So you’re thinking of digitizing your paper files. How will your information security be impacted?
Before we can answer that question, we have to be exact about what “information security” really means. Security, control over your information, is about controlling who can get it, and making sure you can access it when you need it. In other words, security = confidentiality + preservation.
If sensitive information is at risk of being stolen or leaked, then it’s not confidential, and not secure.
If important information is at risk of being lost or destroyed, then it’s not protected, and not secure.
Secure information is protected from both unauthorized access and damage or loss.
How will converting your paper files to digital change your ability to protect them from theft or loss?
Right now, your physical files are stored in one place, and if anyone wants to access the information they contain, they’ll have to get their hands on them. When someone who’s authorized to access them needs to, they’ll need to go to where the files are or bring them along.
If someone who isn’t supposed to can get their hands on the files, they can steal your information, and you may never know. Worse, they could steal the physical file, depriving you of access to the information (unless you made a backup).
The upside is that if you do control who can get their hands on your files, then there’s no way for anyone to get unauthorized access. Storing sensitive documents in a safe or behind a locked door and controlling who can get through leaves thieves no way to get your information. By controlling proximity, you control access.
In terms of damage or loss of access, keeping your files in a controlled, weather-proofed storage location will ensure that flooding, water leaks, hostile temperatures, or physical damage don’t wreck your files. Unless your files need strict temperature and humidity controls (e.g. old paper documents, film, photographs, etc.), you won’t have to depend on electricity or an internet connection to preserve them or access the information they contain. Physical damage is your only concern.
How will your concerns change if you make the information digital?
For one, you won’t really have to worry about storage space anymore. The storage efficiency of digital technology is so much better than physical files that it’s hard to wrap your mind around. The last post talked about how a single, one-terabyte hard drive can store around 83 million pages of text. To give a sense of scale, all those pages (printed double-sided, on 0.05mm thick paper) stacked up together would be over two kilometres tall, more than three times the height of the tallest building in the world. Conversely, a one-terabyte external hard drive can probably fit in your coat pocket.
But we’re talking about security, not convenience; why is storage efficiency relevant? Well, the space occupied by your important files is space that you need to protect. If your physical files take up 1000 sq ft of storage space, that’s 1000 sq ft that you need to protect from unauthorized access and environmental hazards like flooding. A smaller space means less to protect, so smaller costs and smaller risks. That 1 TB external hard drive can fit in a small safe or strongbox, making it much easier to secure against bad actors than 83 million physical paper pages.
Storage efficiency also helps with preservation, because it makes creating and storing duplicates easier. If you’ve got 83 million pages of paper documents to preserve, any duplicates you make for posterity will take up just as much space (not to mention costing a huge amount of money and time to print).
Or you could copy the digital files from one hard drive to another, which, depending on the processing speed of your computer, should only take a few minutes. Then you have a complete backup drive, ready to go when you need it, and small enough to conveniently store almost anywhere. Instead of having to build a new locked storage space for filing cabinets, just get another safe or strongbox, place the backup drive inside, and move it somewhere else. It’s that easy.
But digital storage has other benefits too: password protection, encryption, and access tracking. Assuming your drive is connected to a computer so you can view the files, password-protected user accounts let you record who’s gotten access to a file, making access by members of your organization more accountable.
Encryption lets you password protect the files themselves. Even if a drive or a user account password is stolen, the files will be useless without knowing the decryption key. Now proximity isn’t the only factor determining access; people need permission, or the technical aptitude to bypass permission controls.
But what about the internet?
This kind of digital storage is great for files you won’t need to access very often, but it doesn’t let you capitalize on one of the greatest benefits of digitization: instant connection via the internet. If your files aren’t just archives, you’ll probably need to share them occasionally, either with members or partners of your organization.
If everyone’s in the same place, this can be done through isolated intranet servers that let multiple computers access the same hard drives. But if your organization isn’t just localized to one facility, or if you need to share files with partners that can’t come by on short notice to pick up a hard drive, you’ll need to be able to access the internet.
Connecting your data storage to the internet presents serious risks. Now that you’re connected, bad actors looking to steal or meddle with your information don’t even have to be physically present to do so. All they need is sufficient aptitude with programming and they can bypass any account protections you put in place or use automated software to brute-force your passwords.
You aren’t completely vulnerable though. A competent I.T. team will know how to minimize cybersecurity risks. Adopting strong antivirus software, frequently changing passwords, and minimizing or eliminating the use of insecure storage devices like thumb drives are all effective and low-cost measures for mitigating risk from online cybersecurity threats.
Encryption is another great way to reduce the risk because it means that even if someone can bypass all of your other cybersecurity measures, they’ll still need to know the decryption key before they can get your information.
Finally, requiring your organization’s members to complete training about good cybersecurity practices and principles will help protect you from phishing attacks and risky online behaviours (e.g. sending sensitive information with insecure emails, visiting or downloading from insecure sites, etc.).
But no cybersecurity is perfect. Exploring the risks and benefits of every available cybersecurity practice or software is well beyond the scope of this post, but it’s important to remember that there’s no way to be 100% sure when it comes to online information security. The field of cybersecurity is incredibly competitive and always changing. This is because cybersecurity professionals and practices are locked into a constant struggle with cyber criminals trying to steal information.
Keeping your internet-connected information as safe as possible means competing for extremely high-demand, industry-leading I.T. professionals, and being able to change your digital infrastructure and practices rapidly and frequently. The closer you get to perfect cybersecurity, the more difficult and expensive it gets to keep improving.
Perfect cybersecurity is impossible, and the next best thing can be very expensive. And even if your protection is as good as possible, just one breach can still compromise enormous amounts of information.
How do I know what level of risk is acceptable for my organization?
For most organizations, it’s more reasonable to simply accept that internet-connected data storage will always have some degree of risk. Your organization will need to decide what level of risk is acceptable and cost-effective for its specific needs and circumstances. Though a full guide on cybersecurity practices is beyond the scope of this post, you should consider two broad factors in any cost-benefit analysis: the likelihood of being targeted, and the cost to your organization if an attack is successful.
How much of a target are you? Though thinking of your information as unsecured may be uncomfortable, any money and time spent on cybersecurity you don’t need is time and money wasted. If your organization and its data are not likely to be seen as a high-profile target, you don’t need to worry as much. But what makes you a high or low-profile target? Here’s a non-exhaustive list of some important factors to consider:
- How visible is your organization? – Less well-known organizations have less to fear from online hackers or malware for the simple reason that fewer people know they exist. This means that small businesses or businesses that don’t interact with the public very much are less likely to be targeted by cybercriminals.
- How big is your organization? – Bigger business means bigger budgets, thus, a bigger payout for cybercriminals. Even if an organization isn’t very publicly visible (e.g. industry-facing parts manufacturers), financially motivated cyber criminals will always look for big payouts. Even if they don’t or can’t directly steal your money, a ransomware attack can cost you millions of dollars. Cybercriminals expect that organizations with more money will be able to pay bigger ransoms and that they may even be more likely to pay large ransoms since the amount demanded represents a smaller portion of their revenue.
- How many people do you employ? – In terms of information security, every employee that does their job using the internet is a potential point of failure. Phishing attacks are becoming increasingly common and sophisticated, and many people don’t know how to differentiate between deceptive and genuine correspondence over email. It’s not their fault, of course; not everyone has the time to familiarize themselves with cybersecurity news and practices. That’s what the folks in I.T. are for. Every employee is likely to be a target sooner or later, so it’s vitally important to educate your workforce against these kinds of imitative attacks.
- How important is your information to the world? – The more a piece of information matters, the more it will sell for on the black market. If your organization handles critically important files or data (e.g. SIN numbers, banking information, etc.), you’re likely to be a target regardless of your size or public visibility.
How important is information security to your business model? In economic terminology, Risk = Cost x Probability. If you’re a likely target, your probability of a cybersecurity breach is higher, but the cost depends on the nature of the information, as well as the importance of information security to your clients. Of course, any information entrusted to your organization as part of its business is important, and ought to be protected. But security breaches can be more costly for some businesses than others.
Anytime a financial institution has a digital security breach, people lose money, and the bank loses clients and reputation as a result. A non-profit organization that can’t safeguard confidential information will likely lose funding, donors, and reputation, and so be less able to accomplish its mission.
The information collected by other businesses may not be as important, however, and so a cybersecurity breach wouldn’t be as devastating to their bottom line. Even if your organization’s probability of being targeted by cybercriminals or automated malware is low, if the cost associated with a security breach is unacceptable, you’re better off taking every precaution you can afford. Ask yourself “How would our clients/donors/constituents feel if we couldn’t protect their information?”
So, what does this all mean?
We started out by asking what digitization of your paper files will do for your information security. The answer to that question depends on how you choose to store the newly digitized information and how well you protect it.
Let’s assume you’re going to take good care of your data. It’s a fair assumption, since you cared enough about it to read this far, and since information security is important to any organization that uses digital technology. This means employing (and listening to) competent I.T. professionals, taking reasonable precautions with local and online digital information, and providing your employees with some degree of training on good digital security practices. Anywhere you can improve security while remaining cost-effective, you do.
As for the choice of storage, which kind you choose will depend on your priorities. Almost every organization in the digital age needs to have some degree of internet connectivity, so you’ll probably need connected storage systems.
However, adopting a hybrid storage model where/when possible can give you peace of mind. Hybrid storage just means having both isolated and connected storage systems at the same time. Files that you don’t need to access very often, or that you cannot afford to risk, can be stored on an isolated drive or server so that there’s no chance of losing the cybersecurity race against hackers or malware.
In order to keep the isolated storage truly isolated, you have to tightly control who can bridge the gap between the isolated and connected systems, and how. The fewer members of your organization who can do this, the easier it will be to ensure it remains secure. Members given this responsibility should have a decent working knowledge of cybersecurity risks, and be rigorously vetted to make sure they’re trustworthy.
The way the bridging happens also needs to be strictly controlled. Momentarily opening up a direct connection from an internet-connected server to an isolated server is out of the question, no matter how brief that connection is, because undetected malware can implant itself or send messages across that gap nearly instantly. If your information is important enough to put on an isolated server, then it’s just not worth the risk.
Instead, using a secure external storage device to ferry files from one drive to another, only by those qualified and authorized members discussed earlier, is the safer way to go. If you want to be extra careful, you could maintain strict digital hygiene by requiring these members to check the ferry device for malware on a trusted machine between every use.
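One way to back the ferry procedure above, and the earlier backup-drive copy, with a concrete check is to compare a SHA-256 manifest of the approved files with what actually arrives on the device or backup drive. This is an added example, not part of the original post; the function names, folder layout and file names are constructed for illustration, and the check complements the malware scan rather than replacing it.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            manifest[rel] = "symlink"  # flag links instead of following them
        elif path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare(expected, actual):
    """List files that are missing, altered or unexpected versus the approved set."""
    shared = expected.keys() & actual.keys()
    return {
        "missing": sorted(expected.keys() - actual.keys()),
        "altered": sorted(name for name in shared if expected[name] != actual[name]),
        "unexpected": sorted(actual.keys() - expected.keys()),
    }


def demo():
    """Constructed sample: an approved source folder versus a ferry device."""
    with tempfile.TemporaryDirectory() as tmp:
        source, ferry = Path(tmp, "source"), Path(tmp, "ferry")
        for folder in (source, ferry):
            (folder / "scans").mkdir(parents=True)
        (source / "scans" / "contract.pdf").write_bytes(b"page one")
        (source / "scans" / "ledger.pdf").write_bytes(b"page two")
        (source / "scans" / "deed.pdf").write_bytes(b"page three")
        (ferry / "scans" / "contract.pdf").write_bytes(b"page one")  # intact copy
        (ferry / "scans" / "ledger.pdf").write_bytes(b"page tw0")    # altered copy
        (ferry / "unlisted.exe").write_bytes(b"not approved")        # extra file
        return compare(build_manifest(source), build_manifest(ferry))


if __name__ == "__main__":
    print(demo())
```

Build the expected manifest on the machine where the files were approved and carry it separately from the ferry device, so that a tampered device cannot also supply its own manifest.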
So, the final answer to the question “Will digitizing my files increase my information security?” is yes, if you maintain good digital security protocols and use internet-isolated storage where possible.
For businesses like Consentia, a single information security breach could compromise an entire contract, not to mention the relationship with the client. That’s why we take every step we can to make sure that the only people who ever get access to our clients’ information are the clients themselves.
When you give us your sensitive or confidential physical files for scanning, we make sure they stay locked behind two different locked doors at all times. All of our employees have passed criminal record checks and signed NDAs, and are also just people we know we can trust. Any and all cameras, including cell phones, are not allowed near physical documents. Any non-employees who come to the office are signed in when they arrive, supervised throughout their entire visit, and signed out when they depart.
Our digital storage system, as well as any conversion process involving a computer, runs on an air-gapped server, completely isolated from the internet. Employees working on your data have password-protected user accounts, so access is only provided to authorized employees, and can be traced back to the individual.
We are committed to ensuring your files stay safe and confidential the whole time they’re in our care. For secure digitization services you know you can trust, choose Consentia.