Policies written. Tools provided. Training conducted. As IT leaders, you have sufficiently enabled your users to properly sanitise and redact their documents before sharing outside the organisation, but what happens when they forget? Worse, what happens if they intentionally ignore the policy and process altogether?
No longer can the sanitisation and redaction of documents for secure sharing rely only on user-initiated processes. While your legal team might be diligent in following the redaction policy for eFiling court documents, all too often (roughly 1 out of 10 times, based on Computerworld and Skyhigh Networks) teams publishing documents to the website, collaborating with partners in the cloud or simply emailing reused sales templates to potential clients are sharing files without proper sanitisation. That includes the commonly overlooked metadata, comments and revision history that can be harvested for phishing attacks or just flat-out embarrass an organisation.
If you need a reminder of such incidents, you can always re-cringe your way through the late Shauna Kelly’s “How tracked changes have made businesses and government look foolish,” or recall some of the more recent incidents in the Slate article, “Redacting Digital Documents Is Easy. Why Do People Keep Doing it Wrong?”, which highlights a number of alarming document redaction mishaps that range from the United States House Transportation Security Administration releasing CIA protection protocols for foreign dignitaries, to the British Ministry of Defence’s inadvertent leak of nuclear submarine details, to numerous legal filings such as the US District Court’s copy-paste snafu that exposed Apple’s sensitive business dealings.
While “nearly 70 percent of IT professionals say employee workarounds to avoid IT-imposed security measures pose the greatest risk to the organization,” according to a recent Dell survey, we should realize users at times will simply forget or make basic mistakes.
It is not only the individual user who will suffer when proper document sanitization and redaction is left solely up to their manual initiation – customer privacy, the company and IT department can take a substantial financial and reputational hit.
Safety Net for Everyone’s Sanity
In light of the continued incidents and the risk of placing the responsibility completely on the user, all stakeholders involved can greatly benefit from a sanitisation safety net: a network-wide level of assurance that all documents will be redacted and sanitised in real time one last time prior to being shared through email, web, corporate website, MFT or cloud collaboration/storage. It is a safety net that will not only prevent a sensitive data leak, but can also serve as a continuous reminder and training tool.
As one of the most cost-effective enhancements they can make to enforce their data privacy and security policies, organisations can easily add Document Sanitisation and Data Redaction as a plug-in to their existing web or email security gateways (vendor neutral), giving them a secondary safety net that provides:
Redaction Without Delay – Remove only the information that breaks policy, allowing the rest of the document to be delivered without delay. Intelligent policies can also go as far as to encrypt and block documents based on the sensitivity of content and context (relationship of sender and recipient).
Sanitise Hidden Content – Overlooked document metadata (e.g. author, login, department, system names), comments and revision history are completely removed without disrupting delivery and business communications.
Complete Document Visibility – Deeper inspection that is not limited by zip/encryption, file size, evasion techniques or multiple embedded document layers to ensure real-time detection and sanitization.
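To make the "Sanitise Hidden Content" item concrete, here is an added example (not from the original article or any vendor product) of a pre-share check that reports the author metadata, comments and tracked changes still present in a .docx file. The function names and the sample file are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"

def audit_docx(data: bytes) -> dict:
    """Count hidden content in a .docx (an OOXML zip) supplied as bytes."""
    found = {"metadata": {}, "comments": 0, "tracked_changes": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:  # author and last editor
            root = ET.fromstring(z.read("docProps/core.xml"))
            for ns, tag in ((DC_NS, "creator"), (CP_NS, "lastModifiedBy")):
                el = root.find(f"{{{ns}}}{tag}")
                if el is not None and el.text:
                    found["metadata"][tag] = el.text
        if "word/comments.xml" in names:  # reviewer comments
            root = ET.fromstring(z.read("word/comments.xml"))
            found["comments"] = len(root.findall(f"{{{W_NS}}}comment"))
        if "word/document.xml" in names:  # tracked insertions and deletions
            root = ET.fromstring(z.read("word/document.xml"))
            changes = {f"{{{W_NS}}}ins", f"{{{W_NS}}}del"}
            found["tracked_changes"] = sum(el.tag in changes for el in root.iter())
    return found

def build_sample() -> bytes:
    """Constructed sample: a minimal .docx-like zip carrying hidden content."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>asmith</cp:lastModifiedBy></cp:coreProperties>')
    comments = (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0">'
                '<w:p><w:r><w:t>drop the discount?</w:t></w:r></w:p>'
                '</w:comment></w:comments>')
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           '<w:ins w:id="1"><w:r><w:t>new price</w:t></w:r></w:ins>'
           '<w:del w:id="2"><w:r><w:delText>old price</w:delText></w:r></w:del>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/comments.xml", comments)
        z.writestr("word/document.xml", doc)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_docx(build_sample()))
```

A non-empty result is the signal a gateway policy would act on; the same check can run as a pre-send hook so the user sees what would have leaked.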
For the sake of everyone’s sanity, continue to trust your users to manage and secure their sharing of documents, but verify with a safety net that protects everyone.