive information.
Including a company confidentiality policy in employment contracts - as 64% of European businesses do – is not enough to prevent employees openly discussing confidential information, as such policies are not often explained to employees (and even less so, to temporary employees) to ensure they understand them.
Temporary staff that feature on many businesses’ payrolls should also be taken into consideration when looking at safeguarding company confidentiality, as less than a quarter of European firms say they “always” perform security checks on temporary employees. Temporary employees come into a firm, often at short notice, without contracts and/or company inductions. They may be able to access sensitive files on a company network, printer or come across sensitive documents lying around the office. The number of temporary staff that can access a company’s printer varies from 46% in the UK to only 20% of staff in Austria.
So the first step to securing a company’s intellectual assets lies with having a legally approved confidentiality policy, which is enforced and explained to all employees to rapidly diminish the possibility and temptation to breach company information security rules.
The next step to protecting a company against internal and external threats to document security is implementing IT and printer security effectively. Nearly all companies use password access to individual employees’ PCs and also the company network, some implement password controls/ access privileges to a shared network, individual drives, files and documents. However, protecting a company PC is only a half measure if access to its printers are not protected (which many companies fail to do). This essential office tool is often forgotten when it comes to document security and should be high on one’s security priorities and should be protected as effectively as a PC.
The printer is where over a third of employees have seen company confidential information. This information includes salary and personnel details, financial, strategy and forecast plans, which 88% of employees have seen. Furthermore, 21% of employees believe it is acceptable to read information left on a shared printer/ copier and 38% of employees have seen information lying on printers or copiers or work with someone who has.
There are many ways to secure a company printer. Password protection or issuing employees with swipe cards for company printers is a cost-effective method of controlling who prints what and when. Needless to say, companies need to ensure that these passwords are not on show. Also available on the market is biometric technology, which businesses are starting to adopt, particularly those in the financial sector, where document security is paramount. Here, biometric controls such as fingerprint identification and retina scanning are also options to secure access to multifunctional print devices.
In addition to password controls, solutions software is available and can greatly help control document printing on multifunctional printers (MFPs). This can be installed on a business’ server and allows a company to see when any given document, either in or outside the office, might have been viewed, modified, moved or distributed – either by print, scan or fax – and by whom. Some solutions also include support for the Triple Data Encryption Standard (DES) to protect documents from unauthorised access both inside and outside an organisation. Another benefit is that it leaves clear audit trails to documents on a company network by applying a digital signature to every document that is archived.
Solutions software can also provide support for a company to set and apply authorisation to electronic documents in order to maintain confidentiality, privacy and accountability. For instance, different document privileges and encryption for varying levels of access to documents, such as PDFs, can be deployed. Document owners can manage these permissions to prevent unauthorised viewing and tampering by restricting who can open, edit, print and copy the contents of individual documents. Access rights to print on an MFP can be determined simply by who needs access and at what level. For example, whilst one employee – an executive – may have “read only” access to a document, another, such as the company CEO, may be able to print the document.
Whatever methods are implemented to secure sensitive documents, restricting access to printing them should be followed through by responsible document handling. For, even when documents are accessed and printed off by the correct person, they can sit for some time on a printer and could be picked up by the wrong person. A clean desk policy can be applied in the workplace, ensuring that all company documents are filed out of sight until they are needed by the appropriate person, particularly at the end of the day.
These simple steps, although not 100% foolproof, can make all the difference securing your company’s intellectual property and are more effective than leaving document security to trust. A clear and enforced confidentiality policy can ensure that a benchmark of acceptability is set. Restricted access controls applied to a MFP (just as they would be applied to a company network) can prevent idle snooping. Restricted access to an office’s multifunctional printers, and controlling document activity through installed printer software solutions, can stop sensitive business information – a company’s intellectual property – from falling into the wrong hands.