Choosing Which Documents to Protect
Every organisation has a mixture of sensitive and non-sensitive documents, but surprisingly few go to the effort of classifying them. The truth is that while any leaked file has the potential to cause damage, some are much more dangerous than others. Because each document you protect requires time and resources, it’s important to prioritise.
So, how do you decide which documents need to be protected, and which will cause more hassle than it’s worth to lock down? This is what we’ll be discussing today.
What Documents Should You Protect?
Simply put, you should protect the documents that may cause economic damage to your organisation if they are disclosed. This damage could have roots in reputational issues, loss of competitive advantage, the breach of regulations, and more.
At the top of the ladder, naturally, are official government documents. You should also be thinking about board meeting minutes, analyst opinions, and strategic analyses. Then there’s sensitive training material, merger and acquisition documentation, manuals and research information.
Next, you should be looking at intellectual property: trade secrets, formulations, printed music, magazines, books, information under NDA, and more. Private and personal information also needs to be considered – whether it’s from clients, customers, or your employees. Finally, information relating to your organisation’s physical or digital security needs to be locked down. Though “security through obscurity” isn’t a silver bullet, it certainly makes things harder for attackers.
Document Classification and Controls
Once you have determined which documents need to be protected, you need to break them into different categories and determine the level of protection each should have. The variety of protection you can provide will depend on the solution you’re using, with document DRM typically having the best protection and widest range of features and customisability. For example, a good PDF DRM solution will offer the following:
- Location and device locking
- Automatic document expiry based on opens, prints, date, and views
- Dynamic watermarks
- Print and screenshot prevention
- Copying and editing prevention
- Passwordless access
- Manual access revocation
- Document tracking
- API integration
A good first step is to break sensitive documents down into those that should and shouldn’t be leaving the organisation. For those that shouldn’t, device and location locking controls can be implemented, with access limited to IP addresses on the internal network only. You’ll likely also want to apply dynamic watermarks to these documents, as well as printing and screenshot restrictions, to ensure a user can’t create a copy that they can take off-premises.
In the case of M&A documentation and board minutes, however, the situation gets more complicated. In such a case, various parties may need access, from lawyers to accountants, non-executive directors, and more. These people are most likely going to require access outside of your IT-controlled network. For these documents, you may want to forgo location enforcement but keep enforcement on a device level and block printing and screenshotting.
For training material, you may require the above controls, as well as time-based expiry for your documents. As training information may get outdated quickly with new security practices or software updates, it’s important to be able to cut off a user’s access after a certain period. You may also want the training material to be available for only the duration of the course.
Membership material is more complex still. You need a DRM solution that allows you to grant access to certain documents depending on membership status. Allowing distribution outside of these circles jeopardizes the “exclusive” feeling of membership, so sharing controls must be enforced effectively, typically alongside some sort of offline access.
Which Document Protection is Best for Your Business?
You can easily spend hours deciding what controls to apply to which documents within your document protection software. Document DRM, however, gives the broadest range of protection and is suited to most scenarios and documents a business may face.
However, it’s important to remember that defining which documents shouldn’t be protected is as important as defining those that should. Having too many categories of document, or harsh restrictions where they aren’t warranted, will only make life harder for your customers, employees, and IT departments.
Ultimately, you want to maintain some degree of convenience when it comes to less important documents. If you’re selling ebooks, for example, the additional sales from allowing offline use will likely outweigh any negative impact. In the cases where strict controls are necessary, having a strong solution at your back is all but essential to ensure the process is smooth for the IT department and the end-user.
David is a dynamic, analytical, solutions-focused bilingual Financial Professional, highly regarded for devising and implementing actionable plans resulting in measurable improvements to customer acquisition and retention, revenue generation, forecasting, and new business development.