Securing finance documents

Those working in finance are in a difficult spot when it comes to documents. The information they handle is often very sensitive, but at the same time must be shared with multiple outside parties. There is no way around this, as investors, analysts, and auditors must be able to view the information to do their jobs.

The software community has long been selling solutions to make sharing documents easier. Cloud storage has become a mainstay in businesses in recent years, along with additional backup and synchronization services to maintain resilience.

Unfortunately, while they do this, and do it relatively well, few cloud storage services provide the tools to effectively protect documents during the sharing process. While SSL protects information in transit, it does nothing to address what the recipient can do with the document after it has been shared with them.

When personal data is being stored, often including things like criminal and healthcare records, this isn’t enough. With GDPR, ISO 27001, Safe Harbor, and more, it’s more vital than ever that companies adequately protect this data, and prevent it from being leaked or misused. Failing to make proportional and reasonable efforts to keep documents safe could lead to a hefty fine.

Document security solutions to avoid

Many document security solutions purport to keep documents safe, and there are several misconceptions about what kind of protection they provide. Perhaps the most misunderstood of these is encryption. Like SSL, strong encryption will protect your document in transit. It will also protect it before you send it, when it’s sitting on your PC.

The problem arises when your document reaches a recipient. They need some way to open it, which means you have to provide a method to decrypt it. This often comes in the form of a password (which can be guessed or intercepted), or a certificate (which comes with its own challenges). To make things worse, as soon as the recipient decrypts the document, it can be copied, shared with others, modified, or otherwise misused without your knowledge. Using encryption alone, therefore, is unlikely to appease regulators.

Adobe Acrobat encryption

Several paid solutions have surfaced as a result of this shortcoming. One that sounds promising initially is Adobe Acrobat, which on the surface appears to protect essential finance-related PDF files. The reality, sadly, is that while Acrobat delivers additional permissions on top of encryption to stop printing or copying, these permissions are trivially bypassed by simply opening the PDF on a platform that doesn’t enforce them. Worse, these permissions and Adobe’s encryption rely on passwords, which are cracked easily when short and hard to remember when complex. Due to flaws in the implementation of its encryption, it can also often be bypassed without entering the password via the use of paid password recovery tools.
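The permissions described above are stored as a bitmask (the /P entry of the PDF encryption dictionary, per ISO 32000-1) that the viewer reads and decides whether to honor. The following is an added example, not part of the original article: it decodes that value so an auditor can list which restrictions a document merely requests of its reader. The function names and the sample fragment are constructed for illustration.

```python
import re

# Permission bits of the PDF standard security handler (ISO 32000-1, Table 22).
# Bit positions are 1-based; a set bit means the action is allowed.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy_extract",
    6: "annotate",
    9: "fill_forms",
    10: "extract_accessibility",
    11: "assemble",
    12: "print_high_quality",
}

def decode_permissions(p_value):
    """Map the signed 32-bit /P integer to {action: allowed}."""
    flags = p_value & 0xFFFFFFFF  # two's-complement view of the signed value
    return {name: bool(flags & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}

def audit_pdf(data):
    """Return the restrictions a PDF requests of its viewer, or None if absent."""
    # Simplification: scans raw bytes instead of parsing the PDF object graph.
    if not re.search(rb"/Filter\s*/Standard\b", data):
        return None
    # Match "/P <int>" but not an indirect reference such as "/P 12 0 R".
    match = re.search(rb"/P\s+(-?\d+)\b(?!\s+\d+\s+R)", data)
    if match is None:
        return None
    perms = decode_permissions(int(match.group(1)))
    return {
        "p_value": int(match.group(1)),
        "denied": sorted(n for n, ok in perms.items() if not ok),
        "allowed": sorted(n for n, ok in perms.items() if ok),
    }

# Constructed encryption dictionary fragment (not from a real document).
SAMPLE = b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 >>\nendobj\n"

if __name__ == "__main__":
    report = audit_pdf(SAMPLE)
    print("restrictions requested of the viewer:", report["denied"])
```

Every entry in the "denied" list is a request to the viewing software, so a document inventory that relies on these flags for control should be treated as unprotected once the file can be opened.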

Secure data rooms

So-called secure data rooms are admittedly a step up from this, but not a big one. The idea of a secure data room is that a company rents dedicated server space for sharing documents with outside clients. Access typically requires a password, which can be paired with additional security such as IP address monitoring or two-factor authentication.

This system still presents several problems, though:  

  1. Typically, multiple users can log in with the same credentials — meaning login information can be shared with an outside party. 
  2. Usually, documents are decrypted on the server and then passed to the recipient using SSL. As browsers store temporary files, it’s possible that the end-user will be able to access a decrypted version of the document in the cache. 
  3. Finally, there isn’t any software on the recipient’s PC to enforce additional controls. Browsers alone struggle to protect against copying via printing to a file or screen grabbing, meaning that information can still be taken outside of your “secure” environment with ease.

All of this doesn’t even mention the usability problems of such a solution, like users needing to be online.

Is document DRM the answer?

Instead of utilizing Adobe encryption or a secure data room, financial advisors should consider a document DRM solution. DRM solutions provide a major advantage in that they protect the document not just in transit and at rest, but after the document has been opened by the recipient.

Through a combination of secure viewer applications, licenses, and strong encryption, document DRM solutions can provide the following functionality:

  • Copying, editing, and printing protection
  • Screengrab prevention
  • Expiry and self-destruct mechanisms based on opens, prints, or time
  • Dynamic watermarks to identify and dissuade sharing by recipients
  • Locking to a specific device or location
  • Document tracking for printing, viewing, location, and more
  • API for automatic protection and delivery
  • No passwords or certificates to manage

Does a DRM solution make it impossible for an attacker to gain access to financial documents? No. DRM is designed to protect documents after the creation process and does little to protect them during it. However, DRM solutions are likely the best bet when it comes to protecting documents that are leaving your organization. In combination with good general security practices and other solutions, they can drastically reduce the chance that personal information will leak, and they represent a clear effort to protect customers’ and the business’s data.