The security of the information that our clients have entrusted us to host in our document management system is paramount. Clients demand that their information remain private and confidential, and we absolutely understand and abide by that. The SEC, auditors and sound business practices demand it too.
Our clients’ concern certainly includes stopping bad actors, but it also extends to the people they set up as valid users, who should only see and share what they are allowed to see and share. However, as far as sharing goes, some flexibility is needed so that users can be productive. Here are some thoughts on why wiggle room is needed and how shared information can be protected.
Generally, people don’t work in a vacuum; they need to communicate and work with others, both inside and outside the organization. The two most popular ways that people communicate and share information remain email and cloud-based file sharing sites. We use email when there are only a few documents, and we upload to the cloud when there are many.
The easiest way to share information is via email: just attach and send. That is what makes email so efficient. However, a user who emails a few documents outside the company doesn’t know how many times that email is forwarded on or who the eventual recipients are. You want users to have the flexibility that email provides, but you want some controls in place.
For instance, if the files being emailed are PDFs, you could watermark them as “Confidential”. You could limit the number of files that can be emailed at one time or per day. Your system might email links to the files rather than the files themselves, with the links expiring after a set number of days. If your company doesn’t have a document management system, these suggestions may not be feasible.
Bulk file transfers are a different story. More files potentially means more trouble and therefore more caution is needed. Users frequently need to provide large collections of files to outside parties for audits, transactions or other special projects. Typically, much more control is required for these purposes.
You could require that bulk downloads and sharing of files be requested through the IT department. You should restrict which users have the right to download in bulk. You should also track all bulk downloads and, ideally, if the system is capable of cloud or war-room-type sharing, the system should track all activity in the shared files. Restricting the guest list is also recommended.
There are more extreme methods for locking down files from inappropriate sharing. There are also plenty of systems and companies that have very limited protections and instead rely on the integrity of the users to maintain control. Look for solutions that provide the right amount of protection but still allow the flexibility to keep your users efficient and productive.