Coronavirus & Document Security

Coronavirus – changing the way we work

The end result of the Coronavirus is to expose known information security weaknesses when staff are already at full stretch.  The onset of Coronavirus has been swift and silent, like any well experienced Internet virus.  But unlike Internet viruses it travels by touch and through the air trying to infect all it meets to pass the infection on. The responses of our governments in their attempts to fend off this virus are:

• Containment – identifying who is infected and treat them and their contacts
• Delay – try to slow down the ability to spread giving longer to fight back
• Research – find out what we can about how to ameliorate the severity of attack
• Mitigate – treat who you can for the best effect.

Many countries have now switched to Delay as their favoured policy, and all that varies is the degree of the implementation.  The approach to delaying spread of the virus is to try to slow down the rate at which the virus can spread to something that medical services can cope with.  As far as computers are concerned, moving people away from the workplace to their homes is an essential step, but this is more likely to increase security problems. As more and more people connect to central systems, they use insecure public networks and download sensitive information onto local machines or forward information on to work colleagues – who may or may not be working to the same security standards or are not supposed to have access. This is made more complicated by the difficulties of maintaining a coherent management of anti-virus and spam filtering technologies and allowing connections through VPN that can be observed by hackers.  It is also more difficult to prevent sensitive information from being passed on, unintentionally or otherwise.

Sensitive and confidential document protection

Maintaining control over sensitive and/or confidential company documents is now a necessity.  Encryption only goes so far – protecting documents in transit and at rest – but it cannot prevent users sharing documents with others, stop printing of hard copies, control the locations and devices from where documents can be accessed and used, stop copying of content, etc. etc. ‘Secure’ data rooms and other cloud-based ‘secure’ document collaboration systems are seen as an alternative, but there is nothing to prevent users from sharing login info with others and therefore your documents could still easily be at risk.  And a browser environment can only provide limited security.  These types of system also force you to upload unprotected documents to the cloud – so your documents are exposed if something goes wrong with the encryption process and temporary files are left lying around.

Protection of training course content

Equally affected are the conference and training industries that have previously depended on getting people together for delivering their results.  Now comes a revolution to use electronic distribution for courses and contents, and to move to podcasts, letting all the participants operate from home or office or educational establishments seamlessly. Locklizard is well placed to support the controlled distribution of training and conference materials, allowing presenters and delegates to share information securely, regardless of where they are all located.  We already have many globally based publishers making use of these facilities, whose own customer base is distributed worldwide.  And where courses must be used in locations with poor Internet access, course providers simply distribute a USB device containing protected courses and a secure Viewer to open them.

Social impacts on information and document security

The direct effects of the response to Coronavirus have been to isolate people and to provoke ‘social distancing’ to keep people away from each other.  The impact of this is to move people from face to face situations in favour of purely electronic connections.  Some may argue that the latest generations communicate more by text, social media and email than ever they do by meeting, and they may have a point.  But that will cause a revolution as so much of our interactions are physical and rely upon collecting triggers such as body language or intonation that may be lost in electronic exchanges.  The interactions between a presenter and their audience may also be lost. Another big change comes with distributing materials before meetings (product development, board meeting) or a lecture/training session.  Often these are controlled by being distributed at the beginning of the meeting or lecture or made available from an internal secure location where the information is secret or sensitive.  Now they have to be provided to any number of remote locations for which there are few controls over security.  Documents can be easily passed on by mistake such as responding to unauthorised requests in good faith or forwarding to people because they might be interested. Separating people from their workplace support infrastructure reduces the ability to control what they do with the information they are now using away from the workplace.  This is where DRM can help, for example:

• restricting access to certain locations
• restricting access to specific devices
• stopping users sharing documents
• preventing printing and screen grabbing of documents (even by remote access)
• preventing editing and copying of content
• ensuring content can no longer be accessed after a certain time period
• revoking access on the fly
• logging document use

When you have a situation where documents can rather too easily find their way into the wrong hands you need to be able to place controls over the way the documents are used.  Rules need to work by document and not by user as it is the document content that determines use rules.

Changes to behaviour – controlling document access and use

We must never underestimate the impact of changing social engineering on our information systems and information management methods.  Social engineering is already widely used by fraudsters and confidence tricksters in normal office environments (and with the elderly and people subject to stress) to gain access to or control of sensitive information for their own benefit. Much of our security relies upon checks and balances as well as two-person operation and hierarchical authorisation, and computers are used to give effect to decisions.  Obvious controls include stopping use unless the user is specially authorised and identified and preventing sharing and copying of content onto unauthorized devices. DRM controls allow document owners (publishers) to specify the controls to be enforced on everyone who receives their controlled documents, whether authorized or not. Setting strict conditions around data access and use by providing a secure means of content control is one of the main advantages of using DRM for documents. The ability to selectively revoke access when it is no longer required or change permissions on-the-fly is just one of the many ways document DRM ensures that you are always in control of your documents regardless of where they are located. You can no longer rely on physical or organization controls to securely manage content in fragmented structures where central control cannot be exerted.  Embedding DRM controls in your sensitive and commercial information is a required step as the workplace evolves to a Decentralised model.