Keep it secret, keep it safe: the essential role of cybersecurity in document management

Untold quantities of sensitive data reside in the huge variety of documents that accumulate over the lifetime of an organization. Keeping them safe no matter where they’re stored should be a top priority.

As document management continues its long transition from physical filing cabinets to digital databases and the cloud, the potential for cyber threats increases with every step and every migration. As such, it’s critical that organizations understand and address the connection between document management and cybersecurity.

Security around document management is absolutely essential as documents contain some of the most sensitive corporate materials, says Cheryl McKinnon, principal analyst at Forrester Research. It could be intellectual property, financial data, or employee or customer data — so-called unstructured data — that is sitting in the form of spreadsheets, Word documents, or PDFs.

“We need to ensure that we have layers of protection around these repositories of corporate data because poor handling practices can lead to inadvertent leakage or inappropriate sharing through email,” she says.

Since the emergence of document management systems in the 1970s, the adoption of personal computers in the 1990s, the growth of the internet, and the widespread move to cloud-based document management systems, the digitization of information has been gradually transforming how organizations handle documents, says Allen Ureta, managing director at Deltamine, a provider of IT assurance and advisory services.

This trend now incorporates integration with artificial intelligence and machine learning to enhance document searches, focus on automation, data analytics, and enhanced security measures, according to Ureta. “These measures, once referred to as ‘information security,’ have existed since the days of Caesar,” he says. “Cybersecurity, the modernization of information security, specifically addresses the security of digital assets and the infrastructure that supports them.”

Information security remains the broader scope and would apply to document management in this sense, Ureta says. Cybersecurity targets the digitization of these documents. Understanding the intersection of cybersecurity and document management remains critical to safeguarding sensitive data.

Key concepts in the intersection of cybersecurity and document management

The fundamental concepts shared by both cybersecurity and document management are data security, compliance, and risk management, according to Ureta. Data security is central to this intersection, as it ensures that documents are securely stored and transmitted, whether in use, at rest, or in transit, he says. This necessitates the application of encryption, access controls, and other security measures to safeguard data from unauthorized access, use, disclosure, disruption, modification, or destruction.

“Compliance covers the legal, regulatory, and policy environment surrounding document management,” Ureta adds. “Organizations must adhere to these requirements, encompassing data retention, disposal, and the creation of audit trails. Compliance ensures that not only is data protected but also that it is managed within the boundaries of the law.”

Another key concept in the intersection of cybersecurity and document management is risk management, which includes identifying, assessing, and mitigating risks, he says.

“This involves developing and implementing security policies and procedures tailored to the organization’s unique needs, especially compliance,” he says. “Regular security audits and employee training on security best practices are vital components of risk management.”

Document management and cybersecurity have shared interests in key concepts throughout the document lifecycle at an organization – from the necessity of effective classification to the articulation of appropriate access to the application of retention and destruction requirements, says Reese Solberg, managing director at EY.

For example, enabling efficient and effective management of documents starts with the appropriate classification of those materials, he says.

“Similarly, security relies on the appropriate classification to identify and protect those documents based on relevant requirements,” Solberg says. “It’s hard to imagine the document lifecycle at an organization without an appreciation of the intersection between document management and cybersecurity.”

How security fits into strategy assessments for document management

From a market perspective, a lot of vendors from “data-security-adjacent” technologies are gaining traction in the data security space, says Jennifer Glenn, research director for data and information security at IDC. “Content and document management is one area,” she says. “To me, this says that organizations are very aware of the security/privacy risks associated with their document management and are actively looking to secure that piece of business activity.”

In addition, data security strategy should inform document management so that it’s clear who has access to various data stores, how that data is encrypted — if at all — if that data requires anonymization, how long data must be retained, and how data should be destroyed once applicable retention timelines are met, says Krishnan Ramachandran, Deloitte risk and financial advisory vice president in Deloitte Transactions and Business Analytics. “To determine how an organization manages the document management lifecycle end-to-end, all these factors should be weighed,” he says.

Solberg says security considerations should be an integral component of any strategic assessment for document management. “For example, when identifying the key objectives, organizations may typically identify increased efficiency, reduced costs, increased collaboration,” he says. “Given the significant cyber risks organizations face in our rapidly digitized world, it’s essential that the organization also clearly articulate an objective to protect the data, documents, and systems from the outset.”

Security must also be incorporated in the phases of the document management assessment, including the analysis of the current state and the articulation of the roadmap, according to Solberg. “The integration of cybersecurity in these phases not only helps to identify the baseline compliance requirements that will inform the strategy but the capabilities that the organization will need to meet those requirements,” he adds.

Security is a key enabler of success within any organization and has become a top strategic priority for all successful Internet-connected companies, says Jeffrey Bernstein, director of cybersecurity and data privacy in the risk advisory services practice at Kaufman Rossin, a CPA and advisory firm. “Because of this, most successful organizations are transforming their businesses to enhance security and compliance efforts, improve productivity, and optimize operations via the adoption of document management programs,” he says.

Steps for implementing cybersecurity into document management systems

Because there are different teams with different budgets and different business goals, the first step is always to align the departments’ desired outcomes, according to Glenn. After that, Glenn says the steps really follow the key questions that must be addressed for effective data and information security:

  • Where is my data? To secure any data or information, you have to know where it is and how these documents are being stored prior to sharing.
  • What is my data? Next, you need to understand what you’re dealing with. What type of information is included in these documents? What images or content are in the documents being managed? And would that information be considered sensitive, e.g., credit card numbers, or confidential, e.g., intellectual property? Data discovery and classification technologies are often used here to find this content as well as categorize it based on its risk to the business.
  • Who has access to my data? It’s also important to understand who is sharing documents and who they’re sharing the documents/information with. Data leakage, i.e., trusted users sharing information with people who shouldn’t have it, is a real concern for document management. Cloud access security broker and data leakage prevention technologies can be useful here to see who is sending what. Then these technologies can flag and block anomalous connections.
  • Is my data properly protected? Organizations, including Box and Egnyte, provide controls that limit access to specific documents based on content, users, their roles and privileges, and timing, e.g., do they have access to documents during an active project?

Best practices for secure document storage and sharing

Best practices for secure document storage and sharing can be grouped into categories that together form a comprehensive approach, each addressing a different aspect of document management security, to protect sensitive information from potential cyber threats, says Ureta. These include:

  • Data classification and security measures cover practices for categorizing documents based on sensitivity, encrypting stored documents and data in transit, implementing strict access controls, and using multi-factor authentication for document access.
  • Collaboration and user training provide such practices as utilizing secure collaboration platforms as well as educating employees on cybersecurity and document management best practices.
  • Monitoring and response practices include continuously monitoring document access and changes and developing a well-defined incident response plan.
  • Policy and compliance involves establishing clear retention and disposal policies and ensuring that document management aligns with industry regulations.
  • Backup and data security practices relate to regularly backing up your documents and choosing reputable cloud providers with strong data security policies.
  • Software and vendor management includes keeping software and tools current and ensuring third-party vendors meet security standards.
  • Business continuity and secure sharing include practices such as developing a plan for unforeseen events, using secure file transfer methods when sharing documents, and disabling access for departing employees.

Read the full article on CSO Online.


Jeffrey Bernstein is a Risk Advisory Services Director of Cybersecurity and Data Privacy at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.