In the past 10+ years I have not met a single organisation that does not work with external third parties in some form, e.g. cloud services, channel distribution, product development, legal. An NDA is usually signed. However, in the absence of a common method (technology) for securing shared content, does this actually restrict who you can work with, or the success, quality or speed of the activity's output?
When you sign an NDA you agree to retain and control the usage of confidential information. Around 80% of this is unstructured digital files or emails. It is difficult to deliver these securely and to have a legally binding way of tracking delivery and receipt of the secured information as defined within the NDA. In addition, some of this content may be of high value to you, and once you send it you have to trust the recipient to look after it. That is risky and potentially commercially damaging.
When you collaborate with individuals in other organisations you have no control over how they manage their IT (backup, encryption, data security, etc.). It is almost impossible to retain control of your digital content once it is stored within another IT environment, i.e. once 'it has left your building'.
Implementing common secure IT methods usually requires significant investment in specific technologies, networks and management. It is not simple to do, and it is prohibitively expensive for SMEs or small projects; even some of the largest companies in the world struggle to do it well.
We believe that many collaboration projects incur substantially increased management costs and expensive data breaches (loss of IPR) because there is no secure, data-centric security ecosystem that collaborating individuals can easily use.
1. Carry out a simple risk assessment of the data and digital content you are going to share or collaborate on.
In the UK we typically find that 80% of businesses do not have a policy or process for doing this.
2. Use PrivateSky, a free service for digital delivery and storage of content. This ensures every user has unique authentication and secure storage of content, with access via any HTML5 browser and full two-factor authentication. It lets you authenticate who you are dealing with and obtain a digital signature on every receipt of content.
3. Use PrivateSky for the initial file transfer, NDA signature, and any sensitive content, including content for which you may later want to revoke access.
4. For very sensitive data we propose Boole Server. Each party controls its own source content, creating and managing the access rights to it: watermarking, preventing photographing, printing, copying and forwarding, and controlling access to part of the content, e.g. a single paragraph of a Word document.
5. Use Boole Server to revoke usage when the relationship ends, i.e. to enforce the terms of the NDA.
1. A data-centric approach to security, i.e. less concern with storage, network and delivery. It is not a technical or IT design issue.
2. A lower level of internal operational IT management process is needed to engage with a third party, i.e. it can be managed by the 'data owners' and is easy to understand and use.
3. Improved relevance and use of the NDA, and the ability to work more confidently with sensitive content with third parties.
We have proposed two software/cloud services. Both are innovative.
PrivateSky is based on a certificate-less encryption technology service from www.certiVox.com. It provides a simple, practical approach to the key management problem. It is aimed at domain owners, i.e. end users rather than technical IT staff, so we believe it will be easy to adopt, and it requires zero IT footprint for end users. A free version exists, so there is no cost barrier to trying it.
Boole Server (www.booleserver.com) has been identified by Gartner Group as one of a new type of data-centric security product. It originated from a NATO project and is well placed to be adopted and used easily by domain owners, as it simplifies the whole process. It can be deployed on a very low-spec server or a hosted VM.
We anticipate that all parties could quickly engage and securely share content, confident that their data will be secure and available only to the individuals they have agreed to work with.
They will have a full record of what has been sent and received, and optionally an easy way to revoke access if anything was sent in error. The audit of receipt and digital signature is fully legally compliant. This means the NDA can be enforced and there is no ambiguity about what is confidential: all information sent using PrivateSky is 'confidential'.
The only reason to use Boole Server would be where the digital content is deemed so sensitive that it warrants it. Boole provides a practical method that reduces the management time spent organising around security risk, and gives easier and quicker turnaround when working on content with third parties.
Hypothesis: Someone will share more 'quality' information with you if they trust you more, i.e. trust that you will keep their content secure and safe. (Example: in pre-sales, if you engaged using PrivateSky, would the customer send you a completed confidential document with more 'background' data than if you asked them to do this via an email attachment?)
▪ Measurement: How will you measure the impact of your experiment?
1. Speed of response.
2. Objective and subjective assessment of responses versus a control group.
Choose a select group of one or more organisations with which the company already has an existing relationship.
Compare the experimental group to an existing partnership within the organisation that is working in the more traditional manner.
To test the business impact of acquiring better information using secure communication:
30 days: Identify volunteers within the organisation who have a specific project where they need to collaborate with one or more outside organisations, or teams/individuals who engage with clients or prospective clients and are seeking to gain more information about the outside organisation (for example, requesting new or more detailed data from the external organisation that is typically difficult to obtain using your existing process).
60 days: Have the technology set up and the ground rules for participation established and understood by both organisations. Begin collaborating using the new technology.
90 days: Measure the impact at an agreed checkpoint. What is the speed of collaboration? What is the health of the relationship? Have you managed to elicit more qualitative information from the external organisation? What is the impact of the process simplification and cost reduction of the new methods compared to the existing process?
Ian Stobie working with Gianvittorio Zandona.