hands on a keyboard with superimposed document and folder icons

Four Considerations for Secure Document Management

All organizational leaders need to put security measures in place to protect data. This is particularly important at nonprofits where sensitive or personally identifiable information is managed. Depending on your mission area, you might have names, addresses, and medical records on file, as well as Social Security information and financial data. This information has the potential to make you a target for cyberattacks. It also raises the stakes in the event of accidental data loss.

drawing of a woman sitting on a cloud using a laptop with a padlock symbol protecting it

Here are some ways to manage your document storage, access, and use securely while ensuring the smooth running of your daily operations.

1. Classification- and Access-Based Security

A key way to improve your data security is to add an identity management step before someone is able to access your files. One route is to incorporate multi-factor authentication (MFA) into your security processes. Google and Microsoft both have their own authenticator apps that you can link to your document management tools. DocuSign has built-in functionality allowing you to require signers to confirm their identity via text, phone call, or app verification. Dropbox and Box also allow you to require two-step verification at login, including compatibility with an authenticator app.

Most document management solutions allow you to create a classification scheme and tag your files. For example, you might tag some documents as "sensitive" or "confidential" or "internal-only." Many tools will enforce these access policies and send alerts if a policy is breached.

Another useful capability is a single sign-on (SSO) tool, which enables users to gain access to multiple systems using one login. This allows you to maintain tight security requirements without employees spending hours of their working week fulfilling those requirements. Okta offers, among other workforce identity management services, an SSO solution that enables you to significantly increase security from a user-friendly platform.

You can ensure that no unauthorized eyes can reach your documents by protecting them with a password. Adobe PDFs can be restricted with a certificate or password that users must provide before accessing the document. You can also create organizationwide protocols, so that security policies, encryption, and password protection are applied the same way each time.

2. Information Governance

As well as using security tools to protect your data, you can practice responsible information governance strategies to reduce the number of vulnerabilities in your network. For example, share your documents only with the people in your organization who need access to them. Also consider how your data is stored and how long you keep it for when it is no longer actively in use.

TechSoup recommends implementing a data retention policy.

Privileged Access Management

By implementing sharing policies, and ensuring that all of your employees understand and follow them, you can restrict who has access to your documents. In Google Drive, for example, you can define access levels that allow some people edit access, some commenting access, and some view-only access.

To save time, you might want to create folders that are only shared with a select group. For example, if you handle clients' personal information, you can create a folder containing assessment forms, meeting notes, or any other sensitive data. This can be shared with only those in your organization who need access to these files. These kinds of policies protect you from data loss or theft by reducing the pool of people with access to the documents and, by extension, the opportunities for error or theft.

Many document management tools have similar capabilities. Box, in addition, allows you to set an expiration date on a document sharing link. It also has seven sharing roles with varying levels of viewing, sharing, and editing access, so you can assign everyone the level of access that they need.

Storage, Encryption, and Disposal

Creating organizationwide policies on where documents are stored and how long they are retained helps you to protect sensitive data.

Box encrypts every file you store, both at rest and in transit, and includes AI features that inform you when there is a risk of malware or other cybersecurity threats in your files. You can use this to identify and mitigate potential threats early-on, as well as noting how those threats entered your system. This ongoing evaluation helps you to create an increasingly secure system. You can also use it to set retention schedules, meaning that files will automatically be deleted after a time period you specify. For example, you might set a policy that triggers the deletion of a client file one year after they stop using your services.


You'll need to ensure that your staff has up-to-date understanding of policies for data sharing and storage to be successful. You should also have regular training regarding general security best practices. Human error is one of the most common causes of a cybersecurity breach, and so your team should know how to spot the signs of an attempt at data theft. KnowBe4 offers comprehensive security and compliance training, ensuring that staff members act as a layer of protection against ransomware and other cybersecurity threats.

3. Data Backups

To protect you from data loss and cybersecurity attacks, it is crucial to back up your files. Following the 321 rule, you should have three copies of your files, in two different locations, at least one of which is offsite. Veritas is a backup and recovery solution that protects your physical and virtual environments against data loss.

For additional convenience, choose a tool that integrates directly with the platform from which you are backing up. This makes it easier to automate your backup process, saving time and ensuring that you don't forget to create copies of your files. For example, DocuSign integrates with Box to keep up-to-date copies of your DocuSign files in Box, with robust security to ensure the safety of your data. Your backed-up files will retain access information and transaction history, and you can also correct or void files that have already been sent out. This allows you to quickly and securely recover individual files or your entire system in the event of a cyberattack or data loss.

4. Antivirus Protection

It's important to invest in robust antivirus software to protect yourself from data theft and disruption. It's also important to be careful about opening sensitive documents on public Wi-Fi. Using a virtual private network (VPN) greatly minimizes risks.

There are a wide variety of options for antivirus software, depending on your size and needs. NortonLifeLock allows you to protect up to 100 devices against malware, spyware, and other viruses and security risks. Avast CloudCare offers content filtering and antivirus, alongside patching services to help you identify and fix vulnerabilities in your network. Bitdefender is effective for both networked and non-networked devices and customizable features. Organizations that want to protect servers can make use of Bitdefender's GravityZone Business Security solution.

Make Data Protection Part of Your Operations

Your files that contain sensitive information are among your biggest vulnerabilities in terms of cybersecurity threats and data loss. Use the built-in security features in your document management solutions, as well as smart access and retention policies and external tools, to build watertight protection for your clients, volunteers, and staff.

Additional Resources

Top photo: Shutterstock