Tales From the Trenches: Document Management Crises

Three real-world incidents highlight how businesses can use confidentiality, integrity and availability controls to protect critical files across multiple environments.

Cybersecurity, information security, data breach, ransomware, cloud, record management, risk level

Almost every day brings news of companies that have lost control of corporate information — either by accident or as the result of malicious activity. From storerooms of documents destroyed by fire to data compromised in cyberattacks, the loss of corporate records has the potential to cause massive damage to your business’s revenue and reputation. 

Fortunately, you don’t have to wait until disaster strikes to learn from such incidents and reduce your risk level.

Document management and security controls aim to enforce the three major pillars of information security: confidentiality, integrity and availability.

  • Confidentiality mechanisms preserve the secrecy of sensitive information, keeping it out of unauthorized hands. 
  • Integrity measures protect information from unauthorized modification.
  • Availability controls ensure that records are available when required for legitimate use. 

Let’s take a look at three real-life incidents that businesses can draw lessons from. Learn how to apply the appropriate controls to your document management processes.

CASE 1: Ransomware Strikes a Healthcare System

The IT director of a major regional healthcare system received an email from an anonymous address mocking his security controls and demanding a $100,000 ransom payment. He had received messages like this occasionally and thought it was a scam.

This time, however, the hospital was the target of a ransomware attack that encrypted all its medical records, preventing access to all documents.

The IT team began the laborious project of restoring the systems from the prior evening’s backups. It took several hours longer than expected, crippling the hospital’s operations and forcing it to close the emergency room to new patients.

LESSON 1: Prepare and maintain contingency plans.

The hospital lacked a comprehensive system of confidentiality, availability and integrity controls. 

Although the hospital had an electronic backup of its data, the ability to tap into physically protected paper documents stored in a secured filing facility would have kept the hospital operating efficiently. The hospital staff could have avoided hours of chaos while the IT team restored access to the electronic records system. 

The hospital team then could have created paper forms for prescriptions, medical charts and other hospital activities. It also could have created processes for using those documents and mechanisms for moving them between departments. Taking the time to complete this initial work and train staff on these processes would have helped keep the ER doors open and doctors and nurses working at a comparable pace.

CASE 2: Coding Error Exposes Confidential Client Documents

Data loss isn’t always the result of intentional attacks, as leaders at a document scanning developer discovered. The company found more than 200,000 documents — many of a sensitive nature, such as contracts, internal memos and files detailing usernames and passwords — fully accessible to anyone on the internet via a cloud server.

The idea of scanning, digitizing and housing documents in the cloud — making them easier to access, manage, use and protect — is not far-fetched.

Unfortunately, the IT team misconfigured the open-source database used to host the documents. It’s unclear how long the documents were exposed, but the company acknowledged that customer files were breached. 

LESSON 2: Establish strong confidentiality and availability controls for your document handling — from end to end.

Digitizing paper documents combined with cloud storage can provide an extremely convenient and cost-effective way to transfer and maintain data, but businesses also must keep those documents safe.

That means understanding what is required to protect your documents once they’re in the cloud, whether your IT builds a custom database application or you enlist a third-party service. It also means understanding how you can keep an eye on those documents.

Many companies implement cloud monitoring solutions that quickly detect obvious configuration errors. Such a tool would have brought the exposed data to the company’s attention immediately. 

But even before moving its documents online, the company should have encrypted its digitized documents. That way, the files would have been inaccessible to cybercriminals. 

CASE 3: Fire Destroys Millions of Documents From Court Cases

When fire tore through a warehouse, it burned an estimated 85,000 boxes containing documents from court cases dating back to before the Civil War. While some were historical records, others were legal documents connected to cases within the past decade. 

The warehouse was used by the state’s Office of Court Administration for permanent storage. Other state documents stowed in the warehouse were also destroyed. While some of the documents had digital or paper backups elsewhere, many did not. 

Several law firms sued because they no longer had access to documents for clients or to meet compliance regulations.

LESSON 3: Even if you keep all your paper files, create a backup and restoration strategy for mission-critical documents.

Many organizations still rely on paper filing systems: A 2017 Wakefield Research and SAP Concur survey found that 60 percent of small businesses keep their important documents on paper tucked in filing cabinets because they like the proof that hard-copy records provide.

By duplicating its documents and tagging them, the state organization could have established appropriate availability controls. A second duplicate version of every document lost in the fire could have been stored at a backup location. There are third-party providers that can quickly locate and ship, or scan and send, a document using the tagging data on duplicate copies.

And while some businesses prefer hard-copy records for day-to-day needs, another option for the state organization would have been to scan and digitally store its documents on magnetic tape at a hosting facility or in the cloud. Either approach would have prevented lawsuits and spared the loss of historical records. 

The Takeaway: Invest in Being Prepared

Each of these stories shows the fallout from a document loss incident. Whether turning away patients in need, facing lawsuits over exposed sensitive information or struggling to pull together records after a disaster, these three organizations experienced both financial and reputational repercussions.

Could similar incidents occur in your environment? What controls can you put in place to better manage the documents critical to your business and its mission? Making plans now can be the difference between a manageable challenge and a full-blown disaster.