
5 Critical use cases in Companies where Securing Information

There are many cases in which an Information Rights Management (IRM/E-DRM) solution like SealPath can help you manage the security of your business documentation more efficiently. SealPath applies dynamic protection to information, which travels with it wherever it goes. The owner of the information can change the permissions on the files and even revoke access to them, even if they are no longer in their possession.

In addition, the user who has protected the documents can monitor the actions on the document: who has opened it, whether someone is trying to open it without permission, etc. The organization administrator can also have a global view of the activity of all protected documents in the organization.

1. Facilitating secure remote work

Remote working has become a reality for companies around the world. The global Covid-19 pandemic has increased teleworking exponentially, but it is a trend that has come to stay. Remote work poses serious risks when it comes to managing sensitive information, as corporate data reaches unmanaged computers and networks with a lower level of security than corporate ones.

Whereas before only a small part of the organization’s sensitive documentation left the organization, in a remote work situation, even though users access their computers via VPN, a good part of the company’s sensitive documentation goes to computers outside the organization, even to personal devices.

Through a data-centric security approach such as SealPath, the owner of the documents has the ability to trace accesses and control their data. It doesn’t matter where the data is. The company continues to be its owner, and if it is necessary to revoke access to critical information for users who have left the organization, we can do so as simply as pressing a button on the SealPath control panel.

2. Increasing cloud security

Information sharing in the cloud has grown exponentially in recent years. The corporate information that was previously stored in file servers or document managers within the organization is now stored in cloud applications that act as remote data repositories.

There are different types, such as remote disk drives like Amazon S3 or Azure Files, where the organization can store large amounts of files in the cloud. In other cases, EFSS (Enterprise File Sync & Share) solutions such as OneDrive, Google Drive or Box are used to store organization files and keep them synchronized with the local computer. Also, document managers such as SharePoint Online allow you to synchronize documentation with local folders on disk.

On many occasions, corporate information also ends up in personal clouds such as Dropbox or the personal versions of Google Drive.

It is possible that the access permissions to these files are controlled, but what happens when this information is downloaded or is on a local computer? We lose control over this data.

By applying encryption that travels with the data, we can guarantee that it is safe whether it is in a private or public cloud, in Box, Office 365 or Google Drive, or on the user's computer after being downloaded. At any time we can block access to the document and follow it, whether it is in the cloud or has been downloaded from it. SealPath also allows automatic protection in this type of repository and the possibility of accessing protected documents in them directly from the browser, without having to download them.

3. Securing financial or legal documentation

Two of the departments in organizations that manage the most sensitive confidential information are financial and legal. Financial reports, projections and contracts for operations in progress that reach the hands of those who should not have them can cause serious damage to the organization.

Often the risk is not external but internal: this information can be accessed by malicious internal users. A marketing document, already published on the organization’s website, is not the same as a contract that is being closed with a partner or data on sales, purchases, etc. managed by the organization’s financial department.

As we have discussed in previous sections, this information can be on a network server, in the cloud or on users’ computers, even on personal computers at home. Instead of controlling permissions in these locations, why not apply permissions and protection controls that travel with documents wherever they go?

Let’s not forget that infrastructure teams have administrator permissions on network shares and on cloud applications. However, in these locations we keep documentation that they should not have access to either.

By protecting this data with a data-centric security approach we will be able to keep it safe from improper access and trace any access even by IT personnel.

4. Securing the information of the Management and the Board of Directors

Strategic plans, Management meeting minutes and information on possible mergers or acquisitions are some of the types of confidential documentation managed in the Management field.

In many cases, there are members of a company's Board of Directors who are external to the organization and do not work in it on a day-to-day basis. However, critical corporate information needs to be shared with them. Sometimes information related to mergers, acquisitions or sales is shared that, if leaked, could damage the operation or the organization itself.

This documentation is normally on PCs, laptops and other devices of senior company managers or members of the Board of Directors. These computers are not safe from carelessness, loss, or a possible malware attack.

It is critical that we control who can have access to this information, with what permissions, from which networks, and that we audit any improper access at all times. A data-centric security solution can keep Board communications and Management data encrypted and protected wherever they travel, both inside and outside the organization.

5. Regulatory compliance

In the case of companies and organizations that operate within the European Union, under the EU-GDPR, it is necessary to keep under control the personal data of citizens that they manage, especially data from certain categories such as medical data, union membership, religion, etc.

Not only is it necessary to give notice in less than 72 hours of a loss of third-party personal data that we manage, but organizations are also exposed to significant penalties that can reach €20M or 4% of the group’s global turnover.

Can a large company risk losing the third-party data it manages and being exposed to these types of fines? There are many ways in which this type of data can be exfiltrated: human errors, malicious employees, a leak at a partner with whom we collaborate, a malware attack…

Let’s not forget that in recent ransomware attacks, not only is data being encrypted within the organization, but attackers are extracting it and extorting the victim with the threat of publishing it if a ransom is not paid. Already, many organizations have paid these ransoms of hundreds of thousands of dollars to avoid fines, litigation and further repercussions on their reputation.

Under other regulations, such as PCI, controls must be applied to financial information. In other countries outside the European Union there are also similar regulations that organizations must comply with. These regulations normally recommend encryption as an efficient protection technique, but if we can also apply access, revocation and auditing controls, we will be substantially improving the security with which this type of information is managed internally.

Applying protection that travels with the data and allows us to audit accesses keeps files containing third-party, financial or medical data safe in any location. If they are exfiltrated in a malware attack such as ransomware, the attacker will find that they are encrypted and will not be able to access them.
