Document Security — Does Your Security Policy Protect Digital and Physical Documentation?

Disclaimer: As there are books about document/data security, consider the following as an introduction. Discuss the points raised and estimate how your company would be rated if tested by an ethical hacker or penetration tester. Perhaps you might want to hire a penetration testing company to evaluate your digital and on-premise security?

Digital transformation is simplified as the aim to eliminate paper-based documents and go ‘fully digital’. As much as we would like to, it’s generally impossible to achieve a paperless office. Barriers include financial, accounting, legislative and compliance requirements that require retention of original paper documents for a specified number of years. Some industries (legal, for example) have yet to make all their processes digital and physical form-filling is common in many situations. Therefore, any worthwhile security policy must consider both physical paper-based documents and their digital counterparts.

How can companies ensure adequate protection of physical and digital files? What are the common attack vectors involved? Does your security policy consider remote and onsite attacks?

Risk Management

The first step in creating a security policy is to identify risk. Attack vectors include but are not limited to:

  1. Remote hacking – Industry best practices recommend a comprehensive cybersecurity strategy. Many companies use industry standards such as HIPAA as a guideline. Recent requirements in Europe in relation to data privacy (such as the GDPR) also force a strategy as part of compliance. The key message is that companies are responsible (and can be penalised) for failing to protect data adequately as most jurisdictions have corresponding data privacy regulations, especially for medical and financial data and any other personally identifiable information (PII).
  2. Internal threats – disgruntled employees are a viable attack vector. In addition, employees can unwittingly allow a hacker to breach your network after falling victim to phishing, ransomware or other remote attack based on social engineering techniques.
  3. A combination of the above – where the remote attacker has a willing accomplice onsite.
  4. Decommission, donation, recycling or theft of onsite equipment such as PCs, laptops, smartphones optical media, hard drives and memory cards can all introduce risk. This is true because even when wiped, forensic techniques can successfully recover data.
  5. Insecure storage areas – when filing cabinets and digital backups can be accessed by anyone.
  6. Sharing – consider the numerous ways we can share or capture data. Our smartphones can act as personal computers, take photos, share via chat program, upload to any number of free cloud storage providers, share on social networks and, of course, use the internal storage of the phone to store files for later review. Shadow IT, where users install their own unauthorised programs, could also allow dispersal of confidential data.
  7. Security Updates and Patches – Prompt updates prevent hackers from exploiting security vulnerabilities. Best not to ignore them.

Okay, so now you have an idea of the potential threats. It’s worth noting that hackers will take the easiest route to acquire data. In film and TV, sophisticated hackers acquire passwords and systematically break through all cybersecurity defenses, but the reality is very different. It’s much easier to hack the user or use ‘low-tech’ or ‘no-tech’ methods than breach firewalls and other security features.

Social Engineering

As reported in MeriTalk, citing ISACA’s survey STATE OF CYBERSECURITY 2019, PART 2,  cyber threats remain consistent but have increased in volume in 2019, with the top three most prevalent attacks coming from cybercriminals, hackers and non-malicious insiders. All three accounted for 70 per cent of all attacks reported by survey respondents. 44% said phishing was the most common attack, 31% said malware and 27% claimed social engineering was most prevalent.

However, since phishing is a form of social engineering, and malware creators often use social engineering techniques to fool the user, the truth is that social engineering of the human factor is the most lucrative option for any hacker. We are the weakest links in any security system.

How to Protect All Your Files

Firstly, be paranoid. Then, be very paranoid. Be aware that the size of your company does not matter. You may be in an industry attractive to hackers or be a client or supplier of a target company. In addition, it’s generally a numbers game, with cybercriminals, hackers and wannabe hackers all launching volume attacks using easily acquired tools and hacking packs. Being a hacker doesn’t necessarily mean you need skills. The “as-a-service” model also applies to the hacking community and on the Dark Web, you can acquire all you need to start hacking. Clearly, to protect your files and documents, a detailed security policy is necessary or perhaps, different security policies for each process. The SANS Institute offers a wide variety of free security policy templates that can be personalised for your company, which saves time in policy creation.

I’ll save you some more time… Assume that your company is a viable target and protect files and documents accordingly. The following is not an exhaustive list but will offer some suggestion to enhance your security posture and protect confidential data.

  • Identify potential risk and create the appropriate security policies.
  • Ensure OS and software updates are promptly installed. Likewise, security patches and firmware updates if appropriate.
  • Use antivirus, malware and spyware tools.
  • Use permission/user management to control data access. The aim is to prevent unauthorised data access.
  • Use device level monitoring to prevent the install of unauthorised software (shadow IT) and ensure all company-owned mobile devices have a remote wipe feature if lost or stolen.
  • Ensure security awareness training is an ongoing process, where users are informed of the latest attack methods. Basics include not clicking on links within emails from unknown parties.
  • When disposing of equipment, ensure data is destroyed by sending to a certified recycling company. Ensure data recovery is not possible by shredding or incinerating the device.
  • When disposing of paper-based documents, fine cross-cut shredding or incineration is best. Low-tech hackers are not above searching rubbish bins for clues.
  • Ensure non-employees cannot sneak onto your premises.
  • In public areas, be aware that shoulder-surfing (looking over your shoulder) is possible. It’s an easy way to gather info directly from your screen. Similarly, visual hacking is a threat, with smartphone cameras allowing easy capture of information.
  • Confidential documentation should be locked away, with on-premise security essential.
  • Consider the many ways files are shared online and aim to restrict as many as possible. Some companies operate using a whitelist of essential websites, blocking any that allow sharing of data.
  • Protect your hardware – Some companies use tamper evident labels to prevent low-tech hacking using memory sticks, cards and other solutions to directly acquire data from target systems.
  • Consider Wi-Fi access. Do you allow guest access or segregation from your network or even prevent it entirely?
  • In electronic manufacturing, all employees and visitors are scanned with a wand (just like in the airport) and must store all electronic devices in a provided locker before access is granted. Is this worth considering?
  • Social Media – Ensure employees are aware that social media info posted is often used in convincing spear phishing campaigns. Never post anything that will aid social engineering or disclose company workings, even something as innocuous as a planned vacation or lunch times can help a hacker.
  • Encryption and password management – both are highly recommended. It’s also important to remove data access promptly if an employee leaves the company.

By no means a complete list, but still difficult to implement securely. NOW consider how difficult it is to prevent against an insider threat, when that user already has access to your network…

In conclusion, cybersecurity is an ongoing process, but it is very important that paper-based documents are also considered. Ensure printouts and other files are disposed of correctly and not thrown out with the general rubbish. Security awareness is not limited to cybersecurity but must also consider real-world activities such as copied ID cards, premises security and storage and disposal of physical documents. Penetration testing is a worthy exercise that will highlight any insecure areas in your organisation. With the number of data breaches increasing each year, ethical hackers can identify problems and close off any vulnerabilities. How confident are you that all documents are secure?