Opinion: Digital security is a requirement

Guest article by Michael T Mantzke of

Does your company take digital security seriously? Having a diverse background in computer records/document management and compliance, I have learned three things which, unfortunately, seem to be more the norm than not.

1.    Business leaders and corporate executives do not understand digital security or its value proposition.
2.    These same business leaders do not understand the potential liabilities facing their respective organization and themselves as it relates to digital security.
3.    These same business leaders do not understand or appreciate the potential threats and vulnerabilities from both internal and external sources.

Data protection and privacy issues impact all business and industry sectors across the globe. Compliance with the law and protecting individuals’ privacy are not just legal issues. Failure to respect people’s privacy or ensure security of their data can severely damage a company’s brand and influence consumer buying decisions.

Law firms now conduct a vast amount of business electronically. Much data is held on emails, word-processing files, spreadsheets and databases. Storing this data and ensuring its security and confidentiality is a major challenge. There is not enough awareness of the security risks linked to the electronic transmission of data between law firms and their clients.

You would laugh at the idea of leaving your office buildings unlocked and unguarded all night, or providing perfect copies of your client’s credit card details to passers-by; but this is, in effect, what you are doing if you fail to take firm steps to protect your company’s client information or intellectual property. The attendant risks and penalties facing many solicitors’ firms crystallised in April 2010 when the Information Commissioner’s Office (ICO), which oversees and enforces the Data Protection Act 1998 (DPA), introduced fines of up to £500,000 for serious data breaches.

Proactive vs. Reactive approaches.

Reviewing the 2012 RSA conferences and the initiatives announced by William Hague at the beginning of September, one can’t help being struck by the number of products and service providers which targeted the reactive space within the security market rather than embracing a clearly untapped need for simple proactive solutions designed to address the problem of digital asset security.

With the uptake of home working, remote access, emails and Bring Your Own Device (BYOD) culture, too little concern is shown for the vulnerability of data once outside the enterprise.

So as not to offend the antivirus, antispam, malware scrubbers and countless other disciplines, I would stress these systems are needed to combat threats already identified, or new threats once they have been identified. It is much easier to develop protection schemes against existing threats or vulnerabilities. Additionally, the news and cyber groups play up these vulnerabilities so attention is highly visible.

These same groups have also jumped on the Cloud computing bandwagon. They emphasize that cloud-based solutions are safe, secure, and provide adequate security measures designed to protect your data. One needs to look no further than the recent cyber-attack on the US-based service Go Daddy to realize the potential vulnerability and accessibility of critical data.

A truly proactive solution to digital security should be designed to protect assets at the desktop at the time of creation or distribution. This localized application for protection and viewing should utilize a strong encryption system, with enforceable security rule sets. A Cloud-based component would provide management, tracking, and alerting of digital assets once transported or delivered through any electronic means – Email, Cloud, USB drives, etc.

It is frustrating and worrying that this aspect of security is missing from the security scene. Although some systems have attempted a proactive approach, they were often tied to cumbersome, expensive infrastructures which placed serious constraints on ease of use and distribution. A few cloud-based encryption solutions are offered, but their major flaw is that they force users to upload the unprotected digital asset into the cloud prior to encryption. Where’s the protection?

A simple, proactive security solution should allow users to operate at the speed of business.  If it’s too complex or takes in-depth technical knowledge to utilize, only a handful of people within a company will use it – which defeats the overall purpose of trying to protect your digital assets and your organization. This effect is reflected in a number of failed Digital Rights Management product implementations.

As business leaders you should be asking yourselves some basic questions.

1.    Has the question of digital data security, cloud computing, information liability/vulnerability, and the associated risks been asked and answered to your satisfaction?
2.    Are business, data, and liability initiatives in line with today’s technology trends, security measures, and countermeasures?
3.    How does your business or agency control who can access sensitive information once it is sent out via the Cloud or email?
4.    How do you protect your customer or client information?

To put it simply, if you are not in control of your digital information as it’s created and distributed, everyone else will be. Businesses and Governments shred any document that could be used by information hijackers and identity thieves. These same disciplines need to be applied to your digital assets.

If you are serious about the matter of digital asset security I recommend the following.

1.    Educate your respective staff members on vulnerabilities which present liabilities to your organizations.
2.    Review your policies regarding the creation and processing of digital assets, especially if your digital assets are being sent outside your organization.
3.    Seek a solution which provides strong encryption prior to sending your digital assets offsite.
4.    Automatically enforce policies to truly have consistency in how your digital assets are protected and handled.

I’ll leave you with the following to consider. Have we, as a society, sacrificed security for simplicity?  And if we have, are we ready and able to handle the consequences? Protect your organization by protecting your digital assets.

2 replies on “Opinion: Digital security is a requirement”

You make some excellent points. Our product ( achieves some of what you outline (a tool for the toolbox as such). I think you underplay a number of points. Firstly, the IT industry has left the end users exposed to security issues by providing easy to use tools which are insecure (email being our interest here). We in the security industry can moan all we like but unless our tools are equally easy to use then the behaviour changes needed will be difficult to achieve. Our product (I am sure like yours) goes a long way to achieving this. We have found that as soon as you take something as easy as email and ask the user to do something extra or complicated it will not happen.

We work with the legal industry. We have got our encryption down to no software installs and no key exchange. All the sender has to do is type ##encrypt at the top of their email and it is therefore completely device independent. The recipient needs no software, no account to register for and no knowledge that the email is even coming.

Even with that level of usability we still face an uphill struggle to get the legal industry engaged. We see some horrific examples of poor IT run by apparently competent IT companies with no real sense of any data management.

To solve the problem the IT industry will need to make it go away. We will struggle if we rely upon the end users to take these steps.

Simon, you raise an issue which is near and dear to me, and you are correct. The security of end user data and PII have been sacrificed for one thing, and one thing only. Simplicity. It is the simplified approach to delivery and storage of information which has created a complacency or a level of comfort in the business community that is not deserved. Getting business leaders to clearly understand the risks for not taking serious action is a challenge.