The state of document security in a post-Snowden world

Careless employees can often be the biggest security threat to a business

In today's business environment, there are several different challenges when it comes to sharing sensitive information. We spoke to Andrew Holmes, Director, Desktop at Nitro, in order to discuss the state of document security and the rise of Rights Management products.

TechRadar Pro: When collaborating and sharing documents, what are some common mistakes people make that can potentially compromise sensitive information?

Andrew Holmes: In today's business environment, there are several different challenges regarding sharing sensitive information. To start with, sharing doesn't just happen internally between employees, but also externally with partners, vendors and customers, which presents added risk. It's hard to control what happens to your document once you share it, and to know where it might end up if it gets forwarded intentionally or unintentionally.

Without the latest document security solutions and tools such as RMS, anyone can still store documents on USB thumb drives, smartphones or other external devices that are not protected and might be easily accessible to bad actors.

Another challenge is that some collaboration tools adopted by IT can actually be too locked down and prevent external sharing, which ends up being counterproductive. Employees will inevitably seek out workarounds in order to stay productive, i.e. downloading a file from the collaboration tool and then emailing it out. Additional control measures that persist with the content – like RMS – can minimise these risks because they enforce who can access the sensitive information, and what actions they can take on a document (e.g. viewing, printing, modifying, etc.).

TRP: What poses a greater information protection risk to organisations – outside hackers or insufficient IT safeguards and careless employees?

AH: While hackers certainly pose a threat, it can surprisingly be an organisation's own internal employees (often times without ill intention) who introduce the most risk of exposing sensitive information. Many employees still attach documents (primarily PDF files) via email because it is convenient for sharing and they're not aware of more secure solutions. The best defence is a good offence, and that begins with having a knowledgeable, well-trained workforce.

In addition to establishing best practices and educating employees, IT needs to provide tools that are easy to use. The challenge is finding the right balance between providing tools to help enable security, while meeting usability needs. Of course, the proliferation of BYOD (Bring Your Own Device) has added another layer of complexity, and organisations must deal with the implications.

One of the worst things IT can do is provide document security tools that are too cumbersome for people to use. It's important to offer something that integrates into employees' daily routines with little to no learning curve. And as cloud and BYOD adoption continues to accelerate, implementing policies and managing technologies will require a more detailed action plan.

TRP: Why is RMS seeing growth in a wide range of industries, from manufacturing and aerospace to banking and telecommunications?

AH: Sharing and collaborating is an inevitable part of every industry, and all organisations also have confidential data they are concerned with. For example, in banking and financial services, employees manage organisational balance sheets and income statements containing information such as revenue, account numbers and client contact information.

In addition, they may handle sensitive documents related to mergers and acquisitions that could seriously impact revenue or competitive strategies if accessed by unintended parties. And high-tech manufacturing companies often share confidential product schematics, technical diagrams and other intellectual property with venture capitalists.

TRP: Are there any limitations to RMS?

AH: We are working closely with Microsoft to establish agreed upon standards that would enable cross-product RMS compatibility. However, currently both the document owner and their recipient have to use the same application (i.e. Nitro Pro) in order to view RMS-protected files.

TRP: Can you explain the process involved in securing documents using a Rights Management product?

AH: In Nitro Pro, this process involves only a few clicks of the mouse. You begin by simply clicking the 'Microsoft Security' button under the 'Protect' tab. From there, you add the recipient's corporate email address (the email needs to have a corporate domain) and then select the level of permissions. These permissions cover everything from editing and printing a document, to allowing comments and text copying.

TRP: How do different Rights Management products in the market compare?

AH: In principle, different rights management products work similarly to encrypt and manage access to documents, allowing the sender to maintain control of source files at all times. They allow users to manage documents and users from anywhere, authenticate every open or print attempt, and delegate user and document access.

Some of these products are format specific (e.g. PDF), and others such as RMS work with all file formats (including Microsoft Office). Nitro Pro is already a natural complement to Microsoft Office for managing documents, and since Microsoft RMS is an integral part of the Office suite across all file formats, the two products offer a powerful solution.

Rights management pricing differs across vendors, some of which require a minimum number of users (such as Adobe). Microsoft is much more flexible, especially with SMBs that need smaller or individual subscription pricing options.

About Andrew Holmes

Andrew joined Nitro in 2011 as QA Manager before rising to become Director of Desktop. Nitro Pro 9 has been his proudest achievement so far – the first desktop application integrated with Nitro Cloud.

Desire Athow
Managing Editor, TechRadar Pro

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website builders and web hosting when DHTML and frames were in vogue and started narrating about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium.