In recent years, high-profile cases have shown how departing employees can turn into costly insider threats. For example, Tokyo police arrested a former SoftBank engineer accused of emailing confidential 4G/5G base-station designs from SoftBank to his new employer, Rakuten Mobile. SoftBank alleges the ex-employee used a personal email account on his last day to send over a hundred proprietary documents to Rakuten. This mirrors other incidents: in 2014, Toshiba and SanDisk sued SK Hynix after a former SanDisk engineer allegedly provided Toshiba’s flash-memory secrets to Hynix. These examples illustrate a harsh reality: document security can be breached from within if companies don’t apply strict content protection.
The Growing Insider Threat
CIOs and CISOs know that insider incidents are on the rise. IBM reports that 83% of organizations experienced at least one insider attack in the past year. Whether malicious or accidental, insiders have legitimate access to sensitive data (customer lists, product designs, financial reports, etc.), and once they extract files, traditional defenses often fail.
As Kiteworks points out, “once those recipients download and decrypt files, organizational control ends”. In other words, standard encryption stops external hackers, but it cannot prevent an authorized user from copying or emailing a decrypted file. For instance, a former employee with authorized access can simply forward or upload downloaded documents to a personal cloud – actions that go unnoticed by perimeter security. Such uncontrolled sharing (e.g. emailing files to personal accounts) is a common insider scenario. The result can be devastating: insider breaches often cost companies millions of dollars in losses and legal fees (one IBM report found many organizations faced $100K–$2M in costs from a single insider incident).
“Insider threats take an average of 85 days to identify and contain”, since malicious actions look like normal behavior. In practice, once a user legitimately opens a file, no firewall or VPN can stop them from copying or sharing it”
Content-Level Protection: IRM and DRM
To truly secure confidential data, companies must move beyond perimeter defenses and encrypt the content itself. This is where Information Rights Management (IRM) – a form of document security – comes in. IRM embeds access rules and encryption directly into each file. For example, Digital Guardian explains that IRM applies “a layer of protection to the data, providing protection that travels with your document everywhere it goes”. In practice, an IRM-protected document might require a special license to open, block downloads, or expire after a set time, regardless of where the file is stored.
Digital Rights Management (DRM) is a broader term for this class of technologies. DRM solutions use strong encryption plus policy controls to restrict how files can be used. Typical DRM features include disabling copy/paste, stopping printing or screenshots, setting viewing expirations, and even watermarking documents with user-specific info. For example, one DRM approach is to overlay a dynamic watermark (like the viewer’s name or email and timestamp) on every page, deterring someone from taking photos of the screen. In short, IRM/DRM means you encrypt the file and attach usage rules (view/edit permissions, expiry dates, revoke rights) so that protection persists even after a file leaves your network.
Best Practices for Document Protection
Enterprises should adopt multiple content-security tactics for sensitive files:
-
Use View-Only and Non-Download Modes. When documents don’t need editing, keep them in secure online viewers that block downloads and screen captures. For example, 689Cloud’s SecureDrive and SecureMail let you set files to view-only mode. This means an employee can review the content in their browser but cannot save or copy the file. By granting only view permissions (and revoking them immediately on termination), you prevent mass data exfiltration.
-
Apply Dynamic Watermarks. Embed user-specific watermarks (email address, username, date/time) on all viewed pages. Watermarks visibly identify the source of any leak, which deters employees from photographing screens. According to 689Cloud documentation, dynamic watermarks discourage unauthorized screenshots by overlaying each document with the viewer’s information and timestamp.
-
Track and Audit File Usage. Monitor every access: log who views, downloads, or opens a document. A secure file system records all activity so you can spot suspicious behavior (e.g. an unusual download by an engineer) and audit any breach. 689Cloud notes that “every file access is monitored—from online views and downloads to local openings—ensuring complete visibility of document interactions”. Maintain these logs for forensics in case of a leak.
-
Encrypt with IRM/DRM Controls. Even if a file must be downloadable, ensure it’s encrypted and bound by usage policies. With DRM-protected files, the content remains unreadable outside authorized apps. Use solutions that encrypt attachments or downloads and enforce policies (no copy/paste, limited printing, automatic expiration).
-
Secure Email Attachments. Treat email as part of your document security strategy. Use IRM-capable email tools so that attachments are not “free copies.” For instance, 689Cloud’s SecureMail replaces attachments with secure links and applies IRM to them. Only specified recipients can open the attachment, and any downloaded copy remains rights-managed (revocable, non-shareable). This ensures that sensitive documents sent via email stay protected and cannot be forwarded or opened by unauthorized parties.
-
Multi-Factor Authentication (MFA). Require MFA or two-factor authentication for all access to your secure file platform. Even if login credentials are compromised, MFA adds a barrier to accessing protected content. Every document request should be tied to a verified identity.
-
Immediate Revocation on Departure. Integrate your content security system with HR offboarding. The moment an employee leaves (voluntarily or not), immediately remove their file permissions. IRM allows you to revoke access in real time. For example, if a file was downloaded to a laptop, a good IRM system can force that file to become unreadable when the user’s credential is deactivated.
By combining these measures, organizations can greatly reduce the risk of data theft by insiders. As one security analysis notes, simply encrypting data isn’t enough—proactive controls like IRM are needed to close the “loss of control” gap once files leave corporate servers.
Solutions: SecureDrive and SecureMail
Modern secure file-sharing platforms build these practices in. For example, 689Cloud SecureDrive is a cloud file-sharing service with built-in IRM to protect enterprise documents. It lets companies set strict permissions on folders and files: only authorized users can access content, and access can be revoked at any time. SecureDrive’s features include encrypted storage, view-only modes, remote file revocation, document tracking, MFA, expiration dates, and dynamic watermarks.
Similarly, 689Cloud SecureMail secures email attachments: it replaces attachments with secure links and enforces IRM policies on any shared file. Only designated recipients can open the attachments, and even downloaded files are cryptographically protected from copying or forwarding. In short, these tools ensure data protection by treating the content itself as the last line of defense.
Conclusion and Next Steps
As business becomes ever more digital, protecting your documents and data against internal threats is essential. Companies must assume that threats come from both outside and inside. By implementing content security measures – view-only access, watermarking, IRM encryption, and strict access controls – you can shut down the easiest path for data exfiltration. The SoftBank case is a warning that one careless upload can lead to stolen trade secrets.
Take action today: evaluate your document security posture and consider an IRM-based solution. Learn how 689Cloud’s enterprise tools like SecureMail and SecureDrive provide robust data protection for email and file sharing. Our team can help you set up secure file sharing, enforce compliance, and prevent costly leaks.
🔒 Protect your documents now – Contact 689Cloud to request a demo of SecureDrive and SecureMail. Start securing your data against insider theft before it’s too late.