Are You the Weakest Link?
Criminals intent on stealing financial and health information, a valuable asset in activities such as insurance fraud, drug trafficking, or identity theft, may be thwarted in attempts to hack into bank or insurance company databases. For the most part, large organizations that compile and store that kind of information recognize the risk and are vigilant about protecting the data from unauthorized access.
But what about the information used to create insurance documents, hospital bills, financial statements, and so forth? This type of work has long been a staple in the print and mail business. While equally aware of the danger, not every document output company maintains the same level of monitoring and security as the customers that provide it with the data necessary to create the documents. This makes the document service providers a better target for the crooks – the weakest link.
Just as burglars may wander down the street looking for an easy mark, data thieves will also seek access to desirable information in ways that present the least amount of resistance and a low risk of detection. Document processing centers may be making their customers’ data vulnerable – effectively leaving a window open for the thieves to find and exploit. And they may not even know.
Data Encryption Can Be a Nuisance
In an industry that has always concentrated on elements such as throughput and productivity, any step that slows down the workflow can be disruptive. Constantly encrypting and decrypting data is one of those things that can fall into this category. Depending on the technology deployed, document centers may use hardware- or software-based keys, maintain permission and authorization tables, or use passwords to unlock the data that is necessary to perform steps in the document production workflow. Any of these security measures may at times deny legitimate employee or application access because of outdated or incorrect keys or the unavailability of authorized employees. Delays caused by this type of event ripple through the shop, putting downstream processes behind schedule.
As outsource service providers compete to win the business, they may accept Service Level Agreements (SLAs) that carry severe financial penalties should deadlines be missed. With already slim profit margins, it is no wonder that extra-strength security measures throughout the document workflow are invoked only when absolutely necessary.
Whether due to a company-endorsed practice or the habits of employees who circumvent the rules while under pressure to get the work out, any point in the document workflow where confidential data is unprotected can be all a data thief needs to pilfer the goods. It is quite possible that executive management at the service provider is unaware of this vulnerability.
Staff Members Statistically More Likely to Offend
Data theft can be a crime of opportunity. There is actually a relatively low number of instances in which unknown hackers initiate an intrusion. More often than not, it’s an inside job.
The opportunities for an internet-based criminal to detect vulnerabilities behind the firewall of a document service provider may be few. Employees are a different story. Their familiarity with the security measures in place may allow them to access confidential information and transport it out of the company without being noticed. We would all like to think that we can trust our employees. But just like embezzlers, data thieves can be tempted due to money troubles, drugs and alcohol, or other outside influences.
Companies that maintain airtight control over their customers’ data, monitor access, or do spot-checks may be doing their employees a favor by raising the risk of termination and prosecution should they be caught compromising confidential data entrusted to their employer. It isn’t a matter of trust; it is a matter of exposure.
There are numerous approaches to avoid being the weakest link in the confidential data workflow. Awareness is usually the first step, so an assessment of actual practices throughout the shop is necessary. After that, each organization can decide what additional security measures are necessary and make plans for enforcement and monitoring.