Hardly a day goes by where a retailer or online service provider is not breached by hackers or that a popular software has a security vulnerability. Recently we saw a few more high-level IT system security breaches and vulnerabilities. eBay, the online auction site, was the victim of a security breach and WordPress, the popular, widely-used content management and blogging platform was found to have a security vulnerability. It’s no wonder, then, that security is on many peoples’ minds – even non-IT people are concerned about it.
In past posts we’ve discussed security considerations and concerns related to document management systems, mainly with regard to using cloud-based systems. Security for those systems generally centers around encryption and permissions. To increase security, some services provide two-factor authentication, which uses a user’s mobile phone or other device to provide a time-limited secondary password or key. Incidentally, the WordPress vulnerability allowed attackers to bypass two-factor authentication.
But these strategies are only useful when the information is already in the system. What about security for the process of getting the data into the system in the first place? A recent post on the Document Imaging Talk blog details some security concerns surrounding data entry as well as some mitigation strategies.
The security problem with data entry is basically that people are involved. Whether it’s someone who is actually keying in the data, or someone who is verifying data that was input automatically or manually, a person is looking at the information. Now, naturally, there is a lot of information that’s not a security concern, but any data that contains personally identifiable information or data that’s sensitive to the company, is what is of concern.
To mitigate the risk of security breaches due to data entry personnel being exposed to sensitive or identifiable information, there are a few steps you can take:
- Only provide fragments of the data to reviewers. This is intended to break up the data so it’s more difficult to put it all together into something usable.
- Building on number 1, you can distribute the fragments around the company (if possible) to minimize or eliminate getting multiple fragments of the same data into close physical proximity.
- Implement redaction on any stored images of documents. Some document imaging systems can automatically detect (with some configuration) sensitive fields and data and obscure them. This makes the documents safe to distribute.
With more companies moving their document management to the cloud, data entry systems and services are being heavily utilized. Additionally, government regulations like HIPAA for health care providers, the Gramm-Leach-Bliley Act for financial companies, and the Freedom of Information and Privacy Act for the government itself require institutions to careful manage the security of information it handles. These suggestions are a good start to securing sensitive information as it’s entering information systems.