Date : 11/07/2019
How to avoid corporate document piracy
by Sébastien Poggi
The past year has witnessed a number of high-profile data breaches at blue-chip companies worldwide, ranging from FedEx to Marriott Hotels. These are just the tip of the iceberg: many smaller firms experience similar problems on a daily basis. While national law enforcement agencies are increasing the resources devoted to tackling cyber-crime, the responsibility for first- and second-line protection lies with companies themselves.
Know your weaknesses
Companies frequently underestimate how easy it can be for hackers to access sensitive documents. For example, vast amounts of personal data are contained in legal documents or life insurance policies, and much of this information is very often protected by weak passwords.
In addition, internal security requirements may complicate or obstruct interaction with external counterparties such as business partners, intermediaries and clients. While companies may maintain demanding security requirements for their employees, the fact that these standards are not shared by other players may interfere with the user experience and jeopardize customer and other relationships.
Companies frequently try to implement IT security features on top of their legacy information systems, but this can easily lead to maintenance headaches while leaving some weaknesses for hackers to exploit. Remember that security is only as strong as its weakest link.
Even when new software is installed, it is often neglected and allowed to become out of date, especially in high-stress environments where the focus is on production. IT departments are typically too busy to bother with performing updates on their own initiative, which means companies fail to benefit from the latest updates and software becomes unsupported quickly.
Maintain high security and authentication standards
The approach of Victor Buck Services focuses on people, processes and products, building on our almost 20 years of experience maintaining and improving high standards of security in line with client requirements.
We recognize that human error is natural and can result in many security incidents if other layers of control are overlooked. For example, we encourage firms to use multi-factor authentication as standard to reduce the potential consequences of weak passwords. This has already been introduced in the banking sector and in our own services, but it needs to become more widespread.
Along with multi-factor authentication, encryption of stored data (what experts call “data at rest”) is also becoming a requirement. It makes it harder for individuals to access specific documents, even if they enjoy general rights to use a system.
In addition, greater control should be exercised over the granting of access privileges, given the frequent examples of the sale or leaking of confidential information, whether through customers, providers or partners. External IT consultants may also need access throughout a client's storage, but it is still possible to prevent individual documents from being retrieved.
A company's senior management and IT security experts should be able to keep track of the activity of individuals working in sensitive areas, including the identity of the documents they are viewing, when and why. This log should be constantly updated, and alerts generated by any suspicious activity.
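The kind of check described in the two paragraphs above, as an added example that is not part of the original article and is not code from Victor Buck Services or Docunify. The log fields, role names, action names and thresholds are all assumptions chosen for illustration, and the log entries are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: (when, who, role, action, document, why).
SAMPLE_LOG = [
    ("2019-07-08T09:12:00", "alice", "employee", "view", "DOC-001", "client onboarding"),
    ("2019-07-08T09:40:00", "ext-bob", "consultant", "list", "STORE", "storage maintenance"),
    ("2019-07-08T10:05:00", "ext-bob", "consultant", "retrieve", "DOC-014", "storage maintenance"),
    ("2019-07-08T11:00:00", "carol", "employee", "view", "DOC-020", ""),
    ("2019-07-08T14:00:00", "dave", "employee", "view", "DOC-030", "audit"),
    ("2019-07-08T14:02:00", "dave", "employee", "view", "DOC-031", "audit"),
    ("2019-07-08T14:04:00", "dave", "employee", "view", "DOC-032", "audit"),
    ("2019-07-08T14:06:00", "dave", "employee", "view", "DOC-033", "audit"),
]

READ_ACTIONS = {"view", "retrieve"}   # actions that expose document content (assumed names)
BURST_LIMIT = 3                       # assumed: max distinct documents per window
BURST_WINDOW = timedelta(minutes=10)  # assumed window length


def find_alerts(log):
    """Return (timestamp, user, document, rule) for each suspicious entry."""
    alerts = []
    recent = defaultdict(list)  # user -> [(time, document)] inside the window
    burst_flagged = set()       # report a burst once per user
    for ts, user, role, action, doc, reason in sorted(log):
        if action not in READ_ACTIONS:
            continue  # storage-level operations do not reveal a document
        when = datetime.fromisoformat(ts)
        # Consultants may work across storage but should not open documents.
        if role == "consultant":
            alerts.append((ts, user, doc, "consultant-document-access"))
        # Every document access must record why it happened.
        if not reason.strip():
            alerts.append((ts, user, doc, "missing-reason"))
        # Many distinct documents in a short time suggests bulk collection.
        window = [(t, d) for t, d in recent[user] if when - t <= BURST_WINDOW]
        window.append((when, doc))
        recent[user] = window
        if len({d for _, d in window}) > BURST_LIMIT and user not in burst_flagged:
            burst_flagged.add(user)
            alerts.append((ts, user, doc, "burst-access"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```
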
Multi-layer your defenses
Effective document protection is a multi-layered exercise that can be compared to the construction of a Vauban-style fortress. It should not rely on a single line of defense which, once compromised, opens up all of a company's information to hackers.
Financial regulators are increasingly examining how regulated entities are storing and managing their data, including their compliance with the enhanced requirements of the European Union's General Data Protection Regulation.
To meet these challenges, Victor Buck Services offers clients certified processes and a range of secure solutions including Docunify, a software-as-a-service document collaboration platform. Docunify incorporates best practice in data security for documentation and workflow management. For instance, it incorporates end-to-end encryption, is protected by two-factor authentication, and meets both EU data protection requirements and the rules laid down by Luxembourg financial regulator CSSF for the financial sector professionals (PSFs) subject to its oversight.
The cost to companies in both financial and reputational terms when data breaches occur is increasing, especially as the tolerance of legal and regulatory authorities for privacy and security failings diminishes rapidly. As the protection of data becomes more central to businesses’ success or failure, the somewhat casual approaches to security seen in the past are no longer acceptable.
Sébastien Poggi, who has 15 years’ experience in data security, oversees the governance department of Victor Buck Services, implementing security measures within the business and playing a key role in integrating security requirements for the benefit of clients, including the Docunify software-as-a-service data security solution.