After Enron: hidden perils of corporate data

Every day, employees in organisations around the world are creating, amending
and approving documents. Often these documents are the lifeblood of an
organisation and represent the company’s values and intellectual property, as
well as confidential information.

But mishandle them and the consequences can be devastating – potentially
jeopardising the reputation, legal liability and security of a company. Two
fairly recent high-profile document gaffes by the UK government demonstrate all
too well the damage that can be caused by document leaks.

Take the government’s ‘dodgy dossier’, which outlined the case for war
against Iraq. In this instance, hidden details in the Microsoft Word document
inadvertently disclosed several electronic trails about who was involved in
researching weapons of mass destruction.

It might have been brushed aside as a one-off mistake. But then Home
Secretary Charles Clarke made a similar blunder in September 2005, when he sent
out a letter to the opposition parties about the proposed terrorism bill, which
revealed the government had changed its mind on key aspects of the legislation
several times.

The British government certainly doesn’t have a monopoly on accidentally
divulging sensitive or confidential information. Recently, a heavily censored
Pentagon report into the death of an Italian secret agent in Iraq was easily
uncensored, inadvertently revealing hidden tactics and names, including that of
the US soldier who killed the Italian agent in the incident.

The Pentagon published the report on its website using Adobe Acrobat
software. An Italian IT worker simply cut and pasted the Adobe PDF file into
Microsoft Notepad and the hidden content was revealed.

Public sector gaffes may hit the headlines, but the private sector should
take heed. Hundreds of millions of documents are shared daily over the internet
via email, portals and other channels. According to analyst Gartner, 1.8 trillion
business documents will be created this year alone.

But each time a document is created in Microsoft Office, hidden information
about that document – otherwise known as metadata – is automatically generated.
This information could reveal financial results, confidential material, customer
details or perhaps employee salary information.

For a business, it is vital that documents sent outside the company –
particularly those containing highly confidential or sensitive information – are
secure, accurate and do not disclose previous deletions or amendments.

For accountancy firms too, the chances of accidentally divulging sensitive
data are huge. On a daily basis, firms create, amend and approve audit reports,
distribute client information, complete tax returns, submit financial reports
and handle client patent details, to name but a few tasks.

The highly regulated nature of accountancy means firms must be able to show a
complete activity log detailing what edits were made by whom and when, in order
to comply with laws such as Sarbanes-Oxley and the Financial Transactions
Reporting Act.

But the answer is not to stop writing or sharing documents. Given the
e-centric world in which we operate, the sharing of documents is vital to
conducting business. Instead, companies need to find a way of keeping sensitive
information from leaking, whether inadvertently or intentionally, and avoid such
costly results as regulatory fines, damage to reputation or and loss of

‘Document hygiene’ is the process of ensuring the creation, sharing,
distribution and auditing of documents is secure and productive. Simply
converting a document to a PDF file will not work – as the Pentagon discovered
to its detriment. Yet content security systems that deliver the necessary
outbound content compliance often do so at the cost of severe disruption to
everyday business.

Likewise, complex and expensive digital rights management systems that
attempt to control distribution are over-engineered, can dramatically harm
business productivity and have, so far, failed to stop the leakage of sensitive
business documents.

Manual document security and integrity checks are not the solution either;
information integrity and security are too important to be at the mercy of human
error and such practices are also heavily resource-intensive.

There is no silver bullet to document hygiene. In reality, it involves a
multitude of steps, processes and tools to manage the risk associated with
documents and their integrity. First and foremost, businesses need to understand
the level of threat they face from within their organisation.

A good starting point is to look at document security, regulatory and
corporate policy compliance, and document accuracy to assess the gaps in your
organisation’s current strategy – not only to meet specific legislation, but to
evaluate the accuracy and integrity of documents and ensure that a master
document is not compromised by later revisions.

Once the risks have been defined and understood, it is not too great a leap
to develop a risk mitigation policy based on document integrity classifications
– such as ‘highly confidential’ down to ‘internal use only’ and ‘unrestricted’ –
that define the extent to which a document can be distributed.

Enforcing actions is the next step – putting in place safeguards to ensure
document hygiene policies are acted upon, should an employee inadvertently
breach them. Technology can help by automatically preventing the disclosure of
information that violates privacy, intellectual property and financial
disclosure policies, even where the user is unaware a breach has taken place.
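
An automated pre-send check of the kind described above could look like the following. This is an added example, not code from the article or from any vendor product. It assumes the zip-based Word .docx format rather than the older binary .doc, and the sample document and the names in it are constructed.

```python
import io
import re
import zipfile

# WordprocessingML markers for content that stays in the file even when it
# is not visible on screen: revision marks, deleted runs, author properties.
TRACKED = re.compile(rb'<w:(del|ins)\b[^>]*w:author="([^"]*)"')
DELETED_TEXT = re.compile(rb"<w:delText[^>]*>([^<]*)</w:delText>")
CORE_FIELDS = re.compile(rb"<(dc:creator|cp:lastModifiedBy)>([^<]+)</\1>")


def hygiene_findings(docx_bytes):
    """Return sorted (kind, detail) findings for the bytes of a .docx file."""
    findings = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            for tag, value in CORE_FIELDS.findall(z.read("docProps/core.xml")):
                findings.add((tag.decode(), value.decode()))
        if "word/comments.xml" in names:
            findings.add(("comments", "word/comments.xml present"))
        if "word/document.xml" in names:
            body = z.read("word/document.xml")
            for mark, author in TRACKED.findall(body):
                findings.add(("tracked " + mark.decode(), author.decode()))
            for text in DELETED_TEXT.findall(body):
                findings.add(("deleted text", text.decode()))
    return sorted(findings)


def build_sample():
    """Constructed sample: minimal .docx-style archive with one tracked deletion."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>A. Analyst</dc:creator>"
                   "<cp:lastModifiedBy>B. Partner</cp:lastModifiedBy>"
                   "</cp:coreProperties>")
        z.writestr("word/document.xml",
                   '<w:document><w:body><w:p><w:r><w:t>Fee: 40k</w:t></w:r>'
                   '<w:del w:id="1" w:author="B. Partner"><w:r>'
                   '<w:delText>Fee: 55k</w:delText></w:r></w:del>'
                   '</w:p></w:body></w:document>')
    return buf.getvalue()


if __name__ == "__main__":
    for kind, detail in hygiene_findings(build_sample()):
        print(f"{kind}: {detail}")
```

A mail gateway or pre-send hook could block or strip an attachment whenever the returned list is non-empty for a document classified for external release.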

From a maintenance and cost perspective, organisations do not want to be
constantly checking email attachment sizes or investigating if security policies
are being enforced in embedded email attachments. Therefore, any system that can
perform these tasks automatically, in line with company regulations, stands to
make the task simpler and potentially more cost-effective.

But as with the best business processes, a document hygiene policy needs to
be regularly audited and reviewed to ensure it remains compliant with new laws
and emerging threats, and that users continue to abide by company rules. Get it
right and it can provide the safeguards your business needs to ensure documents
are secure and compliant, and avoid the ‘carelessness’ of making embarrassing –
and potentially devastating – mistakes.

Joe Fantuzzi is chief executive of Workshare
