Signatures, a weak link

by Mark Rowe

Security, risk and compliance – dealing with signatures, a weak link in the chain; by Ronan Lavelle, UK Country Manager, ARX.

Despite the vast amounts of time and effort that organisations spend on IT security, not to mention the associated risk and compliance processes, there are still some weak links in the chain. The issue of signature security is one of these potential failure points, but it has not received much exposure thus far despite its importance regarding signer identity and document integrity. After all, physical signatures and basic electronic signatures (for instance, scanned bitmap images) are very easy to copy, and the latter may not always stand up to legal and regulatory scrutiny, thus undermining many audit and compliance efforts.

Most organisations, regardless of industry affiliation or geographical location, still print out documents for signing. According to AIIM’s latest research, 48% of process documents are printed for the sole purpose of adding signatures, while for 26% of organizations this rises to over 80% of printed process documents. More than 3 days are added on average to most processes in order to collect physical signatures, and as much as a week or more for 22% of respondents. Considering these statistics, is it any wonder that 80.6 million tons of office paper, or about 24% of the UK’s total waste, is thrown away each year in the UK?

So clearly, apart from valid concerns about risk, compliance and security, the sheer time and costs involved make printing paper an unwieldy, old-fashioned way of working. Think of the wasted human resources and the expenses involved in printing, scanning and filing documents, not to mention the need to transport them to the people who need to sign them, wherever they may be. As an example, one of our prospects had to courier 20 kg of paper to a senior executive in Brazil, who then had to sign and return them to Europe via the same costly method. Plus, dare I say it, how many CEOs allow their personal assistants to cut and paste their signatures into documents, thus negating the real validity of that document should it be put to legal test?

Growth of digital signatures

But all that is changing slowly but surely. An increasing number of organisations are now turning to digital signatures in order to tighten up this vulnerable area of their business processes. Organisations that have invested in content management and business automation systems are finally coming to realize that having to print out documents undermines their plans to adopt truly paperless digital processes.

Industry analysts and organisations including AIIM, Forrester and Gartner are all pointing towards rapid growth in the digital signatures market due to the need to reduce transaction costs and the time to close business. In fact, the Forrester Wave™: E-Signatures Q2 2013 report defines signature automation as a “foundational technology along with records management, eDiscovery, and other content services” and notes that “enterprise architects should include (it) as part of an overall ECM and BPM strategy.”

This makes a lot of sense, since the right signature technology allows organizations to reliably automate their signature-dependent processes by plugging in the security and efficiency gaps that remain as they work on creating truly paperless enterprise processes. So it all sounds good, but what about security? That is understandably going to be high on anyone’s list of questions.

Digital signatures are inherently secure as they are the result of a standards-based cryptographic operation that takes place on a highly secure hardware appliance, located either on premises or in the cloud. The operation creates a coded message that binds the document and the signer and is unique to both of them. Importantly, documents that are being digitally signed do not leave the secure corporate environment.

Since they provide the highest levels of security, digital signatures are fast becoming the de facto choice for organizations that value their internal security and/or require compliance with external regulations.

By using PKI technology together with the organization’s own authentication mechanisms, digital signatures provide a fully secure and legally enforceable solution. Not only do they provide long-term proof of the signer’s identity and intent, as well as the integrity of the document as a whole and the signature in particular, they also make these parameters easy to validate using widely available tools such as Adobe Reader and Microsoft Office. Signed documents are kept within the organisation’s IT domain, and are never saved on any third party servers.
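To make the "binds the document and the signer" point concrete, here is an added example (not code from the article or from ARX's CoSign product): a detached signature over the SHA-256 hash of a document together with the signer's directory identity, verified against a trusted public-key directory. The signer names, keys and document text are constructed for the example; tampering with the document or relabelling the signature under another name both fail verification.

```python
# Added example (not from the article or ARX): a detached digital signature that
# binds a document's hash to a named signer, using Ed25519 from `cryptography`.
import hashlib
import json
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey, Ed25519PublicKey)

@dataclass(frozen=True)
class Signature:
    signer: str     # identity as listed in the organisation's directory
    doc_hash: str   # SHA-256 of the document bytes at signing time
    value: bytes    # Ed25519 signature over the bound message below

def _bound_message(signer: str, doc_hash: str) -> bytes:
    # Canonical encoding: signer and hash cannot be re-paired after the fact.
    return json.dumps({"signer": signer, "sha256": doc_hash}, sort_keys=True).encode()

def sign_document(signer: str, key: Ed25519PrivateKey, document: bytes) -> Signature:
    doc_hash = hashlib.sha256(document).hexdigest()
    return Signature(signer, doc_hash, key.sign(_bound_message(signer, doc_hash)))

def verify_signature(sig: Signature, document: bytes,
                     directory: dict[str, Ed25519PublicKey]) -> bool:
    """True only if the document is unchanged and the named signer's key verifies."""
    if hashlib.sha256(document).hexdigest() != sig.doc_hash:
        return False          # document altered after signing
    pub = directory.get(sig.signer)
    if pub is None:
        return False          # signer not in the trusted directory
    try:
        pub.verify(sig.value, _bound_message(sig.signer, sig.doc_hash))
        return True
    except InvalidSignature:
        return False          # signature forged or re-labelled

def demo() -> tuple[bool, bool, bool]:
    # Constructed signers; in practice the public keys come from the organisation's
    # PKI or directory (e.g. Active Directory) rather than being generated here.
    keys = {n: Ed25519PrivateKey.generate() for n in ("alice", "bob")}
    directory = {n: k.public_key() for n, k in keys.items()}
    contract = b"Supply agreement v3: 20 pallets at 120 GBP each."
    # Two people sign the same document independently (multi-signature, step 4 below).
    sigs = [sign_document(n, keys[n], contract) for n in ("alice", "bob")]
    all_ok = all(verify_signature(s, contract, directory) for s in sigs)
    tampered = verify_signature(sigs[0], contract.replace(b"120", b"12"), directory)
    # Claiming Alice's signature was Bob's fails: identity is inside the signed message.
    spoofed = verify_signature(Signature("bob", sigs[0].doc_hash, sigs[0].value),
                               contract, directory)
    return all_ok, tampered, spoofed
```

Running `demo()` returns `(True, False, False)`: both genuine signatures verify, the edited contract does not, and the relabelled signature does not.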

These features ensure that the organisation remains compliant with a long list of industry- and geography-specific laws and regulations. Plus, from a risk and audit perspective, digital signatures create a single repository that makes it easy to locate signatures in the future. Should a company be challenged to present evidence of when and who signed a particular document, then that information is easier to find than having to trawl through a variety of systems or, even worse, paper-based document archives.

Implementing secure digital signatures – ten best practice steps

So having demonstrated the benefits, what should organisations look for in signature automation systems? Here are some considerations to help guide readers in their decision-making process:

1. The system should ensure that the document is tamper-proof following the signing process, so that the signature is invalidated if anyone changes the document.

2. The solution needs to support the document-related enterprise systems and applications currently in use within the organisation – from Microsoft Word and Excel to Adobe Acrobat and AutoCAD, through to SharePoint, Oracle, OpenText and other ECM/DM systems.

3. The signers’ graphical signatures should be easily viewable to help with user adoption, because they make it easy to see if a document has indeed been signed.

4. Users need to be able to add multiple signatures to a single document, particularly in document intensive organisations (e.g. financial services and life sciences) where many people in different locations are required to sign the same document, often at different points in time.

5. Installation should be quick, and follow-on maintenance and support should be minimal, whether the system is cloud (virtual) or server (on-premises) based.

6. The system must comply with all the legal and regulatory requirements relevant to the organization’s geographical location and industry/sector affiliations.

7. The signatures need to be transportable so that they can be viewed and verified by any third party using widely available tools such as Microsoft Office and Adobe Reader in order to engender the same usability and trust that people expect from paper documents.

8. It should be very easy to sign up to the service and then to maintain the user directory, especially for larger organizations that have hundreds or thousands of users listed on management systems such as Active Directory.

9. The system should be easy to use for non-tech-savvy employees, requiring minimal training, and easy to administer for the IT team.

10. Return-on-investment (ROI) should be quick with gains coming quickly through cost reductions and time savings. As mentioned earlier, AIIM’s research indicates rapid ROI for digital signature systems, but this will of course vary.

Regardless of which system is chosen, one thing is clear: digital signatures have a lot to offer organisations, providing a rapid and easy-to-implement method to improve business processes and reduce wasted time and effort, as well as finally move towards a truly paperless efficient and secure environment.

For further information, download this free white paper: http://www.arx.com/resources/white-papers/10-Tips-for-Selecting-the-Best-digital-signature-solution.htm

About the author

Ronan Lavelle is UK Country Manager at ARX and brings 18 years’ experience in information, document, content, contract and workflow management technologies. ARX is the provider of CoSign, a digital signature solution with millions of signers at security-minded businesses, governments and cloud services. CoSign was recognized by Forrester Research as the ‘Strongest Digital Signature Solution’ in the Forrester Wave: E-Signatures, Q2 2013 report.

© 2024 Professional Security Magazine. All rights reserved.