How Risky is Taking Notes for Your Company and its Competitive Edge?
Notetaking apps have revolutionized the way we and our employees get things done. Whether we handwrite notes with a stylus, transcribe recorded audio, or type, they keep us organized and promote collaboration, but they may also be inadvertently putting your company’s security at risk.
Notetaking apps will continue to increase in popularity as the need for, and availability of, information continue to increase exponentially. Notetaking apps are now accessible from multiple devices, as convenient as pulling out your phone, and they are searchable, unlike paper and pencil. They now come in all sizes and complexities, from simple web-based, open-source tools to fully integrated, shareable platforms. We all have our favorites, whether because we have used it forever, because it is free, because it has the most storage or the best integration, or simply because of the platform it runs on. In all likelihood, a quick survey would show that a variety of different notetaking apps are being used by your employees every day. A recent survey in InfoSecurity Magazine found that 45.3% of Americans saved sensitive information in a notetaking app, and almost 70% were unaware their notes were not secured. What does this mean for your company?
Whether at meetings or in notes-to-self, what are we writing in our notebooks? Passwords, to-do lists, notes from meetings. These notes likely include proprietary client data, intellectual property, and prospecting information that, in the wrong hands, could prove damaging to your company’s competitive edge.
In a recent evaluation of the risk profile of a popular notetaking app in use by one of her clients, TIFFIN CYBER’s Susan Whittemore found the app did not stand up to the risk threshold required by her client. While this app may be sufficient for many companies, gaps in protection capabilities and a lack of maturity of IT controls were deemed unacceptable for this particular client.
One of the highest risk factors for these apps lies in corporate data management and protection. As employees move on, access and data ownership changes are managed in the corporate server environment, controlling access to the former employee’s emails and files. Notetaking software, however, does not usually sit on a corporate server. Key data in the form of employee notes sits on a third-party server, or in the local copy of the app, leaving your company data vulnerable to exposure. Application administrators, users with whom the data is shared, and threat actors who have compromised a user’s personal endpoint or obtained login credentials can potentially access company data without detection. Additionally, access termination processes may not extend to notetaking applications if credentials are not controlled by the company. Most notetaking apps are unencrypted by default, which leaves notes particularly exposed while syncing to other devices, and some apps leave your notes open and accessible to the employees who manage the storage servers.
What can you do to keep your company data secure?
First, assess and fully understand your company’s risk threshold. Because notetaking apps can inadvertently house sensitive data, assume they are high risk and understand which ones provide the capabilities needed for your risk appetite. Can you detect sensitive data that may be uploaded to the app from the corporate network? Are your users aware of what is sensitive, and of the consequences if they store it outside of approved mechanisms? Are there specific company requirements regarding journaling of communications? If so, can communications be prohibited from the app? How would you know if someone gained unauthorized access to the app? Will you be able to control user access and monitor usage? There are generally several versions of an app, including free, licensed, and sometimes business or enterprise versions. Choose the one that has the right capabilities to manage and protect your data.
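One of the assessment questions above is whether you can detect data being uploaded to a notetaking service from the corporate network at all. The following is an added example, not code from the original article or from TIFFIN CYBER, of the kind of check a security team could run over a web-proxy export to answer it. Everything in it is an assumption: the log line format, the field names, the hostnames standing in for approved and unapproved notetaking services, the "managed device" flag, and the 1 MB threshold for a large upload.

```python
"""
Added example (not part of the original article): flag uploads to notetaking
services seen in a web-proxy log, so that unapproved services, unmanaged
devices and unusually large uploads surface for review.

All hostnames, the log format and the thresholds are constructed for this
example; a real deployment would map them to its own proxy export and its
own list of approved services.
"""
import re
from dataclasses import dataclass

# Hypothetical hostnames standing in for notetaking services (constructed).
APPROVED_NOTE_HOSTS = {"notes.corp-approved.example"}
KNOWN_NOTE_HOSTS = APPROVED_NOTE_HOSTS | {
    "sync.personal-notes.example",
    "api.freenotes.example",
}
UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
LARGE_UPLOAD_BYTES = 1_000_000  # assumed review threshold: 1 MB

# Assumed proxy log line shape:
#   <timestamp> user=<id> managed=<yes|no> <METHOD> <host> bytes_out=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) managed=(?P<managed>yes|no) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) bytes_out=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    reason: str


def parse_line(line):
    """Parse one proxy log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["bytes"] = int(event["bytes"])
    event["managed"] = event["managed"] == "yes"
    return event


def check_event(event):
    """Return the list of reasons an upload to a notetaking host needs review."""
    reasons = []
    # Only uploads (request bodies) to known notetaking hosts are of interest.
    if event["host"] not in KNOWN_NOTE_HOSTS or event["method"] not in UPLOAD_METHODS:
        return reasons
    if event["host"] not in APPROVED_NOTE_HOSTS:
        reasons.append("upload to unapproved notetaking service")
    if not event["managed"]:
        reasons.append("upload from unmanaged device")
    if event["bytes"] >= LARGE_UPLOAD_BYTES:
        reasons.append(f"large upload ({event['bytes']} bytes)")
    return reasons


def scan(lines):
    """Run the check over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:  # malformed or foreign line: skip, do not crash
            continue
        for reason in check_event(event):
            findings.append(Finding(event["ts"], event["user"], event["host"], reason))
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z user=alice managed=yes POST notes.corp-approved.example bytes_out=20480",
    "2024-05-01T09:05:12Z user=bob managed=no POST sync.personal-notes.example bytes_out=5242880",
    "2024-05-01T09:07:44Z user=carol managed=yes GET api.freenotes.example bytes_out=512",
    "2024-05-01T09:10:30Z user=dave managed=yes PUT api.freenotes.example bytes_out=4096",
    "2024-05-01T09:12:00Z user=erin managed=yes POST www.search-engine.example bytes_out=8000000",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.user} -> {f.host}: {f.reason}")
```

Run as-is it reports only bob (three reasons: unapproved service, unmanaged device, large upload) and dave (unapproved service); alice's upload to the approved service from a managed device, carol's read-only request and erin's upload to a non-notetaking host produce nothing. The point of the allow-list split is that the same rule keeps a sanctioned, company-controlled service quiet while making personal or free-tier services visible, which is the distinction the assessment questions above turn on.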
If approved, configure the app securely, including single sign-on or, at a minimum, multi-factor authentication. Determine encryption and access permission settings and establish sharing protocols. Configure uploads, video, downloads, and other settings to match your requirements. Finally, if the app is used as part of a crucial business process, ask whether the vendor can recover the data in the case of a ransomware attack or other outage.
Ideally, personal notetaking apps should not be used to house sensitive business information, but this is hard to control. Ensure your employees understand their roles and responsibilities in keeping your data safe. This includes setting policies and procedures for using personal devices and for taking company notes on approved apps only, and ensuring employees know and understand these policies.
There is no perfect, one-size-fits-all solution to the notetaking app dilemma. The better defined your risk threshold and your risk profile, the easier it will be to determine the best notetaking app for your company.