Security Issues in Enterprise Content Management (ECM)
Among the crucial considerations when evaluating migration to ECM platforms is data security, particularly in light of the volume of confidential data that passes through and is stored in such systems. This article describes the broad categories of security issues that should be addressed by a top-tier ECM solution.
At the conclusion of 2018, a CSO article called out well-known organizations such as eBay, Marriott, Equifax, Target, Home Depot, JP Morgan Chase, Yahoo, the U.S. Office of Personnel Management, and several others for ranking high on a rather notorious list. What did they have in common? They had all fallen victim to data breaches that ranked among the 18 biggest in the 21st century.
That’s a club no organization wants to join.
Unfortunately, data breaches—large and small—are occurring daily, and nearly every organization is at risk, especially as the quantity and use of data have reached unparalleled proportions. It is natural and prudent, then, for organizations that are evaluating enterprise content management (ECM) solutions to be concerned about the security of their platform and their business and customer data.
One way to begin to organize your thoughts about security issues as they relate to ECM is to ask “Who and what must we protect against?”
- External attacks (hacking). To protect against third-party threats, ECM solution providers need to consider many of the same security issues that your organization’s IT department must consider. A good ECM solution will offer built-in, pre-configured and enabled security features that are based on the best practices, standards and regulations for your industry. Examples include firewalls, virtual private networks (VPNs), passwords and permissions, two-factor authentication, automated network intrusion monitoring, and encryption protocols for data at rest, in transit and in use. Also, ransomware attacks on municipalities, government entities and enterprises are on the rise, which underscores the importance of your ECM provider offering a full backup strategy.
- Internal misuse of systems and information. Your employees are one of your largest security vulnerabilities. That’s why guarding access to data within the organization while at the same time giving employees enough access to do their jobs is as daunting a task as protecting against external attacks. Your ECM solution should include robust internal security tools such as passwords (set up, resets, expirations and cancellations), role-based permissions, data-based permissions, user audits, account lock/time-out settings, and more. Furthermore, your ECM provider should provide employee training during on-boarding of the ECM system and offer ongoing educational support, especially regarding compliance requirements and how to recognize security threats such as email phishing scams.
- Compliance and regulatory failures. Many internal and external security procedures are now mandated by law in the form of compliance and regulatory policies. This is particularly true in certain industries (healthcare and financial services, for example) and in certain geographies (for instance, GDPR in the European Union). Your ECM solution should comply with your industry’s standards and regulations, and your provider should have internal resources devoted to pushing updates to maintain compliance as regulations change over time.
- Vulnerabilities in software and integrated systems. This is a category that we often don’t think about until we read about or experience “bugs,” malware or viruses with crippling effects. Software development is a complicated process and today’s software platforms are often an amalgamation of pieces of software from many different sources. Your ECM provider should have—and be able to document and describe—the resources devoted to secure software development, code review and quality assurance, threat modeling, static and dynamic analysis scans and pen testing, as well as well-documented processes for fixing any discovered vulnerabilities and exploits.
- Disasters. Although not as common as all of the above, disasters do happen. Whether a natural disaster such as a hurricane, flood or tornado strikes, a massive electrical failure occurs, or some other calamity befalls the datacenter running your ECM, a disaster recovery plan is key to maintaining service. The disaster recovery plan and backup systems should be in place and well tested before you need them so that when “the worst case scenario” becomes reality, a stable and clean version of your ECM can be launched with the least amount of damage.
These are the key security issues you should consider when exploring the best ECM platform for your organization. Be on guard: due diligence in selecting a secure platform and a security-minded ECM partner can save you from one day being added to the list of security victims.
Authored by Dale Hopkins