
dataroomsecure

leaders in data security

White Paper - Protecting Confidential Documents in the Extended Enterprise

Common Misconceptions and Best-Practice Strategies

Executive Summary

Increasingly, important business processes that involve confidential documents are extending outside the corporate boundaries. As important documents travel further from the corporate firewall, their protection becomes paramount. Data security breaches are all too common; today’s business climate demands a better way to collaborate without compromising sensitive information. Common misconceptions about data security exacerbate the problem. A paradigm shift in how business executives and IT view data security is needed. Documents can in fact be kept more secure through best-practice, persistent document security strategies that provide end-to-end protection beyond the firewall. By deploying such a strategy, companies will be able to securely accelerate business and gain competitive advantage.

Introduction

Consider this recent real-life story: A new Silicon Valley start-up recently raised about $30 million in three rounds of venture funding after receiving a valuation of $150 million. Unfortunately, the company’s VP of sales mistakenly leaked the company’s 2007 sales spreadsheet, which showed projected sales of just $1.34 million for the year. In a matter of hours, screenshots of the start-up’s embarrassingly low sales figures were available to anyone and everyone on the web.

It’s no secret: As today’s corporate borders become more fluid and transparent, the risk of inadvertent or intentional security breaches of confidential information grows. Executives residing in remote locations, increased electronic data penetration of imperfect firewalls, 24/7 availability, web-enabled applications and virtual collaborative communities all contribute to an electronic document protection nightmare. Important people deal with important information every day and the more important the document is, the more it wants to travel across corporate boundaries. At the same time, those well-travelled documents can cause the most damage if they fall into the wrong hands. The impact can range from a mildly embarrassing mistake to a fatal blow to your business.

Perhaps this silicon darling wasn’t IT-savvy enough to have a bullet-proof data security strategy. But how about this recent news item? High-tech giant HP had to release its 2007 second quarter forecast early after a copy of an e-mail containing the latest financial information slipped through the confines of the corporate firewall.

These two real-life stories illustrate all too clearly that ensuring confidentiality and control over business sensitive data is no easy task. Why? Because “the business of business” is moving faster than ever, and the technology needed to keep ever-more-widely dispersed documents secure just hasn’t kept up.

This white paper will discuss the enormous cost of data breaches, the rising importance of data security, and common misconceptions that exacerbate the problem of protecting your company’s most important and confidential information. It will look at traditional IT approaches and reveal why they are inadequate for today’s business culture. It will suggest a paradigm shift in how companies view data security, and explore new technologies that meet the needs of the new enterprise.

elaw.com.au


Confidential Documents in the Wrong Hands: What It Costs, Why It Matters

Confidential documents routinely fall into the wrong hands in a variety of ways. Intentional data theft from either inside or outside the company is an all-too-frequent occurrence. Malicious intention is not always the culprit, however. Unintentional breaches happen as well, due to poor data security measures, human error, or both. The imperative of “getting the job done” compels individuals to forward business-sensitive information, whether or not airtight security measures are in place. Regardless, the costs associated with data security breaches can be enormous.

Hard Costs

Forrester Research recently estimated that a security breach can cost anywhere between $90 and $305 per record. That means that the cost of a single, significant breach may run into millions or even billions of dollars. The research firm surveyed 28 companies that had recent data breaches. Hard costs cited included outside legal fees, notification costs, response costs, lost employee productivity, marketing and PR costs, and discounted product offers. Other significant hard costs Forrester warned of that were not part of the estimate included regulatory fines, restitution fees and additional security and audit costs.

Soft Costs

There are significant non-quantifiable costs to a company whenever a data breach occurs, including inadvertent disclosure of key assets, potential loss of customers, negative impact to the stock price, shareholder lawsuits, unfavourable press, and more. These costs can be even more detrimental than hard costs, given their implications, and can eventually run into the tens of millions of dollars.

The Cost of Non-Compliance

Today’s organisations are required to meet stringent corporate governance and compliance requirements, or pay a high price. Recent regulations such as Payment Card Industry (PCI), electronic access of patient information (HIPAA), and the newly amended e.discovery rules (Rule 26 of the Federal Rules of Civil Procedure (FRCP)) underscore the fact that airtight data security is critical in today’s highly regulated business environment. Moreover, regulations such as the Sarbanes-Oxley Act (SOX) now require a fully documented information flow for critical corporate information, creating a need for tamper-proof and persistent audit trails.

Protection of Confidential Documents: More Critical Than Ever

Today, more widely dispersed executives and employees are collaborating, accessing, and sharing important, sensitive corporate information beyond the brick-and-mortar walls of the company, driving the need to share confidential information securely. Business processes within an organisation that require safe sharing of highly sensitive information include executive level information sharing, finance, human resources and research and development, to name just a few.

Increasingly, these business processes extend across the corporate firewall to external partners, contractors, and other outside professionals who need access to confidential documents. For example, many contributors are involved in preparing documents for executive board meetings, and seamless collaboration of remote team members must be ensured. Distribution of information to members of an executive board is often costly and time consuming, and most of all, it is frequently insecure.


case study: Corporate Boardroom

challenge: Sensitive documents were repeatedly being leaked to the press by company insiders, causing disruption and bad press.

solution: The board of directors at the bank deployed a secure virtual data room to lock down all sensitive documents intended for board members.

The result? Leaks were stopped and documents stayed secure. The bank then extended the use of secure data rooms to other functional areas that dealt routinely with confidential information, such as financial reporting, strategy and acquisitions, top management, and human resources.

1. Kark, Khalid; “Calculating The Cost of a Security Breach” (Forrester Research, April 2007)


Leading industry analyst Gartner refers to groups of individuals who collaborate together outside the corporate boundaries as “communities of trust.” According to Gartner, there is a rapidly growing need for ways to “meet the communications and security needs for the ongoing sharing of sensitive data across the Internet between multiple organisations.”

Examples of collaboration-heavy business processes that transcend corporate firewalls are: boards of directors; mergers and acquisitions; business partnerships; management consultants; outsourcing processes; joint ventures with competitors; real estate management; and life science clinical trials.

This trend will continue to grow as more and more collaboration occurs among dispersed individuals located around the globe. These processes need to be secure; additionally, they can’t be impeded by an unwieldy IT security infrastructure that slows down the job that needs to be done.

Common Misconceptions about Data Security

Keeping data secure in today’s dispersed environment is a much more daunting task than it was in the past. Part of the problem is the prevalence of commonly held ideas about data security that simply are not true. Below are three of the most common misconceptions that actually impede organisations in the implementation of a truly secure solution:

Misconception #1: Data Security is IT’s Problem

Most business executives want to know that confidential documents are protected from data breaches without having to worry about the mechanism by which this is achieved. As a result, data security is delegated to IT. But this “hands-off” approach can lead to a number of problems.

First, IT departments are primarily concerned with security from an infrastructure perspective and are not necessarily as concerned about end-user experience. They may spend significant time and resources devising an infrastructure solution that is cumbersome for end users; for example, they may implement encrypted e-mail or encrypted hard disks. Or they may build a company-wide solution for every desktop, which is not necessary and can take years to develop and deploy. It’s like using an all-in-one wrench to fix a specialised problem.

IT-centric approaches to data security tend to take too long to deploy, focus primarily on internal employee desktops, exclude external partners, and/or are too unwieldy to allow ease of use. Or, on the other extreme, an IT solution may not be good enough, and have its own security loopholes.

In short, business executives need to find a way to conduct confidential business that is efficient, includes outside approved participants, and meets stringent security requirements without being at the mercy of cumbersome IT solutions. Because executives are held accountable for data breaches, data security must be a management concern.

Misconception #2: If it’s Behind the Firewall, it’s Safe

Highly confidential documents are in fact more vulnerable behind the firewall than outside. Why? Because there are so many individuals behind a company firewall who could gain inappropriate access.

Perpetrators of data security breaches are often disgruntled employees, “super users” with high access permissions, or individuals who have left the organisation or changed positions, but whose access privileges have not been updated.

case study: Mergers and Acquisitions

challenge: A law firm was heading the sale of a large, well-known automotive company. In the due diligence process, they needed to broadcast sensitive documents to a large number of potential bidders. The challenge was to distribute the data in such a way that recipients could not “keep” the data, to track downloads and gauge interest, and to follow up with more detailed documentation to qualified bidders only. The deal team at the firm wanted to self-manage the due diligence process rather than rely on IT.

solution: The firm deployed a secure deal room, not just for the due diligence process but for the entire lifecycle of the transaction. This included initial strategy, gathering all confidential information quietly, highly controlled due diligence, negotiation, closing, and post-merger integration. The whole process was 100% secure, totally controlled, easy to use, and did not require any IT resources, thus expediting a major merger safely and successfully.

2. Heiser, Jay; “The $10 Billion Market for Communities of Trust” (Gartner, January 2007)


The firewall does not take into account the selectiveness and breadth of individuals in collaboration-heavy business processes. Only a select few individuals should have access to sensitive documents. For this reason, file servers, document management systems, and e-mail are vulnerable repositories for storing and managing confidential documents.

The best and safest solution is one that seamlessly connects authorised users on both sides of the firewall while preventing unauthorised access by individuals both inside and outside your organisation.

Misconception #3: Traditional Security Measures are Good Enough

Business professionals who are tasked with important, deadline-driven projects are generally trusting that the security measures in place are enough to protect the documents they are working with. However, as stated above, some IT security measures are not in fact bullet proof. It is dangerous to assume that any data security measure is better than nothing. The reality is that partial security equals essentially no security.

For example, the practice of sending emails with a disclaimer is widespread, and yet completely insecure; the disclaimer does not in fact “protect” the security of the data or email attachments from unauthorised access. It’s the equivalent to having a “This house is protected” home alarm sign on your front lawn, without the real alarm system installed and functioning.

Another example of partial security is encrypted emails, whose information and attachments are only truly “safe” while encrypted. Once they are unencrypted at the desktop, they are vulnerable. Hard-disk encryption also only solves part of the problem, because it only protects information “at rest”. Once documents are in transit, whether from one laptop to another or from one person to another, the information is vulnerable, since the encryption does not travel with the document.

A New Paradigm

These misconceptions illustrate the need for a major paradigm shift in the way businesses view data security. Traditional approaches to data security like firewalls (perimeter security), encrypting data-at-rest (on the server) or in transit (encrypted e-mail) are insufficient. They assume that highly confidential business information remains in a tightly controlled, definable environment. That assumption is false. The reality is this: Data must move. And it will find its way. Therefore, data protection has to be attached to the document itself and it has to follow the document wherever it goes. This is known as persistent document security.

The new paradigm sees important documents as safer when placed in a repository outside the firewall, a place that is highly secure, accessible anytime, anywhere by a select number of individuals and allows users to control exactly what documents are viewed, accessed, and updated. In this paradigm, documents are stored on a highly protected, encrypted server outside the firewall. Workflows are managed by authorised end users, rather than by IT, so that sensitive documents are shielded from internal or external IT personnel.
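The persistent document security model described above, as an added illustration in Go (not code from the original paper, nor from any data room vendor it describes): the access policy travels inside the protected document and is bound to the content with AES-GCM, while the content key stays with a key service that releases plaintext only after checking expiry and the recipient’s rights. The KeyService component, the document identifier, the principals and the sample figures are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Policy travels inside the protected document and is fed to AES-GCM as additional authenticated
// data (AAD), so altering a single byte of it after sealing makes decryption fail.
type Policy struct {
	DocID   string            `json:"doc_id"`
	Expires time.Time         `json:"expires"`
	Rights  map[string]string `json:"rights"` // principal -> "view" or "modify"
}

// Envelope is the document as stored, e-mailed or copied to a laptop: policy and ciphertext, never a key.
type Envelope struct{ Policy, Nonce, Ciphertext []byte }

// KeyService is a hypothetical server-side component: the sole holder of content keys and the only
// place plaintext is produced, which is what makes the protection persist wherever a copy goes.
type KeyService struct{ keys map[string][]byte } // doc_id -> 256-bit content key

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// Protect seals plaintext under a fresh per-document key with the policy bound as AAD.
func (ks *KeyService) Protect(plaintext []byte, p Policy) (*Envelope, error) {
	buf := make([]byte, 32+12) // 256-bit key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // NewGCM only fails for a non-128-bit block; AES is always 128-bit
	aad, _ := json.Marshal(p)       // strings, a time.Time and a string map always marshal
	ks.keys[p.DocID] = key
	return &Envelope{Policy: aad, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open is called for an already authenticated principal. Expiry and rights are checked against the
// policy the envelope carries; GCM then proves that policy is the one the content was sealed with.
func (ks *KeyService) Open(env *Envelope, principal, action string, now time.Time) ([]byte, error) {
	var p Policy
	if err := json.Unmarshal(env.Policy, &p); err != nil {
		return nil, fmt.Errorf("unreadable policy: %w", err)
	}
	key, ok := ks.keys[p.DocID]
	switch right := p.Rights[principal]; {
	case !ok:
		return nil, fmt.Errorf("unknown document %q", p.DocID)
	case now.After(p.Expires):
		return nil, fmt.Errorf("access to %q has expired", p.DocID)
	case right == "" || (action == "modify" && right != "modify"):
		return nil, fmt.Errorf("%s may not %s %q", principal, action, p.DocID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block)
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, env.Policy)
	if err != nil {
		return nil, fmt.Errorf("policy or content of %q was altered after sealing", p.DocID)
	}
	return pt, nil
}

func main() {
	ks := NewKeyService()
	now := time.Date(2007, 6, 1, 9, 0, 0, 0, time.UTC) // constructed clock
	env, err := ks.Protect([]byte("Q2 forecast (constructed sample)"), Policy{DocID: "board-pack-q2",
		Expires: now.Add(72 * time.Hour), Rights: map[string]string{"director@example.com": "view"}})
	if err != nil {
		panic(err)
	}
	forged := *env // a forwarded copy whose ACL was edited to put the intern in the director's place
	forged.Policy = bytes.Replace(env.Policy, []byte(`"director@example.com"`), []byte(`"intern@example.com"`), 1)
	for _, c := range []struct{ e *Envelope; who string }{{env, "director@example.com"}, {&forged, "intern@example.com"}} {
		pt, err := ks.Open(c.e, c.who, "view", now)
		fmt.Printf("%-21s -> %q %v\n", c.who, pt, err) // the director reads it; the edited policy fails GCM
	}
}
```

Unlike hard-disk or e-mail encryption, the same check applies to every copy of the envelope, however far it has been forwarded, because no copy carries the key.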

case study: Research and Development

challenge: A drug research firm needed a way to share highly confidential research information, including clinical trial data on a new drug, with a pharmaceutical firm interested in licensing the drug. Protecting their Intellectual Property, while expediting the process, was paramount.

solution: This firm designated a secure virtual data room as the central repository for all facets of the drug review stage. They controlled all access to all documents, ensuring that IP information remained highly protected. Once the partner decided to license the drug, the firm continued to utilise the data room as a way to ensure secure project collaboration with its new partner in a highly confidential manner. This approach allowed high productivity, shortened the drug review and partnership process, and reduced the risk of exposing a drug initiative with high earnings potential.


Documents can only be accessed via strong authentication methods that ensure only authorised access. And access rights can be easily managed at a group level or down to an individual level. With these measures in place, documents outside the firewall become in fact more secure, because although they are accessed anywhere, anytime, a complete audit trail captures all activity and documents remain secure in the repository.

Best-Practice Data Security Strategies

Enterprise Rights Management Software

As important information moves farther and farther from the physical boundaries of the IT infrastructure, the technology required to keep that information secure becomes paramount. According to Gartner, “The traditional security mechanisms provided by the operating system or network are just not suitable for meeting this need. However, effective solutions can be found in security technology that overlays the existing infrastructure, instead of being dependent on it.”

Enterprise rights management software (ERM) offers controls at the data level, so in essence, the security “travels” with the document, from the server to the desktop. In this regard, enterprise rights management software enriches encryption to include access control and persistent protection. Recipients can view or modify documents only as allowed. While ERM software is an important step in the direction of end-to-end data security, such a system by itself often requires proprietary software on both the server and the desktop and can be a relatively expensive solution. It also requires significant management overhead: Access privileges need to be assigned according to each document. ERM software addresses the security of moving documents better than does deploying only hard-disk and/or e-mail encryption, but it requires more investment and more management overhead in order to execute. Also, by itself it does not allow “anywhere, anytime” access from any desktop, and therefore impedes executives in remote locations from using various desktop platforms.

The key to successful adoption of an ERM infrastructure within the extended enterprise, therefore, is to deploy such software within an application environment that enables users both inside and outside the enterprise to benefit from such an infrastructure.

A Different Approach: Secure Virtual Data Rooms

Secure virtual data rooms (VDRs) are web-enabled applications that operate outside of the corporate firewall, provide highly secure access and viewing controls at the data level (persistent security), but do not require proprietary server and client-side software. VDRs are offered as a web-based service, and so require no IT infrastructure; however, they can also be integrated with an ERM infrastructure to provide even greater functionality.

The most sophisticated VDRs offer the highest security standards, including two-factor authentication, encryption and tamper-proof audit trails. Extremely important features to look for are operator shielding, in which software and operating processes ensure that the VDR operator is not able to read customer data, and end-to-end security, in which documents can be access-controlled even after delivery to users’ desktops. VDRs combine these security functions with communications and administration tools that allow the end user to easily set access rights, organise workflow, and ensure complete control over everything that happens in the data room, from beginning to end.

A secure VDR provides a central repository for confidential documents located outside the IT infrastructure. It gives business executives the control they want and need over highly sensitive documents, regardless of where documents “live,” in a way that facilitates business rather than hinders it. Some VDRs offer additional features for specific applications, like voting mechanisms and acting-by-proxy rules for virtual board rooms. VDRs are device-agnostic, so any authorised individual can enter the data room anytime, with any web-enabled device, wherever they are.

case study: Fund Management

challenge: A large financial services firm needed to ensure secure business processes and communications for an investment fund involving multiple interests, including limited partners, investors, law firms, accountants and consultants. These groups needed to perform due diligence on potential acquisition targets and/or investments in the fund.

solution: The firm used a secure data room to organise the business processes needed for successful fund management. This involved partitioning the data room into separate areas for different parties and then controlling access to information. This was accomplished with no deployment of additional hardware or software and zero upfront training for all parties involved.

3. Heiser, Jay (Ibid)

Summary

Critical business processes involve highly confidential, important documents that need to be safely accessed anytime, anywhere. Poor security measures based on a “traditional” view of data security have led to high-profile, significant data breaches.

Business will go on, with or without the proper controls. Documents will move, and the farther they move from the corporate boundaries, the more imperative it becomes to keep them secure, wherever they reside. Your most important information cannot be vulnerable; the cost in real dollars, non-compliance and business risk is simply too high. You need to ensure that your most important data is not only secure, but also easily accessible by those individuals who need such access. Security cannot be achieved at the expense of business acceleration.

The technology implemented to ensure security in this new era of business must change. What’s needed is a paradigm shift in the way you think about data security. Putting confidential information outside the firewall is actually safer and more expedient for all parties involved. Fortunately, there are solutions today that understand this new paradigm and are providing new ways to allow you to conduct important business securely without being impeded by IT complexity.

case study: Supply Chain Security

challenge: A manufacturing company needed to exchange plans, specifications and CAD files with its partners in the supply chain. The challenge? The partners in this project happened to be the company’s competitors in other areas of the business. It was imperative that the information stayed within the business unit of the partner company without travelling to divisions of the company that had competing interests.

solution: The company used a secure data room service for secure document delivery of all related manufacturing information with a complete audit trail. It also used the secure data room service to connect with an SAP application to create and distribute documents automatically. This process allowed fast, secure access to relevant documents, while providing a tamper-proof audit trail of all activity in the data room.

case study: Global Project Management

challenge: A global company needed to form an international consortium of partners, customers, and suppliers to collaborate on a major project. Of top concern was protection of the IP of the consortium. This company had to ensure that confidential information was not leaked to partners that had competitive interests in other areas of their business.

solution: A secure data room for this project was set up and managed by a neutral service provider, so as to avoid conflict of interest. The data room enabled real-time document accessibility, with fine-grained access controls and end-to-end security. As a result, project members from the various companies could easily access project-related documents on demand, IP was protected, and documents were successfully kept from potentially competing business units within the company.

About Us

e.forensics

e.discovery

bureau services

e.courts

document review & case management software

online data rooms

e.law Asia Pacific is a privately owned company providing specialised products and services to many of Australia and Asia’s largest legal, corporate and government organisations.

At e.law we seek to work in partnership with our clients offering services that are competitively priced, high quality, fast, reliable, innovative, wide ranging and adaptable. We look to build and sustain long term relationships with our clients where risk and reward is shared.

Contact e.law Asia Pacific

General Enquiries: [email protected] | 1300 136 993 | overseas call +61 2 9221 1366

Office Locations: Sydney, Melbourne, Brisbane, Perth, Hong Kong, Shanghai

elaw.com.au

e.newsletter

Subscribe to e.law e.news and receive updates on products, services, industry trends, upcoming events and more at e.law! We provide our monthly newsletter service via a short HTML email; if you would like to receive a copy, please register by completing the registration form online at elaw.com.au. You may also unsubscribe at any time.

Quality ISO 9001