In an age where employees, clients and suppliers are demanding greater access to an enterprise`s information, secure content management (SCM) has become critical in making that information available, while also ensuring it doesn`t fall into the wrong hands. SCM is also vitally important in regulating the movement of content in and out of the organisation.
So says Metrofile marketing director Paul Mullon, although he concedes that the term SCM has led to some confusion due to its broad definition.
"Everything, including document imaging, output management, document management, workflow, business process management, collaboration, Web content management, e-mail management, digital rights management and rich media management was bundled under the collective term content management. And now we have secure content management," he says.
But companies, confused by the semantics, put the issue out of mind at their peril. It`s one of the critical factors determining success or failure in business today.
Computer Associates (CA) eTrust Brand manager Mark Smissen says content can be classified into two categories. Firstly, there is the content within an enterprise and then there is the content that moves into and out of that enterprise.
Mullon says managing content and who has access to it, as well as the movement of content in and out of an organisation, has risk involved and that risk has to be managed.
"Of all the information within a business, around 65% is contained within hard copy [on paper]. A further 15% of the enterprise`s unstructured information is contained within domain name system servers, word documents on users` computers, PowerPoint presentations and so on, while the final 20% is contained within data systems.
The loopholes
"The type of risk involved in the management of information, be it document theft or a hacker entering one`s system, is different, but no less important," says Mullon.
<B>The Gartner take</B>
According to a Gartner report released in May, more than 75% of enterprise data is unstructured and document-related.
It says better e-mail and document information access can lead to greater customer satisfaction and ultimately to more revenue opportunities.
In order to achieve this, the report recommends four steps:
1) Define information by determining which information must be shared. Survey the information needs of various departments, ranking how quickly workers need to access the different information sources and estimate the cost and benefits of providing real-time information for each source.
2) Find the information. Implement search tools to provide quick information access.
3) Manage the content by designing a proper content management environment to manage unstructured data in a granular fashion.
4) Implement taxonomies for document classification to allow for the mapping of information in the content management repository to one`s business needs more effectively.
"Content management tools are fundamental to a real-time enterprise and maximise the value of information that workers produce. CIOs therefore need to set processes in place and buy or upgrade technologies to meet each department`s needs," says Gartner.
The risk in managing either hard copy or electronic data is twofold. Firstly, there is the risk in managing the information and secondly, there is the risk in protecting it. And both tasks need to be done effectively while still providing a large number of people inside and outside the organisation with access.
"Most business processes depend on paper-based documents to verify or support them," says Mullon. "Losing that documentation, whether it is misplaced because of bad management or stolen, is just as sure to bring that business to its knees as the loss of electronic data."
There is also the risk of an information breach because of loopholes created by the fact that the people who manage the content are not the same people who manage the security.
"Added to that, there is the client and the supplier to the organisation wanting access to more and more information, which creates further possible avenues for security breaches," he says.
Careful consideration must also be given to what content is being brought into the organisation by its employees.
"The type of files that are allowed into and outside of the organisation, as well as the size of files, need to be regulated. Certain files also need to be prevented from leaving the organisation."
It`s a grudge purchase
Frank Pinto, an executive at fashion retail group Edgars Consolidated Stores (Edcon), says it is important to implement a workflow-type system for SCM.
"First of all, one needs to ensure one`s infrastructure is in place. Once this is done, processes need to be in place to make sure content is managed securely. Content can then be produced, validated and placed within the public domain in a secure environment."
Pinto says without a process to protect content, sensitive information or content not in line with an enterprise`s image will end up leaving the organisation.
And, as both Mullon and Smissen point out, because SCM is a simple necessity for the survival of an organisation, it is a grudge purchase as there is no return on investment (ROI).
Smissen says the transmission, reception and filtering of documents is vital for every organisation, no matter what the core business is.
SexTracker reports 70% of Internet pornography traffic still occurs during office hours...employee productivity is continually being driven down.
Mark Smissen, eTrust brand manager, Computer Associates
"Along with this, non-business-related surfing of the Internet, personal e-mails, messaging, spam, streaming media, music and video downloads all compete for employees` time," says Smissen. "SexTracker reports that 70% of all Internet pornography traffic in the world still occurs during office hours. The result is that employee productivity is continually being driven down."
Smissen says a multi-layered approach is needed to filter information and ensure that the Internet and e-mail are used for business purposes and are not bringing in viruses.
Mullon says this can be arduous, but is important. For example, with e-mail, broad categories of type, size, user, inbound and outbound e-mail agreements need to be applied to images, movies, compression formats, executable attachments, document files, legal disclaimers, virus scanning, text analysis, spam, spoof e-mails and so on.
`It won`t happen to us`
Security measures also need to be placed within the organisation so that if a virus or hacker does get into an enterprise database it is not defenceless.
<B>Dealing with e-mail</B>
Paul Mullon, sales and marketing manager at Metrofile, gives an example of how e-mail attachments need to be managed:
With each type of image (jpeg, tiff), policy has to be put in place to govern:
* The maximum size allowed;
* The number of attachments allowed;
* The user(s) - is it everyone, a department, or an individual user;
* What happens when an image is received via e-mail - is it deleted, quarantined, archived or forwarded; and
* What happens if someone attempts to send an image out of the enterprise - should it be blocked, sent to someone as an alert, and so on.
This process also needs to be followed with other attachments, like movie files, compression formats, executable attachments, text analysis, spam, spoof and automatic e-mails.
It should also be applied to the use of the Internet, particularly for the management of access to Web-based e-mail. While this is a time-consuming process, it is vital to the management of information.
Smissen says technology is available to filter information and protect enterprises from malicious attack, and it is increasingly being bundled into single, cheaper software packages.
"But, despite this, security and management of content flowing in and out is generally only done on a rudimentary level," says Mullon.
This is because of the grudge purchase factor, and because companies that do not have IT as a core business often neglect to manage it properly. Many also have an "it won`t happen to us" attitude, he adds.
Properly managing security software is just as important as having it in the first place. "It is unforgivable when a company`s security is breached by a virus when the fix has already been made available," he says.
Looking ahead, Smissen says the next two big challenges looming in regard to the Internet and e-mail is the presence of malicious code on Web sites and e-mails with viruses that will activate as soon as they land on a company`s mail server.
"We are already starting to see malicious code on European Web sites. As soon as the Web site is opened, if settings on the PC are configured in a certain way, the code can establish a back door into the PC without the user knowing about it."
While viruses contained in e-mail attachments are not yet able to activate unless opened, he says it is only a matter of time before someone figures out how to achieve this.
Mullon says that, along with making the effort to ensure security is adequate, companies need to educate outside users with access to their organisation.
The cost of a breach
"Take the recent example of the Absa Bank hacker, who gained access to Absa clients` accounts by sending them an e-mail with an attachment which they opened. The attachment in turn tracked their key strokes and sent the info back to the hacker."
Mullon says this is not a case of a bank`s security being directly breached, but a user whose ignorance was exploited.
"In the case of a bank or large corporate, there could be millions of people with access through the Internet to that organisation. While the cost of providing them with secure access and ensuring they are educated about possible security threats may be substantial, the question one has to ask is: what will the cost of a possible breach in security be?"
Therefore, Mullon says spending on software to protect content and educate users is vital.
When it comes to information within the enterprise, Knowledge Integration Dynamics consultant Mervyn Mooi says both the operational systems and the business intelligence (BI) systems need to be secured.
"Operational systems are where the action often is, where transactions are processed and where the money is often counted. However, BI systems, which often contain much of the organisation`s data, cleaned and loaded into a single database, are just as important."
We are already starting to see malicious code on European Web sites. As soon as the Web site is opened...the code can establish a back door into the PC without the user knowing about it.
Mark Smissen, eTrust brand manager, Computer Associates
Mooi says there are five levels of security access within a BI system.
"There is LAN or WAN access (this includes access granted to people outside the enterprise), domain access, server access, file system and application access, database access and object level access."
Mooi says access for each user inside and outside the enterprise needs to be defined down to object level access (rights access), which grants or restricts users to information within documents. That information can then be further secured by making it "read only", so it can be viewed but not altered.
A big free-for-all
Ovations Technologies technical director Emile Pepermans says enterprises often have disparate systems and methods for capturing and accessing their information. Companies often dump information into file servers with shared folders and that information is often distributed in an ad hoc manner via e-mail, causing more confusion. Pepermans says there is a clear security risk in this approach.
"Critical information can easily go unnoticed, data can be manually tampered with and important facts can be hidden," he says.
The solution lies in formalising the process of storing, retrieving and publishing information.
"This includes the information that has never been captured on a database or computer but is held in hard copy. The first step to improve security is therefore to capture that content and give it a taxonomy."
Pepermans says this often requires change management in the organisation as it means a change to the culture of the company, its processes and the way its people think.
As with the object level access described by Mooi, Pepermans says once information has been captured and sorted, decisions need to be taken on who has access to that information. Processes governing the movement of content need to be in place. The output channel also needs to be controlled, governing who has access into the enterprise, who is allowed to send content out the organisation and which content is allowed to be sent out.
The format in which the information is stored is also important. Pepermans says open standards should be used in databases, so that information can be accessed over time.
However, Mullon says using open standards to store information may not be enough.
Back to microfilm?
"With the advent of the image, everyone thought we could move to a paper-free society and that this would solve storage problems and save money. However, with technology progressing rapidly, the content within enterprises is having to be migrated to more advanced technology. Thus, while the cost of storing information digitally is cheap at first, it increases over time," he says.
On the other hand, paper is costly to begin with and decreases with time. But there is another possibility. Mullon thinks companies might soon go back to microfilm for storage.
"Because of the migration costs and risk of data loss in moving information to new technology, many large organisations with large amounts of unstructured information may turn back to microfilm, which is less expensive than paper and lasts longer over time," he says.
Smissen says the Electronic Communications and Transactions (ECT) Act has placed restrictions on spam and unsolicited e-mail, which is problematic as many employers are unaware of the amount and type of information being stored and how much of that information is being sent out of the company.
Mullon says legislation like the ECT Act, the Promotion of Access to Information Amendment Act, the Financial Advisory and Intermediary Services (FAIS) Act and the Financial Intelligence Centre Act (FICA) - as well as the King report on corporate governance - are forcing enterprises to implement SCM whether they like it or not.
Because of costs and risk of data loss in moving to new technology, large organisations may turn back to microfilm, which is less expensive than paper and lasts longer.
Paul Mullon, marketing director, Metrofile
"There is such a drive for corporate governance to be open and transparent. Yet, at the same time, information needs to be protected from unauthorised access.
"For the sake of security, and the reputational and financial damage of non-compliance, it is critical that time is taken upfront to implement SCM," he says.
What price intellect?
Nanoteq Business Solutions business unit manager Pieter Pretorius says enterprises need to see this as a positive step and while it does not bring immediate ROI, the consequences of not implementing SCM properly are dire.
Rights management, file security and content management are not given as much budget and priority because it is hard to quantify the value of intellectual property and the cost of losing it.
Pieter Pretorius, business unit manager, Nanoteq
"Many enterprises try to cover their bases. But while anti-virus software is seen as a necessity, other areas of SCM like rights management, file security and content management are not necessarily given as much budget and priority because it is hard to quantify the value of intellectual property and the cost of losing it," says Pretorius.
Companies should therefore adopt a positive approach by determining what information lies within the enterprise and its possible value, and then taking steps to protect it.
The type of risk involved in the management of information, be it document theft or a hacker entering one`s system, is different, but no less important.
Share