Around the world, companies are making big investments in digitalising their customer touchpoints, internal processes and IT infrastructure. They know that digital processes make their work faster as well as more efficient and convenient. But alongside these advantages, there’s the growing threat of cyber-attacks as companies are increasingly becoming a target for cyber-criminals. Hacker attacks often cause significant material and non-material damage to firms due to espionage, data theft or sabotage. And hackers don’t only focus on infrastructure-related enterprises like energy utilities, banks, airports and mobility firms – they’re increasingly targeting smaller companies too.
And businesses need to manage internal risks just as much as the external ones. It’s all too easy to send a report to the wrong person by mistake or send out unpublished financial results in an unprotected email. Considerable losses can also be caused by carelessness, a lack of awareness and human error. That’s why all companies should make the protection of their confidential data and documents a major priority.
LET’S LOOK AT THE VALUE OF INFORMATION
Information doesn’t have universal value like money – instead, its value can be measured by the damage to a business when data is lost.
According to a study by Germany’s digital trade association Bitkom, cyber-attacks on German firms caused losses totalling €43.3 billion in 2018 alone. A large part of that was ascribed to the loss of customer and supplier goodwill, negative media reports and violations of patent laws. This shows that the danger has reached an acute level and prevention measures are absolutely essential.
WHAT NEEDS TO BE PROTECTED?
Corporate information comes in several types that you can differentiate according to their importance and relevance to your business processes. Before you choose concrete protection mechanisms, it’s a good idea to classify all your data into the typical levels: public, internal only, confidential and strictly confidential. These levels make it easier to estimate the potential damage if the data fell into the wrong hands, and they let you tie a defined set of controls to each level rather than deciding case by case.
For example, information like tender documentation or internal audit reports, typically classified as confidential, might cause damage in the range of €10,000 to €1 million if it were lost or stolen. For this level, encryption or storage in a secure dataroom is an appropriate protection mechanism, especially if you plan to share the documents with external business partners. Data categorised as strictly confidential includes things like clinical studies and formulations, which can embody a company’s core know-how, so the losses can easily exceed a million euros. Documents and data at this level should therefore always be kept in a dataroom with highly restrictive access permissions.
Every company has its own risk management system that defines the confidentiality categories and how each one is protected. And the protection of personal data usually goes through a similar categorisation process, as health or credit card data needs to be handled much more carefully than a person’s first and last names.
HOW IS YOUR DATA PROTECTED?
When you’re looking at which data protection measures you need to implement, you’ll find that technical measures play a major role – things like secure document management and collaboration solutions as well as encryption. The basic principle is that confidential documents are kept in a secure digital dataroom, while authorised users across several departments or companies can still view, edit and distribute them. Functions like adding a unique ID and a watermark to each document give you the traceability you need: a copy that turns up outside the dataroom can be tied back to the document and the user it was issued to. And if the solution allows configurable permissions, you can grant the right to view, edit, print or download a document per user instead of all or nothing.
While you’re defining your protection measures, it’s a good idea to regulate your employees’ access to documents outside as well as inside the dataroom. Ideally, you’ll do this in accordance with the need-to-know principle: not all staff members need access to all your company’s information, so grant access only where a person’s role requires it and deny everything else by default.
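The following is an added example, not code from the original article or from any dataroom product, that shows how the three ideas above fit together in an authorisation check: a classification level that caps what anyone may do with a document, a need-to-know check based on project membership, per-user grants for individual actions, and an audit entry plus a per-recipient watermark built from the unique document ID. The classification ceilings, action names, project names and the sample documents and users are all constructed for illustration.

```python
"""Classification-driven, deny-by-default access check with a traceable
per-recipient watermark.  Added example; all policy values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Set


class Classification(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    STRICTLY_CONFIDENTIAL = 3


# Ceiling on what ANY user may do with a document of a given level, applied on
# top of individual grants.  Constructed policy: confidential material stays in
# the dataroom (no download), strictly confidential material is view-only.
CLASS_CEILING: Dict[Classification, Set[str]] = {
    Classification.PUBLIC: {"view", "edit", "print", "download"},
    Classification.INTERNAL: {"view", "edit", "print", "download"},
    Classification.CONFIDENTIAL: {"view", "edit", "print"},
    Classification.STRICTLY_CONFIDENTIAL: {"view"},
}


@dataclass(frozen=True)
class Document:
    doc_id: str                     # unique ID used for traceability
    classification: Classification
    project: str                    # need-to-know scope the document belongs to


@dataclass(frozen=True)
class User:
    name: str
    projects: FrozenSet[str]             # projects the user is assigned to
    grants: Dict[str, FrozenSet[str]]    # doc_id -> actions explicitly granted


def authorize(user: User, doc: Document, action: str, audit: List[dict]) -> bool:
    """Return True only if every check passes; every decision is logged."""
    reason = "ok"
    if action not in CLASS_CEILING[Classification.PUBLIC]:
        reason = "unknown action"             # anything not modelled is denied
    elif doc.project not in user.projects:
        reason = "no need-to-know"            # not on the project: no access at all
    elif action not in user.grants.get(doc.doc_id, frozenset()):
        reason = "not granted"                # no explicit grant for this document
    elif action not in CLASS_CEILING[doc.classification]:
        reason = "exceeds classification"     # grant is broader than the level allows
    allowed = reason == "ok"
    audit.append({"user": user.name, "doc": doc.doc_id, "action": action,
                  "allowed": allowed, "reason": reason})
    return allowed


def watermark(secret: bytes, doc: Document, user: User) -> str:
    """Per-recipient mark binding the document ID to the user it was issued to."""
    tag = hmac.new(secret, f"{doc.doc_id}|{user.name}".encode(), hashlib.sha256).hexdigest()[:16]
    return f"{doc.doc_id} issued to {user.name} [{tag}]"


def verify_watermark(secret: bytes, mark: str) -> bool:
    """Re-derive the tag from the visible fields; an edited name or ID fails."""
    try:
        head, tag = mark.rsplit(" [", 1)
        doc_id, name = head.split(" issued to ", 1)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{doc_id}|{name}".encode(), hashlib.sha256).hexdigest()[:16]
    return hmac.compare_digest(expected, tag.rstrip("]"))


def demo() -> List[dict]:
    """Constructed sample: one confidential tender, one strictly confidential formula."""
    tender = Document("TND-0042", Classification.CONFIDENTIAL, "tender-2024")
    formula = Document("FRM-0007", Classification.STRICTLY_CONFIDENTIAL, "rnd-lab")
    alice = User("alice", frozenset({"tender-2024"}),
                 {"TND-0042": frozenset({"view", "print", "download"})})
    bob = User("bob", frozenset({"sales"}),
               {"TND-0042": frozenset({"view"}), "FRM-0007": frozenset({"view"})})
    audit: List[dict] = []
    for user, doc, action in [(alice, tender, "view"), (alice, tender, "print"),
                              (alice, tender, "download"),   # denied: level ceiling
                              (bob, tender, "view"),         # denied: not on project
                              (bob, formula, "view")]:       # denied: not on project
        authorize(user, doc, action, audit)
    return audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
    print(watermark(b"dataroom-secret", Document("TND-0042", Classification.CONFIDENTIAL, "tender-2024"),
                    User("alice", frozenset({"tender-2024"}), {})))
```

The order of the checks matters: need-to-know is evaluated before individual grants, so a grant that an administrator forgot to revoke cannot outlive a person’s project membership, and the classification ceiling is evaluated last so that an over-broad grant (alice’s "download" on a confidential tender) is still refused. The audit record carries the reason for every decision, which is what an investigation needs when a document does surface where it should not.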
Written by Birgit März
Compliance, Information Security