Posts tagged "security"

Protect Your Business Information: Prevent Document Deterioration, Misuse and Loss with EDM

Security concerns are in the news a lot lately. The government has issued public alerts against terrorist activity. Military experts are debating how to maximize armed forces’ safety amid intensified conflict in Afghanistan. Medical experts are producing a vaccine to combat Swine Flu. Each issue focuses on the need to ensure public safety. Yet most businesses – including agencies that rely on timely, accurate information to make decisions about public safety – overlook a serious risk that jeopardizes their effectiveness and ability to survive. The threat? Inadequate document security.

Businesses need secure access to accurate information to make smart decisions. Usually information is scattered:

  • on paper (subject to deterioration, misfiling, security breaches, and loss);
  • trapped in the minds of executives, managers and workers (subject to unintentional alteration and selective memory); and
  • stored in electronic documents and software applications (subject to inconsistent rules, conflicting policies, and difficult to lock down).

A recent 2009 AIIM report entitled Electronic Records Management – Still Playing Catch-up with Paper shows 60% of managers surveyed couldn’t be confident their records hadn’t been altered, deleted, or inappropriately accessed if they were challenged. More than 70% had no provisions for long-term electronic record archival; 31% had twenty or more content repositories that could be usefully linked (and presumably weren’t, complicating access and security). Many respondents described their electronic records as unmanaged; most lacked email management policies. It doesn’t take an expert to uncover a foul brew of document security concerns. Ignoring document security invites trouble.

Set clear policies

Document security has two sides: human and technological. Management has the onerous job of weighing rules and regulations against operational needs and determining acceptable risks versus those that jeopardize their business objectives. Identifying unacceptable risk is a precursor to creating governance policy.

Communicate policies frequently – in writing

Rules are futile unless they’re communicated – frequently, understandably, and in writing. Understanding what constitutes risk, acceptable behavior, and the penalties for disobedience dramatically reduces employee blunders. Convey your rules and reasoning clearly. Document your communications. You’ll reduce company risk by demonstrating intent to comply.

Well-laid plans, smart hiring decisions, and regular communications minimize risk, but they don’t guarantee document security. Where 100% document control is hindered by human limitations, web-based electronic document management (EDM) excels – governing, observing, and tracking file use, 24/7.

Emulate policies electronically

Everyone hears about planned security breaches. Yet typically, compromised document security is unintentional:

  • People view sensitive information while searching for unrelated information.
  • Employees inadvertently destroy original files without noticing copies or imported documents are faulty or illegible.
  • New employees don’t know the rules and handle documents improperly.
  • Temporarily removed or inappropriately stored documents can’t be located on demand for audits, subpoenas, or processing.
  • Workers delete documents deemed worthless, learning afterward that retention rules changed or they were mistaken.

EDM ensures security from the moment of capture, preserving file integrity throughout the business lifecycle and providing a central repository for stored information. Readability and integrity are verified upon capture. Digital storage eliminates deterioration, misfiling, or loss. Files are readable, properly stored, and secure. Customizable security determines who can retrieve, view, edit, annotate, manage, move, or delete files. Administrators can set rules for data use and walk away, knowing employees can access whatever they need.

Remove temptation and filing mistakes

Companies are increasingly subject to strict regulations governing information use. EDM enforces your governance policies, letting you:

  • Restrict file access by creating pre-defined searches to retrieve files staff need.
  • Restrict document viewing to specific personnel by job role and document type.
  • Associate individual editing and annotation rights to pre-specified users and file types.
  • Ensure only authorized persons can delete batches, files, and/or pages of documents.

Assure consistent indexing

Employee logic varies for document classification and search. EDM enables standardization, making filing consistent and search 100% successful.

  • Assign documents to batches during scanning or importing.
  • Index documents by document type, customer ID number, and other unique identifiers.
  • Associate related documents for a comprehensive view of information.
  • Validate the integrity and accuracy of scanned and imported files through automated validation; request alerts when documents require intervention.

Digital capture gives you control over your content.

Prevent document alteration

Document alteration poses huge security risks, especially in the face of litigation and audits. ECM allays fears of inappropriately altered documents. You can:

  • Restrict document annotation and alteration rights to pre-designated persons.
  • Ensure file alteration and editing rights reflect current policies.
  • Store business-critical emails as unalterable documents.

Avert inappropriate file deletion

Missing and lost documents typically comprise 7.5% to 11% of all document requests, with workers spending anywhere from 20-50% of their time looking for information. MIA documents cost time and money to recreate; if they’re needed for an audit, subpoena, or industry mandate and not found, penalties can accrue.

EDM ensures documents aren’t deleted until they’re scheduled to be migrated or destroyed. By limiting user rights, you ensure against accidental and intentional purging. Automated retention assures document migration, purging, and deletion follow your rules. Regulatory changes? No problem: EDM grasps new instructions immediately, adhering to governance directives.

Adjust rules as hierarchies change

Between a quarter and a third of employees change jobs or positions annually. Promoted employees suddenly need access to additional information. Demoted workers lose rights to access particular documents. Some are fired or leave, creating concerns they may take information with them, and new problems arise as knowledge must be transferred to new hires.

EDM tackles these issues with ease:

  • Users and feature rights are pre-designated electronically, making appropriate files accessible immediately to new employees.
  • Administrators make documents instantly inaccessible to departing employees by deleting user rights and features, eliminating the risk of inappropriate file use.
  • Rules and rights are easily reconfigured, ensuring new employees can access repositories and files they need without the risk of stumbling on sensitive information or overlooking policies for document access and use.

Lock down email

Email management eludes many managers. Critical communications about customers, partners, third-party vendors, staff, product plans, licensing information and more are often trapped in email inboxes, inadequately archived and difficult to find.

By managing business email within EDM, you can:

  • Index and archive critical emails as documents of record.
  • Restrict access to email content, while disclosing contents to authorized persons.
  • Regulate printing, migration, and deletion of stored emails to specific users.

Avoid disaster

The topic of avoiding business disasters drew attention this year when the Association of Corporate Travel Executives (ACTE) recommended that companies limit how many executives can travel simultaneously on the same corporate or commercial plane. Experts recognized that a single calamity involving the loss of multiple top-tier executives constituted unacceptable risk, as it could destroy a company and result in considerable job loss. The same is true with the loss of your business-critical documents.

Document preservation is the left hand to the right hand of document security. Careful planning, quality EDM, and appropriate professional services ensure you have:

  • Effective backups and fault-tolerant, redundant systems that ensure you stay connected to your information.
  • A disaster recovery plan that outlines the hierarchy of document importance to ensure business continuity and accelerate document recovery.
  • Uninterrupted access to your business-critical information if a disaster prevents staff from working onsite.
  • Physical data recovery in case a real disaster strikes or your system is shut down.

Forge ahead

If your company makes the headlines, don’t let it be because of a security breach or shutdown. Creating a document management strategy and investing in EDM means your past, present, and future documents will be in the right hands, whenever and wherever they’re needed. By leaving the arduous task of document management to EDM, you’ll have more time to focus on taking your business to the next level. Good luck!


Optical Image Technology offers an integrated suite of imaging, document management, and workflow software, including document archiving, lifecycle management, electronic forms, and email management products. To learn more about our products and services visit our website at www.docfinity.com, email info@docfinity.com, or call us at 800-678-3241.

Are Your Electronic Documents Secure? Manager’s Checklist for Evaluating Your EDM System’s Security

Since business documents and their content drive the decisions and record the transactions that take place in every business, it’s critical for managers and their workers to ensure they’re secure. In an age where digital file management is increasingly necessary for a business to operate efficiently and remain competitive, it’s understandable the topic is receiving renewed attention, especially with several high-profile security breaches that should never have happened. Rest assured electronic document management (EDM) is far more secure than managing paper-based documents – but only when you have a flexible, rules-based system that provides the levels of security you need. Robust options and flexibility must be matched by administrative simplicity, so that your systems administrators can use it confidently.

Managing an EDM solution bears similarities to driving a car. When you climb into the driver’s seat, your dashboard displays the choices you need to make and the information you need to drive. You can choose multiple speeds and directions; change the air temperature using a few levers or buttons; or manipulate controls to play your favorite music. If the gear shift didn’t display reverse, the air only blew cold, or the music only offered a loud bass sound, driving would be frustrating. If you had to fiddle with the labyrinth of wires under the hood every time to get the desired results, you would drive only when necessary, and might abandon your car altogether. Fortunately, although the mechanics are complex, driving is made easy through a system of clear and appropriate choices. So it must be with your EDM system’s security.

Establish the right levels of document security

Security comes in all shapes and sizes. You need to make sure your system is robust and flexible enough to adapt to your unique and changing business needs. Make sure your EDM system will let you:

___ Designate who has the authority (and, by inference, who does not) to set and change security rules in the EDM system to avoid tampering.

___ Establish groups of users by department, role, or job function (such as company directors, accounting or HR staff, or field agents).

___ Lock down access of particular files to specific users and groups.

If BPM/workflow is part of your EDM solution, make sure you can:

___ Limit user rights for workflow design so only authorized persons can create or amend design elements (such as naming or renaming a workflow process, establishing timeframes for jobs to be completed, etc.).

___ Specify which feature rights user groups or individuals can have within the routine workflow processes they are authorized to access (such as starting a workflow, accessing or checking out specific jobs, or moving a job from a common work queue to a personal queue).

Decide which rights users need

Although many workers may need to generate business content, you need to ensure that content is properly managed after it’s been created. For example, let’s assume you want department faculty who have conducted student interviews to add comments to a student’s application, but don’t want them to be able to delete or change information on the application. Your system must be able to lock down information that should be unalterable, while allowing content to be added by appropriate persons.

EDM is all about establishing rules and enforcing consistency. As you analyze each document type, ask yourself:

___ Which groups of users should be authorized to view the content?

___ Which user groups should be allowed to edit the content?

___ Are there groups of employees that should be allowed to delete the documents?

___ Which groups need to be given the right to email designated document types as attachments?

After you have analyzed and understood the relationship between each of your user groups and your document types, make sure your solution can meet your business requirements.

Make sure system access is easy, yet secure

If you are planning to implement or upgrade your EDM system to take advantage of multiple components such as imaging, BPM/workflow, electronic forms, signatures, archiving, and more, consider how users will access the system for each of these functions. Ask your vendor:

___ Will users need a separate logon and password for each module or functionality within the system? Or can users move effortlessly from one feature to the next after they have logged into the software system?

___ Will users have to log off and back on each time they exit the EDM system to access other software, or can they remain logged in and work seamlessly between multiple applications?

Remember, you want to ensure only authorized persons can log on to your EDM system, but you also want to help them to work efficiently once they have access. Constantly logging in and out to access, exit, and re-access elements of EDM hinders the very productivity that EDM software is intended to enable.

Make sure your system will reveal tampering

Your documents should be safe from misuse if your EDM security is robust and configured properly. Yet even when your documents are 100% secure from inappropriate staff access or use, security breaches can come from a wayward systems manager or database administrator. Make sure your software can help you spot tampering easily if there is a security breach. Your EDM system’s audit logs should show clear evidence if someone breaks into the system, then makes changes that are unauthorized by the software and attempts to cover it up. Not every solution reveals dark secrets as they occur. Make sure your system can, and will.

Put yourself in the shoes of your system administrator

Even if you don’t consider yourself to be particularly IT savvy, it’s smart to put yourself in the shoes of your systems administrator as you evaluate EDM systems. After all, you want to provide a solution that is secure, yet easy to administer and support. Ask yourself:

___ Does our EDM software offer the levels of security and degree of flexibility required to address all of our business needs?

___ Can we make changes on the fly that will be immediately adapted and enforced by the software? (If the software’s limitations cause you to compromise the levels of security that industry regulations or your internal policies dictate, you should consider another solution.)

___ Is the EDM solution’s security configuration intuitive? Does the software have drop-down menus or drag-and-drop configuration choices to guide the administrator, as well as text tips and clearly written documentation when questions arise?

___ If a BPM/workflow solution is in place, what happens when security rules are amended while a process is in motion? Is the system design flexible enough to adapt immediately?

Make sure your EDM solution will deliver the levels of security you need without being so complex that it’s unmanageable. Employees, staff positions, and policies change constantly. As administrators add users, groups, and rights to your content management system, your software configuration needs to offer multiple choices for locking down the system, its contents, and user rights. It also needs to be straightforward enough that IT systems administrators understand how to make requested changes, have confidence that their alterations were done correctly, and know the rules they put in place will deliver the desired results. Any solution that leaves its administrator uncertain whether the outcomes will reflect what s/he intended should be reconsidered in favor of something that’s easier to manage.

Drive with confidence

For your business to succeed, you need to know the information you collect is consistent and complete, quickly and appropriately available to those who need it, managed according to your business rules, secure from tampering, and easily auditable. Whether you choose a simple scanning and storage solution, integrate EDM with multiple business applications for centralized data access, or automate your business processes, anything less is unacceptable. Choose wisely.

Firefox security issue - upgrade immediately

The Federal Office for Information Security made a similar ruling on the safety of Internet Explorer in January.

The office warned that the Firefox vulnerability, confirmed by Firefox makers, could allow hackers to run malicious programs on users' computers.

A new browser release at the end of the month will fix the bug which relates to the current version, Firefox 3.6.

A "beta" or test version of that release, Firefox 3.6.2, is already available but has not yet been fully tested.

The BergerCERT team of the Federal Office for Information Security (BSI) has recommended that users stop using Firefox until the tested fix is released - in a move remarkably similar to the January announcement, in which France followed suit just days later.

Fox swap?

The Firefox vulnerability was confirmed by maker Mozilla last week on its security blog, when it promised that the next official release would address the issue.

It is only the current version that is affected, but given that prior releases have different vulnerabilities, reverting to an older version of the browser is ill-advised.

Switching to a different browser may not be a good solution either, said Graham Cluley, senior technologist at security firm Sophos.

"Switching your web browser willy-nilly as each new unpatched security hole is revealed could cause more problems than it's worth," he said.

"What are you going to do when your replacement browser itself turns out to contain a vulnerability?

"My advice is to only switch from Firefox if you really know what you are doing with the browser you're swapping to. If you stick with Firefox, apply the security update as soon as it's available."

Mozilla said it hopes to have the latest version ready ahead of the official 30 March release date.

"Last week we informed our users that the upcoming security release of Firefox 3.6.2 would include a fix for an exploit that was disclosed to us just over a week ago," said a Mozilla spokesperson.

"Mozilla is aware of the BergerCERT recommendation to avoid using Firefox 3.6, and encourage users to download the beta version of Firefox 3.6.2."

A New ASP.NET Security Framework Comes with Bitrix Site Manager 4.6

With all websites increasingly under attack, Bitrix ups the defences with a new security system for its users.

Fighting off the Attack

The number of sites being corrupted and having data stolen, or being used to infect the PCs of visitors with malware, is rocketing. To help protect the sites of its many users, Bitrix has come up with a Proactive Protection (PRO + PRO) platform for its ASP.NET Web CMS product.

With proactive protection, it locks down sites by monitoring incoming data (working as a firewall) and detecting common attack vectors such as cross-site scripting attacks and SQL injections.

To test the product, it was let loose at a recent Russian hacking event, Chaos Construction 9, where it staved off thousands of attempted attacks. Naturally, defense can never stand still, and more security features are already promised for the next update. These will include one-time passwords, an integrity checker, an abnormal activity detector to sniff out suspicious behavior that might indicate a new type of attack, and IP-based authentication.


Defense, Defense

Suspicious activity is logged for later inspection, or for evidence. The framework has been certified by Positive Technologies and complies with Web Application Firewall Evaluation Criteria established by the Web Application Security Consortium.

Going Social

The update also has some additional features for social networking including improved blog and forum support, searchable content and management of video and images. Articles can be posted directly from Word or other sources.

Site Manager ASP.NET is available today with a 30-day free trial, and it can be purchased at the Bitrix store, which currently offers a 30% discount at US$ 690. The price includes a one-year subscription to technical support, updates and upgrades. Existing users can upgrade live online, and the update happens in real time, automatically, using the SiteUpdate module.

Sites running Exponent CMS are under attack

According to a recent post on the Exponent CMS website, a large number of websites running Exponent CMS have been successfully attacked by hackers.

From the post:

The type of hack and process for execution has been identified. With the combination of some clever SQL passed through via URL to certain Exponent Modules lacking proper request value sanitation, the hackers were able to pull up information from the user table. The passwords for Exponent users are converted to an MD5 hash before being saved to the database, but if the password isn't strong enough, the hackers were able to easily take the MD5 hash to any number of websites that will reverse the MD5 hash, giving the hackers the access they need to mess with an Exponent site to their liking.

Details about how this hack was accomplished, and how to protect your site against these attacks are explained in detail on this thread.
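The two weaknesses named in the quoted post, shown next to their fixes. This is an added example, not Exponent CMS code: Python with an in-memory SQLite database stands in for the site's stack, and the table, function names, sample rows and PBKDF2 work factor are all assumptions made for illustration.

```python
# Added illustration; not Exponent CMS code. Table, column and function
# names are hypothetical, and SQLite stands in for the site's database.
import hashlib
import hmac
import os
import re
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def make_db():
    """Build a constructed in-memory database with two sample posts."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO posts VALUES (1, 'Welcome'), (2, 'Release notes');
        """
    )
    return db


def get_post_unsafe(db, post_id):
    """'Before': the request value is pasted straight into the SQL text."""
    return db.execute(
        "SELECT id, title FROM posts WHERE id = " + post_id
    ).fetchall()


def get_post_safe(db, post_id):
    """'After': validate the type, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", post_id):
        return []  # anything that is not a plain integer id is rejected
    return db.execute(
        "SELECT id, title FROM posts WHERE id = ?", (int(post_id),)
    ).fetchall()


def md5_hash(password):
    """'Before': unsalted MD5, identical for every user with this password,
    which is why public lookup tables can reverse weak ones."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password):
    """'After': per-user random salt plus PBKDF2-HMAC-SHA256 key stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    try:
        scheme, rounds, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
        )
    except ValueError:
        return False  # malformed record: fail closed
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed request value that carries SQL
    print("unsafe rows:", get_post_unsafe(db, crafted))  # condition rewritten
    print("safe rows:  ", get_post_safe(db, crafted))    # rejected as non-id
    print("md5 repeat: ", md5_hash("letmein") == md5_hash("letmein"))
    first, second = hash_password("letmein"), hash_password("letmein")
    print("salted differ:", first != second)
    print("verifies:   ", verify_password("letmein", first))
```

Existing MD5 records can be migrated by re-hashing each password with the salted scheme the next time its owner logs in successfully.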

SMB Tech Roll-up: Social Media Is Good And Bad For Business, With Security Top of Mind

We have a mixed bag of news for SMBs with conflicting views on whether social media is good or bad for business. There was a lot of other research published this week giving a considerable amount to think about for companies in, or thinking about entering the tech fray.

Social Media is good for Business?

American SMBs are turning to social media in an effort to boost their customer base, according to the recently released Small Business Success Index.

Sponsored by Network Solutions and the Center for Excellence in Service at the University of Maryland's Smith School of Business, the report shows that over the past year alone social media adoption by small businesses has doubled from 12% to 24%.

The research showed that nearly one out of five small business owners is actively using social media in their business with many of them investing in social media applications, including blogs, Facebook and LinkedIn profiles.

The biggest expectation small business owners have from social media is expanding external marketing and engagement with 61% of the respondents indicating that they use social media to identify and attract new customers.

Amongst the findings:

  • 75% surveyed have a company page on a social networking site
  • 61% use social media for identifying and attracting new customers
  • 57% have built a network through a site like LinkedIn
  • 45% expect social media to be profitable in the next twelve months
  • 72% have found ways to operate more efficiently

However, it also showed that there were still some concerns about using social media with:

  • 50% saying it takes more time than expected
  • 17% saying it gives people a chance to criticize their business in a public forum

Only 6% felt that social media use has hurt the image of the business more than helped it.

Download a copy of the Small Business Success Index and also find out how your business scores on the six key dimensions of small business success from the growsmartbusiness.com website.

Social Media Is Bad For Business?

The flip side of the Small Business Success Index is the report from Webroot, which was also published this week showing that IT managers in small and medium-sized organizations believe malware spread through social networks, Web 2.0 applications and other Web-based vectors will pose the most serious risk to information security in 2010.

The data is part of a new survey of 803 IT professionals in companies with 100 to 5,000 employees in the United States, the UK and Australia.

The vast majority of respondents (80%) say Web 2.0-based malware will be a problem in 2010. In fact, seven out of 10 (73%) said Web-based threats are more difficult to manage than email-based threats. Survey respondents also identified data security and confidentiality, data loss prevention and securing mobile and laptop users as the top three priorities for Web security in 2010.

Webroot commissioned the survey to identify the threats security professionals most anticipate in 2010, the weakest links in Web security and how companies are addressing these issues.

Key findings include the fact that nearly one quarter of those surveyed believe their company is very or extremely vulnerable to threats from:

  • Microsoft operating system vulnerabilities (25%)
  • Unpatched client-side software (24%)
  • Browser vulnerabilities (24%)
  • Web 2.0 applications (23%)

The majority (73%) of respondents agree that managing Web-based threats is more challenging than managing email-based threats.

And while many believe they are under threat, many others have already been compromised. These included:

  • 23% compromised by employees who accessed personal Webmail accounts
  • 24% used social networking sites
  • 25% used P2P networking
  • 32% downloaded media

If you’re interested in more, check it out on the Webroot blog.

SMBs Maintaining Not Upgrading Software

SMBs are spending more than half their budgets on maintaining existing software rather than on new or upgraded software, according to Forrester's latest Enterprise And SMB Software Survey.

The survey of nearly 2,200 IT executives and technology decision-makers at enterprise and small and medium-size businesses (SMBs) in North America and Europe is part of Forrester's Business Data Services (BDS) series, which helps Vendor Strategy professionals profile their target market's budget allocation and technology adoption.

The survey shows that the poor economic environment has created a backlog of business application software upgrade activities for firms, and many plan to address the issue this year.

Amongst the areas companies will be spending on are:

  • 21 percent of SMBs plan to upgrade existing finance and accounting software,
  • 19 percent of SMBs plan to upgrade their customer relationship management (CRM) applications,
  • 18 percent of SMBs plan to upgrade industry-specific software.

In addition, more than 20 percent of all SMBs have concrete plans to implement CRM or information and knowledge management (I&KM) software in 2010 or later, representing the fastest-growing SMB software markets in 2010.

While cloud computing has many enterprises interested, growth of software-as-a-service (SaaS) applications is driving the market more, and infrastructure-as-a-service (IaaS) is still slow, the report also shows.

More information about Forrester's Business Data Services is available at the Forrester website.

UK SMBs Save By Not Using WiFi

Instead of relying on Wi-Fi hotspots, small enterprises’ employees should use mobile broadband USB sticks and datacards when traveling to save their businesses an average of UK£ 2145 (US$ 3368) each year depending on the number of employees on the road, according to research by UK telecoms, technology and media consultancy Analysys Mason.

Entitled Small Enterprises Save Money With Mobile broadband, published ahead of Mobile World Congress 2010 just finishing in Barcelona, it shows that each employee who travels throughout the year can accumulate Wi-Fi hotspot charges of up to UK£ 700 (US$ 1099).

All in all, the quality of service, simplicity and performance of mobile broadband in the UK is very good. SMEs can choose highly competitive offerings, with or without contracts from different providers.

This short report is part of Analysys Mason’s Research Enterprise program on the global enterprise and SME sectors.

If you’re interested in more, details of the report can be found on the website.

NetDocuments Adds Extra Document Security With RSA SecurID

There are probably a lot of clients of the SaaS document management company NetDocuments that will be glad that the company has decided to team up with security giant RSA by entering the RSA Secured Partner Programme.

The long-running program established by RSA is a technology alliance that brings together over 300 companies with over 1000 complementary solutions.

So what’s the big deal with NetDocuments, you ask? Well this partnership will add an extra layer of security to the already substantial security checks in place to protect documents that are being held by NetDocuments.

SaaS Security

NetDocuments was set up in 1998 to enable clients to manage and collaborate on documents, emails and records, in a SaaS environment.

The company says that its clients now include some of the US’s biggest law and financial institutions, as well as hundreds of smaller firms, and all of them expect their documents to be kept secure.

NetDocuments has done just that with a list of security measures that would keep even the most determined out. Those features include document-based access control lists, ethical walls, smart auto ACL defaulting, Microsoft Active Directory single sign-on, certificate-based authentication and a patented binding of access privileges into each document.

And now, if that wasn’t enough, they’ve signed up with RSA so that mutual clients will have the added security of the RSA SecurID system.

RSA Secure

And very secure it is. The problem, RSA says, is that security built on static, reusable passwords has proven easy for hackers to beat — and anyone who even half-listens to the TV will know that.

So what RSA has done is implement a two-factor authentication system based on a password or PIN number on the first level and on the second level a security token similar to an ATM card that must be used if access is to be granted.

In addition, with SecurID your password changes every 60 seconds. So you’d really have to be quick if you wanted to hack it.

What the new arrangement between the two companies means is that clients who already have RSA SecurID will be able to transfer those security benefits across to NetDocuments.

Why RSA Now?

Why NetDocuments has made this move may have a lot to do with the growing list of blue-chip clients it has managed to pick up in recent years.

In August, for example, it announced that it was developing integration with Google Wave, which will make the collaborative reach of the service much greater than it currently is.

As early as 2002 it made SaaS available for law firms, and you can only imagine the suits and counter-suits if someone managed to hack their way into their documents.

And in August 2006 NetDocuments also announced that it had become fully integrated with Salesforce.com.

The bottom line here is that if by chance NetDocuments got hacked, there would be a lot of very angry, important and litigious companies baying for blood. Better safe than sorry.