Unstructured and Insecure
Unstructured data is an easy target for data breaches because just about every data breach that’s ever occurred starts with information left somewhere unencrypted and without password protection. And it’s lucrative for cybercriminals to get their hands on—it may contain customer information, patient records, financial loan packets, or insurance claim records. It can also contain information used in reconnaissance efforts by hackers looking to gain unauthorized entry into your digital systems.
Many businesses believe that by digitizing paper documents, they’re eliminating the unstructured data security threat—but that’s only the first step in the digital transformation journey. Organizations must also put the right processes into place to gain full control over who can view, change, and share digital documents.
There’s Data About Your Data—and it’s Insecure too
All the data in your organization has data attached to it that describes and categorizes it. For example, PDF metadata provides information on who created the PDF (name or even user ID), which application they used, when it was created, and what’s in the document. XMP (Extensible Metadata Platform) embeds additional metadata into files, such as page-level or object-level labels or descriptions, or pre-flight information for production printing. With graphics and photographs, this metadata is called EXIF and contains information like GPS coordinates of where the photo was taken, the name of the camera, time the photo was taken, and more. Mobile phones apply metadata to text messages, phone calls, etc.
Encrypting metadata is an important, and often overlooked step, when protecting documents. Metadata may contain PII about a customer, or PHI about a patient, or could contain information that might lead a hacker to exploit other systems, such as the path on the file system where the document was created, which could lead to a massive data breach. For example, an infamous customer data breach at Target began (aka the “kill chain”) with document metadata that allowed a hacker to map Target’s internal network.
Enterprises Aren’t Ready
Even with harrowing stories like the Target data breach, many organizations simply aren’t moving fast enough. For most, the reason is a valid one – they want to ensure that security policies and protocols are not hampering employee productivity. In a recent study by security solutions provider Bromium, nearly ¾ (74% to be exact) of CISOs say employees have expressed frustration that security policies are slowing them down as they try to get work done. Who among us isn’t tired of Outlook asking us for our security credentials ten times a day? Or leaving your desk for a cup of coffee only to return and find that Windows restarted due to a security patch and shut down all of your applications?
For enterprises that have taken steps towards securing their documents, efforts may have fallen short of truly ensuring that information doesn’t fall into the wrong hands. For example, a business may have implemented rules and processes for password protecting all PDFs containing personal employee information. But that same business may not have taken steps to restrict the printing of confidential documents, which is often the root cause of accidental data breaches. Where there is a will, there is a way: a motto that continually rings true with hackers around the world.
How to Take Control of Unstructured Data
To really take control of unstructured data across an enterprise, organizations need to incorporate secure processes into workflows using tools that can quickly and seamlessly apply the right level of protection at scale. These security solutions must also stay out of the way, and not hinder employee productivity.
For example, companies can purchase a server-based document conversion and protection solution that can be hosted on-premises or in the cloud to perform high-volume, unattended document conversion. At a file or a folder level, the solution can encrypt and password protect PDFs; encrypt metadata; redact sensitive information; and enable or disable PDF printing, editing, and page modifications. These server-based solutions can process millions of images/pages per day and can be up and running in a matter of a few minutes. For companies that have more unique needs, they’ll likely want to build this document conversion and protection capability into their own bespoke solutions with a flexible OCR toolkit.
Lastly, it’s always good practice to put these tools directly in the hands of knowledge workers as they go about their daily tasks of creating all of this unstructured information. PDF productivity applications have these same password protection, metadata encryption and information redaction capabilities and can be licensed and deployed enterprise-wide, providing a document security “endpoint” solution that just makes good business sense.