hands on a keyboard with superimposed document and folder icons

Four Considerations for Secure Document Management

All organizations need to put security measures in place to protect their data. This is particularly important for nonprofits that manage sensitive or personally identifiable information. Depending on your mission area, you might have names, addresses, and medical records on file, as well as Social Security information and financial data. This information has the potential to make you a target for cyberattacks and also raises the stakes in the event of accidental data loss.

drawing of a woman sitting on a cloud using a laptop with a padlock symbol protecting it

Here are some ways to manage your document storage, access, and use securely while ensuring the smooth running of your daily operations.

1. Classification-Based Security

One key way to improve the security of your data is to add an identity management step before someone is able to access your files. One route is to incorporate multi-factor authentication (MFA) into your security processes. Google and Microsoft both have their own authenticator apps that you can link to your document management tools, and DocuSign has built-in functionality allowing you to require signers to confirm their identity via text, phone call, or app verification. Dropbox also allows you to require two-step verification at login, including compatibility with an authenticator app.

Most document management solutions allow you to create a classification scheme and tag your files. For example, you might tag some documents as "sensitive" or "confidential" or "internal-only." Many tools will enforce these access policies and send alerts if a policy is breached.

Another useful capability to have is a single sign-on (SSO) tool, which enables users to gain access to multiple systems using one login. This allows you to maintain tight security requirements without employees spending hours of their working week fulfilling those requirements. Okta offers, among other workforce identity management services, an SSO solution that enables you to significantly increase security from a user-friendly platform.

You can ensure that no unauthorized eyes can reach your documents by protecting them with a password. Adobe PDFs can be restricted with a certificate or password that users must provide before accessing the document. You can also create organizationwide protocols, so that security policies, encryption, and password protection are applied the same way each time.

2. Information Governance

As well as using security tools to protect your data, you can practice responsible information governance strategies to reduce the number of vulnerabilities in your network. One key element of this is to share your documents only with the people in your organization who need access to them. Another is to consider how your data is stored and how long you keep it for when it is no longer actively in use.

Privileged Access Management

By implementing sharing policies, and ensuring that all of your employees understand and follow them, you can restrict who has access to your documents. In Google Drive, for example, you can define access levels that allow some people edit access, some commenting access, and some view-only access.

To save time, you might want to create folders that are only shared with a select group. For example, if you handle clients' personal information, you can create a folder containing assessment forms, meeting notes, or any other sensitive data. This can be shared with only those in your organization who need access to these files. These kinds of policies protect you from data loss or theft by reducing the pool of people with access to the documents and, by extension, the opportunities for error or theft.

Many document management tools have similar capabilities. Box, in addition, allows you to set an expiration date on a document sharing link. It also has seven sharing roles with varying levels of viewing, sharing, and editing access, so you can assign everyone the level of access that they need.

Storage, Encryption, and Disposal

Creating organizationwide policies on where documents are stored and how long they are retained helps you to protect sensitive data.

Box encrypts every file you store, both at rest and in transit, and includes AI features that inform you when there is a risk of malware or other cybersecurity threats in your files. You can use this to identify and mitigate potential threats early-on, as well as noting how those threats entered your system. This ongoing evaluation helps you to create an increasingly secure system. You can also use it to set retention schedules, meaning that files will automatically be deleted after a time period you specify. For example, you might set a policy that triggers the deletion of a client file one year after they stop using your services.

Training

In order for data sharing and storage policies to be successful, you'll need to ensure that your staff has up-to-date understanding of them. You should also have regular training regarding general security best practices. Human error is one of the most common causes of a cybersecurity breach, and so your team should know how to spot the signs of an attempt at data theft. KnowBe4 offers comprehensive security and compliance training, ensuring that staff members act as a layer of protection against ransomware and other cybersecurity threats.

3. Data Backups

To protect you from data loss and cybersecurity attacks, it is crucial to back up your files. Following the 321 rule, you should have three copies of your files, in two different locations, at least one of which is offsite. Veritas is a backup and recovery solution that protects your physical and virtual environments against data loss.

For additional convenience, choose a tool that integrates directly with the platform you are backing up from. This makes it easier to automate your backup process, saving time and ensuring that you don't forget to create copies of your files. For example, DocuSign integrates with Box to keep up-to-date copies of your DocuSign files in Box, with robust security to ensure the safety of your data. Your backed-up files will retain access information and transaction history, and you can also correct or void files that have already been sent out. This allows you to quickly and securely recover individual files or your entire system in the event of a cyberattack or data loss.

4. Antivirus Protection

It's important to invest in robust antivirus software in order to protect yourself from data theft and disruption. It's also important to be careful about opening sensitive documents on public Wi-Fi unless you're using a VPN.

There are a wide variety of options for antivirus software, depending on the size and needs of your organization. NortonLifeLock allows you to protect up to 100 devices against malware, spyware, and other viruses and security risks. Avast CloudCare offers content filtering and antivirus, alongside patching services to help you identify and fix vulnerabilities in your network. Bitdefender is effective for both networked and non-networked devices and customizable features. Organizations that want to protect servers can make use of Bitdefender's GravityZone Business Security solution.

Make Data Protection Part of Your Operations

Your files that contain sensitive information are among your biggest vulnerabilities in terms of cybersecurity threats and data loss. Use the built-in security features in your document management solutions, as well as smart access and retention policies and external tools, to build watertight protection for your clients, volunteers, and staff.

Additional Resources

Top photo: Shutterstock