Secure Document Governance Safeguarding confidential information

Part three of the Ricoh Document Governance Index series of whitepapersMarch 2010

This whitepaper is informed by research conducted by Coleman Parkes Research for Ricoh covering: Belgium, France, Germany, Italy, Netherlands, Spain and the United Kingdom & Ireland

Contents

1.0 Introduction - document governance and security 3

2.0 Executive summary 4

Key findings3.0 Awareness of document security risks is high 5

4.0 Businesses are exposed to significant risk 6

5.0 Attitudes to document security vary across vertical markets 8

6.0 Conclusion 10

7.0 Ricoh’s approach to security 11

1.0 Introduction – document governance and security

Ricoh is launching the third in a series of whitepapers about document governance. Research conducted by independent firm Coleman Parkes shows that more than half of European businesses (57 per cent) operate a decentralised approach to document governance, which means they are missing out on a wide range of benefits. These include opportunities to increase efficiency, sustainability, productivity and security. This research paper examines how European business leaders are managing security within the specific context of document governance.

Information security applies across all areas of business, covering; Confidentiality, Integrity and Availability. The data within the document governance research provides an insight into how European business leaders are managing document confidentiality and unnecessarily exposing themselves to risk.

If confidential information is leaked it can impact a business in the following ways:

Intellectual Property Rights: Loss of business investment in Research and Development Customer information: Personal Information is protected by legislation. Fines can be

imposed if the regulations are not met. Commercial information: Commercial advantage can be lost if sensitive or confidential

information is leaked. Third-party information: Information handled through outsourcing activities. Customers

will lose trust in the outsourcer and may resort to financial compensation.

There have been several well publicised examples across Europe where personal information such as health records or bank details and even classified government strategies have been lost or left in a public place without any security in place to protect the data. In addition to impacting a company’s reputation, security breaches can be costly. Consider the situation in the motor racing industry1 - a 780-page document containing confidential technical information about Ferrari’s F1 car was found in the possession of a McLaren designer. The sport’s governing body considered the impact to Ferrari’s competitive advantage so damaging, that McLaren was heavily fined and stripped of its championships points for the season.

However a confidentiality breach may not always be so overt. There are also ‘quieter’ daily risks within a business. For example, sensitive commercial information such as business plans, strategies and financial information may find its way into the hands of competitors, without a business ever being aware.

There are regulatory requirements and legal requirements, such as PCI-DSS2, Data Protection and Sarbanes Oxley to protect sensitive information. However, as this study shows, information in some businesses remains unprotected, leaving it vulnerable to breaches. For example, just 47 per cent3 of business leaders are able to confirm that they have a policy in place to control the printing of customer information.

The Document Governance Survey Methodology A total of 311 detailed interviews were conducted during July and August 2009 with senior decision

makers (C-level or equivalent) in Belgium, France, Germany, Italy, Netherlands, Spain, and the United Kingdom & Ireland. All respondents work in either medium or large companies in the Financial Services; Professional Services; Public and Telecommunications/Utilities and Media sectors across Europe. They are responsible for document management within their respective organisations. The survey was conducted under controlled conditions to ensure it provides representative information across Europe and within each targeted vertical sector.

3

1 http://edition.cnn.com/2007/SPORT/09/11/f1.spygate/2 Payment Card Industry Data Security Standard3 Average cross Financial Services, Professional Services, Public Sector and Telecoms/Utilities/Media

4

2.0 Executive summary The findings of the Ricoh Document Governance Survey demonstrate that despite an awareness of risks

to document security across European businesses, only a minority of leaders are implementing policies to address the problem.

Awareness of document security is high

As one would expect, European business leaders demonstrate a strong understanding and awareness of the need for document security. Three quarters (76 per cent) of respondents agree that the increased use of technology in our work environment is causing increased security risks. An overwhelming 91 per cent agree with the adage that effective document security is about prevention rather than cure and 68 per cent of business leaders believe that an optimised print environment would lead to better security measures. For business documents, digital and printed information is of equal concern to almost half of the respondents (49 per cent).

In reality, businesses are exposing themselves to significant risk

However in reality it is the minority that are taking actions to protect their confidential information. Less than half (47 per cent) have a strict policy in place to control the printing of customer information and even less – 41 per cent – for other confidential documents. Furthermore, only 44 per cent of respondents have a strict policy in place to prevent employees from leaving the company and taking confidential information with them.

The lack of policies can be a direct result of the decentralised approach to document governance. A fragmented approach to managing documents across the business means that businesses are not gaining a full insight into all the areas where security needs to be addressed. The result – companies are more vulnerable to security breaches whether accidental or intentional.

Attitudes to document security vary significantly across vertical markets

There are surprising results when we look more closely at the vertical markets. The financial industry is the least likely to have a policy in place to restrict the printing of customer information with just 46 per cent confirming that they have implemented a formal policy. Just 33 per cent of public sector organisations have a fully implemented document security strategy. The number rises to 43 per cent in Professional Services and 48 per cent in Telecommunications/Utilities/Media. Overall, the results show that even the most regulated industries can be doing more to protect confidential information and govern their documents more effectively.

5

Key Findings3.0 Awareness of document security risks is high

As would be expected, European Business Leaders show a high awareness of the need for document security in their organisations. The majority (76 per cent) agree that security risks are increasing as a result of the evolving technologies in the workplace.

Following, is the premise that an optimised or centrally governed print environment will lead to more effective security measures, with 68 per cent of business leaders in agreement and 91 per cent confirming the adage that document security is about ‘prevention rather than cure’.

The responses show awareness of the need for security within the document workflow. Almost half of European businesses (49 per cent) are equally concerned about the threat to information, whether in digital or printed form.

In practice, there is a range of security solutions that will allow the business leaders to govern their documents effectively and manage their document security concerns, for example Document Management Services. There are also more specific applications such as user-authentication, locked print and smart-accounting. Technical controls include password protection, so that only authenticated individuals can access and print restricted information. The integrity of the documents can also be protected with embedded codes that highlight changes and/or prevent rescanning or copying. A data overwrite process will also automatically remove all temporary data stored on the hard drive of multifunctional devices.

Figure 1 – Attitude towards relative threat of printed and digital information

49 per cent are equally concerned about the security threat of digital and printed information

0

10

20

30

40

50

60

70

80

90

100

Telco/Utilities/MediaPublic SectorProfessional Services

Financial ServicesTotal sample

49

15

36

49

15

35

54

17

29

51

13

36

41

10

48

In today’s economic environment which poses the greatest security threat to the company?Base: Total Respondents

Digital information %

Physical/printed information %

Both equally %

Source: Coleman Parks Research Ltd., 2009

6

4.0 Businesses are exposed to significant risk

Although the surveyed business leaders expressed awareness of the threats to their business documents, in reality they have not yet implemented the solutions available to them.

Just 47 per cent of the European business leaders surveyed stated that they have a policy in place for controlling the printing of customer information and even fewer – 41 per cent – have a policy in place to restrict the printing of other confidential documents. Furthermore, just 44 per cent of respondents have a policy in place to prevent or deter employees from leaving the company and taking confidential information or documents with them.

Without security policies, organisations are exposing themselves to significant risks. Whether the threat is intentional or accidental; the ramifications of confidential business information falling into the wrong hands, can be far-reaching and potentially highly damaging to the company.

Figure 2: Presence of policies to control the printing of customer information

Just 47 per cent of companies have a strict policy in place for controlling the printing of customer information

0

10

20

30

40

50

60

70

80

Telco/Utilities/MediaPublic SectorProfessional Services

Financial ServicesTotal sample

47 46

32

22

49

2724

48

35

17

50

28

22

31

23

Existence of a security policy that restricts or controls the printing of customer informationBase: Total Respondents

Yes, strictly enforced %

Yes, but not strictly enforced %

No %

Source: Coleman Parks Research Ltd., 2009

It is possible to link the inconsistency, between awareness and practice, to the results of the Ricoh Document Governance Index4 . It found that document governance tends to be decentralised with no single function accountable for this area. In many cases, several people are accountable for document governance but more often, responsibility is devolved either to department heads or individuals. Duplication and inefficiency are a result of a decentralised approach. It also impacts productivity and sustainability. In this context it is also possible to see its affect on document security.

Figure 3: Presence of policies that control the printing of other sensitive information

0

10

20

30

40

50

60

70

80

Telco/Utilities/MediaPublic SectorProfessional Services

Financial ServicesTotal sample

41

35

25

46

32

22

3733

30

41

35

24

43

36

21

Existence of a wider reaching policy that restricts or controls the printing of corporate documentsBase: Total Respondents

Yes, strictly enforced %

Yes, but not strictly enforced %

No %

7 4 Coleman Parkes Research. October 2009

Source: Coleman Parks Research Ltd., 2009

8

5.0 Attitudes to document security vary across vertical markets

There are surprising results when the data is compared across the following vertical sectors:

• Financial Services • Professional Services • Public Sector • Telecoms/Utilities/Media

The average across all the sectors shows that less than half of the companies; have implemented a fully developed document security strategy (48 per cent); have policies in place to control the printing of customer information (47 per cent) and can prevent sensitive documents from leaving the company (44 per cent).

Financial Services The Financial Services sector, one of the most regulated, provides unexpected results. Just 46 per cent

of business leaders in this sector confirmed that they have a policy to control the printing of customer information within their business. This puts Financial Services in last place within this particular area.

Conversely, the Financial Services sector is more likely than its peers in other industries (49 per cent) to have a strict policy in place to prevent employees leaving the company with confidential information.

It would be inappropriate to suggest that such an oversight is intentional; it is more likely the cause of decentralised document governance, whereby no single individual is monitoring the information across the workflow. The result is that document assets within the IT workflow are invisible, the risks remain unmeasured and the information is therefore unprotected.

Public Sector The public sector follows a similar unexpected trend, just 39 per cent of business leaders said they had

a policy in place to prevent people leaving the organisation with confidential or sensitive information. This figure is well below the industry average of 44 per cent and concerning given the sensitivity of the information held and the flurry of examples5 where information has been lost and leaked.

Public sector organisations are also least likely to have an overall document governance strategy (33 per cent) to manage and secure the print environment and least likely to consider improved security as a key benefit of an optimised print management approach (59 per cent).

Professional Services In addition to the actions to protect and secure the printing of customer data, the study also revealed the

number of policies available to restrict or control the printing of other confidential corporate documents or information. Examples include, business plans, employee information and budgets. Just 37 per cent of business leaders in the professional services – the lowest in Europe – have a strict policy in place compared to 46 percent of Financial Services leaders – the highest in Europe.

5 http://www.publictechnology.net/content/21869

9

Telecommunications, Utility and Media While business leaders in the telecommunications, utility and media industries are more likely than their

peers in other industries to agree that the volume of information in printed form is increasing, just 43 per cent have a formal policy in place to control the printing of other confidential documents. However, they remain slightly ahead of professional services and the public sector (41 per cent).

Figure 4: Presence of policies to prevent employees leaving the company with confidential information

Figure 5: Vertical sectors attitudes to document governance policies

0

10

20

30

40

50

60

70

80

Telco/Utilities/MediaPublic SectorProfessional Services

Financial ServicesTotal sample

44

22

34

49

20

31

45

17

39 39

2833

43

24

33

Existence of formal or ad-hoc procedures to prevent employees taking confidential/sensitive informationBase: Total Respondents

Yes, formal %

Yes, ad-hoc %

No %

0 10 20 30 40 50 60

The strategy is fully developed and implemented

The strategy is being developed and will be implemented soon

No formal strategy, just a series of guidelines

Planning a strategy for the future but it is not in place

Nothing in place or planned

Departments have their own approach

1417

1212

15

08

52

4

1912

1115

14

1617

1217

15

312

1720

14

4833

4334

39

Companies Document Governance strategy/policyBase: Total Respondents

Telco/Utilities/Media

Public Sector

Professional Services

Financial Services

Total

Source: Coleman Parks Research Ltd., 2009

Source: Coleman Parks Research Ltd., 2009

10

6.0 Conclusion While almost half of the European Business Leaders are equally concerned about the confidentiality risks

posed from digital and printed materials, the research shows that they do not have sufficient policies in place to protect their confidential documents. The figures show that despite the risks involved, increasing regulatory requirements and pressure from customers to demonstrate responsibility, just 48 per cent have a fully developed document security strategy in place.

There is significant scope for improvement in all sectors; even in the most regulated sectors. The reason for the results is most likely due a lack of awareness of the benefits of centralised document governance. By implementing a strategy that assigns clear responsibility and accountability for the overall document workflow businesses can reduce the risks and support their efficiency and sustainability goals at the same time. Document assets need to be seen as an integral part of an organisation’s overall security strategy and managed alongside all other properties within the business network.

At a tactical level, document security can also play a central role in helping companies to ensure regulatory compliance and increase employee productivity through a more streamlined workflow. But document security can also help companies to differentiate by showing that they operate in a responsible and ethical manner, with integrity and transparency. This, in turn, promotes customer trust and competitive advantage. Perhaps then, in the same way that they require absolute transparency and accountability from their suppliers, businesses can start to promote their own internal processes around document security as a potential differentiator to future customers.

11

7.0 Ricoh’s approach to security To enable businesses to better protect their data, ‘security’ is a significant feature in Ricoh Research &

Development, service and support and within its own internal processes. It also considers the full scope of document security to manage Confidentiality, Integrity and Availability of information.

Ricoh recognises that information security is a high priority for its customers. This may be due to regulatory compliance needs or commercial sensitivities. Whatever the business need, European organisations’ requirements can be addressed by Ricoh’s security solutions portfolio.

The portfolio has been developed to help organisations manage and protect information. By implementing security measures, businesses can monitor office equipment, and safeguard against information leaks and loss. The Ricoh portfolio provides a range of important tools for organisations to use in their own Information Security Management Systems:

Trusted components

Security is introduced in the earliest stages of design of hardware and software. In 2002, Ricoh was the first organisation to receive ISO/IEC 15408 certification for a digital multifunctional printer. Since then Ricoh has continued to design and develop certified devices. This includes the DataOverwriteSecurity option which is also ISO/IEC 15408 certified.

Defining and enforcing policies

Ricoh consultants work with customers to define a printing policy which balances the need for security and management against the need for a flexible and efficient user experience. Once the policy is defined users must be educated on the business needs for the policy and how to use them. The enforcement of the printing policy can be automated using various products in the Ricoh portfolio.

Restricting access to devices

One of the greatest security risks comes from “insiders”. These are people who have unrestricted access to work areas and devices. Multi Function Devices can be used to export or copy information for use by third parties unless security measures are activated. These measures can force users to be authenticated by security card or password before the Multi Function Device is activated for them. They can also restrict the functionality available to individual users according to their business needs and role, for example, gain tighter control over scan to fax and email services.

Secure document delivery

Uncollected output from a printer is a visible sign of wastage but it is also a security risk. Confidential output can be stored and collected when released by the unauthorised user. Simple steps to identify a document owner can be inserted at the printing device, either through a code or swipe card. Uncollected print files can be automatically deleted from the server after a defined time.

Additional measures can also be implemented to secure the document on its journey through the network to the printer. A data overwrite process will also automatically remove all temporary data stored on the hard drive of multifunctional devices. They protect data against more sophisticated and deliberate attacks.

Audit

Audit logs are an essential part of any security manager’s toolkit. Information on who is scanning, faxing and printing can be provided to help the Security Manager to detect misuse and internal security threats.

12

Ricoh’s internal approach to Information Security Management Ricoh takes a consistent and global approach to secure information. It has gained ISO27001 accreditation across all its sites globally since 2004, a unique accolade for a company in the document industry. As Ricoh increases its contact with its customers’ information through networked printer service and maintenance, and through outsourcing services and managed print services, the trust of its customers is essential. The ISO 27001 certification is its credential of trust.

Useful linkswww.ricoh-europe.comhttp://www.ricoh-europe.com/solutions/index.xhtmlhttp://www.ricoh-europe.com/products/output-management-and-security/index.jsp

Customer queriesTel: 0207 465 1182Email: cco@ricoh-europe.com

Press queriesJanice GibsonTel: +44 (0)20 7465 1153E-mail: press@ricoh-europe.com

About Ricoh Ricoh Company, Ltd (“Ricoh Company”) is a global technology leader, specialising in the office and production printing markets. Ricoh works with organisations around the world to modernise work environments and optimise document efficiency. With over 108,500 employees worldwide, it operates in Europe, the Americas, Asia Pacific, China and Japan.

Ricoh Global Services provides strategic support and long-term partnership to Ricoh’s multinational companies across the world. With an unrivalled direct sales and service network model, Ricoh Global Services continuously drives value for customers with its standardized, consistent end-to-end solutions. Ricoh’s customers can rely on one partner for all their global needs.

Ricoh Europe Holdings Plc is a public limited company and the EMEA headquarters of Ricoh Company with operations located in London, United Kingdom and Amstelveen, the Netherlands. The EMEA operations comprise over 35 sales subsidiaries and affiliates.

In the fiscal year ended 31 March 2009, revenues from Ricoh’s EMEA operations totalled over YEN 523.4 billion accounting for 25.0 per cent of Ricoh Company’s global revenues. Ricoh Company’s worldwide sales totalled over YEN 2,091.7 billion during the year ended 31 March 2009.