Imagine the scene: you are sitting at your desk copying and pasting some new information into a company template. All the old content has been removed and the new detail has been entered. The document is ready to go and gets sent out as an email attachment. But stop! Do you know that the document you have just sent still contains all the confidential information you thought had been deleted? This invisible detail is called metadata.
In 2003 the UK Labour government made the fatal mistake of releasing a document that contained metadata, thus revealing information about the 'original author', who embarrassingly turned out to be a university student.
As we increasingly rely on Word documents and email as tools for collaboration and communication, the risks posed by metadata become increasingly apparent. The problem stems largely from a lack of awareness. Put simply, most people do not realise that using old documents as templates enables anyone to tap into the hidden layers of the document and expose the history of the text.
IT directors are fundamentally responsible for what leaves the office via electronic resources. With the ever-expanding nature of compliance regulations such as Sarbanes-Oxley and Basel II, IT directors have to be confident that the documents that leave the organisation comply with company regulations. It is unrealistic to expect the IT director to check every document that leaves the organisation, so the company relies on its workers to be aware of what they are sending out and of the potential security and legal implications of sending out documents full of metadata.
It is therefore important to educate people about the existence of metadata in order to protect corporate reputations. This month sees the arrival of the website Metadatarisk.org, developed as a public-benefit site offering information for IT professionals and business users interested in protecting their corporations from exposing confidential information. Metadatarisk.org provides information to help people understand the consequences of sharing certain types of information, the liability issues, and the risks to organisations of mismanaging this process.
Metadata can have a positive function when creating large documents. It can provide information on who has contributed to the document, any specific changes that have been made and information about the company, all of which is of great importance when considering key compliance areas such as access control, audit trails and archiving. But when this information is used against a corporation it can have potentially disastrous effects.
In the last few years the risk of metadata has risen exponentially with the increased use of documents and email. To prevent this issue increasing, the risks need to be highlighted. Metadata tools are readily available on the market, but the problem lies in distinguishing between good and bad metadata; hence the challenge is assessing the business process that sits behind metadata "breeding grounds". How do business users in your organisation share information? Where does responsibility lie for amending and sending business-critical information outside the firewall? How has your IT strategy tackled automated processes that impact document integrity? Metadata risk is a symptom of all these questions remaining unanswered. The solution will only come over time, with assessment and planning. However, to reduce the immediate risk, organisations need to take the minimal action of removing harmful metadata, whilst still preserving the good, before any document leaves the organisation.
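As an added illustration (not part of the original article and not any vendor's tool), the following Python example shows what a pre-send check for leftover document history can look like. It assumes the Office Open XML (.docx) format, where a document is a ZIP package of XML parts; the function names and the sample document are constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
IDENTITY_FIELDS = {"creator", "lastModifiedBy", "Company", "Manager"}

def audit_docx(data: bytes) -> dict:
    """Report identity properties, tracked changes and comments in a .docx."""
    found = {"properties": {}, "deleted_text": [], "revision_authors": set(), "comments": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part in names:
                for el in ET.fromstring(z.read(part)).iter():
                    field = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
                    if field in IDENTITY_FIELDS and el.text:
                        found["properties"][field] = el.text
        if "word/document.xml" in names:
            for el in ET.fromstring(z.read("word/document.xml")).iter():
                if el.tag in (W + "ins", W + "del"):  # tracked insert/delete
                    found["revision_authors"].add(el.get(W + "author", "unknown"))
                if el.tag == W + "delText":  # text the sender believes is gone
                    found["deleted_text"].append(el.text or "")
        if "word/comments.xml" in names:
            root = ET.fromstring(z.read("word/comments.xml"))
            found["comments"] = len(root.findall(W + "comment"))
    return found

def build_sample() -> bytes:
    """Constructed sample: a reused template that still carries its history."""
    w = 'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    parts = {
        "docProps/core.xml": '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>Previous Author</dc:creator>'
            '<cp:lastModifiedBy>Editor Two</cp:lastModifiedBy></cp:coreProperties>',
        "docProps/app.xml": '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument'
            '/2006/extended-properties"><Company>Example Corp</Company></Properties>',
        "word/document.xml": f'<w:document {w}><w:body><w:p><w:r><w:t>New offer.</w:t></w:r>'
            '<w:del w:id="1" w:author="Editor Two"><w:r><w:delText>Old client price: 40000'
            '</w:delText></w:r></w:del></w:p></w:body></w:document>',
        "word/comments.xml": f'<w:comments {w}><w:comment w:id="0" w:author="Editor Two">'
            '<w:p><w:r><w:t>Check margin</w:t></w:r></w:p></w:comment></w:comments>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Calling `audit_docx(build_sample())` reports the earlier author, the company name, the tracked deletion and the reviewer comment that would otherwise travel with the file. The standard-library XML parser is not hardened against maliciously constructed input, so this check is meant for an organisation's own outgoing documents.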
Joe Fantuzzi is CEO of Workshare (www.workshare.com)