Board documents are naturally and obviously confidential. Most or all of the things a board discusses are not ready to become public knowledge and should not be widely shared. Sometimes, however, these documents have to be distributed to those who aren’t part of the corporate network – or even made accessible via the internet.
A leak of these documents can spell disaster for businesses. Documents like strategy papers and market analyses can tip off competitors if made public. Merger and acquisition documents and draft accounts can thank the share price, and internal reviews can negatively affect public image if not properly handled.
Due to the highly sensitive nature of these documents, they are often controlled by a secretary rather than the larger IT department and its processing. They therefore require a system that’s simple enough for one person alone to manage yet provides effective protection against leaks or cyberattacks. Let’s have a look at some of the options:
Adobe PDF Security
A natural place to turn for document protection is Adobe PDF security. Adobe Acrobat has widespread usage across enterprises, is a trusted name, and its PDF reading and editing functionalities are excellent. It’s somewhat natural, then, to assume that the document security Acrobat offers is just as good.
By this point, however, most should know that it’s far from good enough to protect documents this sensitive. Adobe PDF relies on a dual password system that is easily compromised and a permissions system that is wholly ineffective.
The problem with open passwords is that it only takes one person sharing them for the whole system to fall apart. Suddenly, you don’t know who has the password and who doesn’t, and there’s no way to retroactively change the password after a PDF has been shared. On top of this, the passwords need to be secure enough to be resistant to brute force and dictionary attacks, without being so secure that they’re impossible to remember. This is a difficult balance to strike and often leads to the reuse of passwords, reducing the point of failure to a single point.
The editing, copying, and printing permissions password, meanwhile, may as well not be there. It can be stripped by any number of tools, including online ones, with very little time or effort. All the user needs to know is the open password and how to google, and they can do whatever they like with the document. Even when the permissions are working correctly, they don’t prevent screenshotting – the first point of call for someone who can’t copy the file through other methods.
Secure deal rooms and board portals
A more effective option, you might think, is a secure deal/data room or board portal. These two solutions typically use the same or very similar underlying technology. As they’re specifically marketing at boards, you might think they’re very effective at preventing board documents from leaking or being stolen.
Unfortunately, the security usually leaves a lot to be desired. Generally, the way both of these solutions work is by allowing you to pay for dedicated, secure space on a remote server that requires a username and password to access. Once a user enters those credentials on a web portal, they’re granted access to the documents (or a specific set of documents) to read at their leisure.
The problem, of course, is that this system still relies on passwords, which means the same failings as above. On top of this, while board portals are probably better at preventing sharing, copying, and editing than Adobe PDF (which is basically useless), they’re still not very good. Because users’ access and interact with content via a web browser, there’s only so much that can be done.
For example, if you allow printing from a web browser, there’s no way for the browser to restrict the type of devices you can print to. As a result, somebody can print to a PDF rather than a physical copy, and therefore make a new, editable, distributable copy of your document.
More risk yet comes with the ability to inject third-party plugins and code into browsers. This can allow users to bypass the editing and printing restrictions applied to their accounts. Even if you trust all the users, this represents a security flaw, as an attacker with access to an account with restricted access may be able to extract documents when they otherwise wouldn’t be able to.
A better option than in this scenario is document DRM. Not only is it typically cheaper – it moves away from passwords entirely in favor of a more secure licensing-based system. By pairing strong encryption with a secure viewer application, it’s able to stop users from viewing a document unless they’ve registered a valid certificate on that specific device.
This system is far harder to bypass than a simplistic username-password combination, and that security extends to its editing and copying controls. A full document DRM will allow you to effectively cut out copying/pasting, editing, screen grabbing, and printing, while restricting documents to specific locations or devices.
The secretary can additionally apply expiry controls to a document – making it cease to function after a certain number of days, on a certain date, or after a specified number of views or opens.
Of course, it’s important to remember that no solution will be able to prevent copying entirely. The user can always take a picture of their screen with their phone or meticulously re-type every word. However, DRM typically incudes dynamic watermarking controls to mitigate this, clearly displaying a user’s name, email, and organization so that they can’t share without incriminating themselves.
Compared to the other solutions presented today, then, DRM is clearly the best choice. It’s not 100% guaranteed that it will stop every document from leaking, but it makes it hard enough and incriminating enough that the likelihood is much, much, lower.