Good Information, better governance and effective enterprise content managements can go a long way toward keeping secrets safe.
Although the furor over the release of secret documents by WikiLeaks has slowed, make no mistake -- the whistleblower website hasn’t gone away. In fact, it seems to have blended into the Internet, making “online whistleblower” a term that will be heard often for the foreseeable future. And not just for WikiLeaks but also for copycat sites.
For example, just the words “big U.S. bank” and WikiLeaks in the same sentence caused Bank of America Corp.’s stock to drop. That a website could have such power, costly in BofA’s case, is new. But the seeds of WikiLeaks are as old as human nature, and it’s not only governments that will feel the sting of an exposed secret.
So what can enterprises do to keep their content from winding up on WikiLeaks’ website, or through some other exposé forum?
Consider first: little can be done if your company has a disgruntled employee with legitimate access to confidential information. Large organizations simply have a statistical chance of employing a dishonest person or someone with an ax to grind. While core security technology such as VPN, firewalls or data leak detection will reduce the danger, handling the human element is best done by good human resources people with adequate screening.
But enterprises can do much to keep a leak from occurring. Like leaving your house unlocked and hoping for the best, companies need to not overlook the obvious. In this case, don’t make content easy prey for unauthorized eyes. That’s the first step. But, say an employee has authorized access to a sensitive document. He or she has a “reading” privilege and can save the document or a part of it on a hard drive or memory stick. At that point the security of an enterprise application no longer applies. Now, you must worry about the security of the flash memory drive – and that’s not much security.
Many enterprises don’t realize what valuable data is sitting on hard drives, laptops and mobile devices. That leaves them vulnerable to a myriad of nasty possibilities, ranging from seeing their trade secrets slip out to competitors, losing first-to-market advantage and even creating legal problems. For example, an old company document might resurface, causing potential embarrassment or worse. Organizations are advised to dispose of information after prescribed retention periods; if someone kept a copy of a 20-year-old document, it could become a liability.
By their very nature, enterprise content management tools can go a long way toward heading off these scenarios. It’s inherent in content management systems to maintain security through access control, authentication and authorization to make sure only the right people have access to the right documents. Originally conceived as a way to protect intellectual property, digital rights management (or just rights management) is now allowing companies to encrypt content and thus enforce security no matter where it travels.
If a document is received in an email, it will be checked, and the level of authorization will determine if it can be saved locally, printed or forwarded. Proper rights management could prevent sensitive records from winding up on a stolen employee laptop, for example.
Tethering is another ECM approach that ratchets up content security. With tethering, the content always resides in the original repository, which can be secured so the content never actually leaves. A prime example is YouTube. People can access, view and embed a YouTube video on their blogs or websites, but the content assets always stays on YouTube’s server. This same technology can be applied to content residing in a secure repository in an enterprise. This way, the content assets can be shared as needed without ever having to leave the high-security confines of an enterprise content management repository.
Rights management and tethering are excellent tools in a good content management system. But a more fundamental issue for enterprises is a firm grasp of information organization. If the content is well organized, there is a much lower chance that something will leak out — and leak out undetected. Most organizations have non-disclosure policies, emphasizing the secrets that shouldn’t shared. But having information well organized and well structured is the key. If information is all over the place, with much duplicate data, is the worst possible scenario if there is heightened concern about security or winding up as a victim of WikiLeaks.
What if a company’s best intentions aren’t enough? What if the company’s name along with some heretofore closely guarded secret is splashed on the front page of The New York Times or The Wall Street Journal as the victim of a security leak? What then? Once the genie’s out of the bottle, it can’t be put back. So options have to be weighed. Legal steps possibly can be taken to contain the problem or public relations tools can be applied to clarify its context.
What’s far more important is preventing a leak from ever occurring again. That starts with tracing the leak back to where it originated. This is where content management and the principles of information governance come into play. One of ECM’s key features is its ability to provide a consistent, centralized log of all events — an audit trail. It provides an effective process to trace back how the particular content asset or document escaped, who opened it and where it wound up. With a good ECM system in place, the framework can be created to prevent this kind of leak in the future.
And, even if your enterprise never suffers the indignity of a security leak, aiming to protect its content has the very real side benefit of solid information governance.
The drive to expose secrets has always been with us, though many of the methods of dissemination are new. It’s uncertain how long WikiLeaks will be around — not long if some governments have their way and are successful in shutting it down. But individuals or organizations abusing confidential information certainly won’t go away. Since the Internet facilitates the mass dissemination of information in the blink of an eye, enterprises would be remiss in not preparing for the worst. Digital information has undisputed productivity benefits – and liabilities. Content management needs to be part of the infrastructure, part of the DNA of a company to successfully deal with the possible dangers.