Documented proof

If the paper document really is about to go the way of the dodo, organisations need to prioritise managing, controlling and archiving their electronic documents.

According to recent data from Gartner & IDC, the 200 million business users of Microsoft Office send more than 100 million documents over email every day. That's around 250 documents per user per year. And that's just email – take into account IM, web mail and all the other modes of transmission and you've got a positive snowstorm of data flying around.

But while more and more corporate records are being generated electronically, too many are being created in systems that cannot guarantee either security or reliability, leaving them open to unauthorised alterations, hacking or leaks.

"The outstanding challenges associated with managing electronic information assets have the potential to be devastating in terms of professional careers and even corporate reputations. Just look at the impact that deficient records management practices had at Arthur Andersen and Morgan Stanley," says Robert Williams, president of electronic records management consultancy Cohasset Associates.

The significance of secure document tracking was reflected in the case of David Blunkett, who in 2004 was forced to resign as Home Secretary following the discovery of an email trail that showed a visa application for his ex-mistress's nanny had been fast-tracked.

Governments are trying to prod companies into taking action. For example, the US's Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act both include provisions demanding that organisations protect and track their electronic records. Similar laws hold for EU companies.

Well-thought-out secure document management (SDM) policies mean firms can meet compliance and legal requirements more cost-effectively and have a recovery plan in place in case of disaster.

"Good business and good records management go hand in hand," says Peter Hermann, executive director and chief executive of professional association ARMA International, an authority on information management.

"Good governance requires compliance and the proper management of records and information, regardless of the media on which they are created or stored, and is the key to any organisation's compliance efforts."

However, for an alarming number of companies, secure records management is still not even on the agenda, according to a recent survey conducted by AIIM, the international authority on enterprise content management (ECM).

The survey found that nearly half of US companies have still not adopted records retention policies for email and other electronic documents.

In the survey of 2,100 information and records managers, 43 per cent said their company does not include electronic records in its retention and destruction schedules. Yet 93 per cent of the survey's respondents believe that the process by which their electronic records are managed will be important in future litigation.

What's more, more than half (53 per cent) do not include electronic records in their legal hold orders associated with regulatory inquiries and litigation – leaving open the possibility that records critical to a legal matter could be destroyed. And more than two-thirds (68 per cent) don't have a plan in place to preserve electronic records that need to be migrated, to ensure the accessibility of the information over time.

"While the survey shows progress has been made in addressing some aspects of electronic records management, it also clearly demonstrates that many very serious problems still exist – and at dangerous levels for most organisations," adds Williams.

Companies, government agencies and other organisations invest huge resources in developing security policies and procuring protective technologies that point outwards at hackers, spyware and viruses. Yet a company without a secure document strategy is leaving itself open to the destruction of valuable and often irreplaceable intellectual and proprietary data by human error, system crashes or even sabotage.

Ken Rutsky, executive vice-president of worldwide marketing at document security software company Workshare, believes that organisations should be concerned about the "inside-out" leakage of information. "The inside-out threat poses serious risks that have the capacity to cost companies huge sums in law suits, fines, lost business and intellectual property infringement, as well as unquantifiable damage to that most valuable of assets: reputation," he says.

A secure records management strategy requires ongoing system management, together with a clear company policy on secure document management and accountability. Document management must become a company priority – in the same way as financial accounting – and adequate resources, including staff training, must be made available to ensure integrity at all times.

Kevin Cheek, vice-president of product management at enterprise risk-management system provider Reconnex, advises companies to address this as a matter of urgency. "First, they need controls in place that are able to determine access permissions to content, regardless of location and device," he warns.

"Second, they need controls that will track user IDs, the servers accessed, the name of any files accessed, date and timestamp, and provide an alert if that content is inappropriately removed, and provide the context and transmission method of the disclosure."

Some enterprises have been proactive in tackling the issue. German Sports University Cologne (GSU) has opted to publish learning modules and research in digital format, rather than traditional textbooks, but quickly realised that it needed to protect the authors' and producers' intellectual property rights. After extensive product analysis, it opted to go with SealMedia's enterprise digital rights management (E-DRM) product, because it can protect its content in a wide variety of formats, including html, pdf, jpg and video.

Some firms are looking to digital watermarking. Running along the same lines as digital signatures, watermarks can be used to embed a digital signal into a file that contains important data such as product copyrights. Digital fingerprinting as a document-tracking technology is also on the horizon.

And vendors are also beginning to pay more attention to this issue. Microsoft is building greater document security and tracking into Office, although many corporations are opting for an additional layer with deep packet inspection products such as Reconnex. This can identify more than 200 object types, including Office 2003 applications, and scan them for content that matches a risk management ruleset, such as "find all content containing social security numbers and names sent unencrypted", regardless of the transmission method, whether email, webmail, IM or whatever.

Adobe is also addressing secure data management. It offers Intelligent Document Platform, which uses XML technology for better integration with business information systems, and provides security covering the entire lifecycle of a document, from its creation through to its storage.

There is no doubt that this issue is not about to go away, and is going to be big business. As Thomas Raschke, programme manager of IDC's European Security Products and Strategies research, predicts: "Corporate concerns with endpoint security, regulatory compliance, malware, digital identities, mobility and complexity will help to drive the SCM market to achieve more than £1.75 billion in revenue in 2009."