0

My boss truly believes that keeping files on paper and locked in his drawer is the safest place ever. He is the type of guy that processes a file in Word/Excel, prints it, deletes the file and stores the physical paper in his drawer. Also, he deletes (not archives) all of his emails after reading them. If it is important, he prints it.

While I can relate to that sometimes, there are a lot of arguments to which this may not seem like a good idea. Especially if we need to access those pieces of information (as a team) daily, which means that if he is not in the office, we cannot access the information.

For further context, we scanned one of these documents once so we could keep a copy. He freaked out when he found out.

He is also a very technical person, exploring details, who needs to understand why/how.

---

So, my question is:

How can I introduce my boss to computer file security, with file collaboration (or sharing) in mind, so he can maintain everything digitally but with a higher guarantee that it will not be stolen or anything?

---

I once tried to explain that Google Drive/Dropbox is a good idea but I lack the technical arguments why.

He has a Windows 10 computer, a company mail hosted on Gmail with two-factor authentication, and his personal phone (Samsung Galaxy S8) with WhatsApp. All of the rest is on paper.

---

He is also very methodical, so if there is a need to put passwords everywhere, he will do it. He is the type of guy that compromises User Experience for security.

Also, if there is a need for a local server, we can go for it as well.

Mani
RA828

3 Answers

4

... but I lack the technical arguments why ...

With such a position it is likely hard to convince your boss. And your boss is even probably right when arguing that what you want is weakening the security.

Digitally sharing data is usually not done because it is more secure, but because it is more convenient, allows faster work and collaboration etc. It is done because it reduces costs and increases efficiency. For a company it thus affects how competitive the company can be in the market.

It thus provides new chances, but it definitely adds significant risks too. And these risks are not so much that the provider (Google, Dropbox, ...) might steal the data, but that it is more likely for employees to accidentally share data or even full access to many critical data with the wrong ones, for example when they fall for credential phishing. It also means a new dependency on getting the digital infrastructure working against threats like ransomware or even simple hardware failures. Sufficiently understanding and also addressing these new risks is not trivial.

Thus the arguments should likely focus on the business value, i.e. how much more efficient the work can be done and how much more competitive the company can be. And that these chances outweigh the risks. But if this is really true in your specific environment and how you can prove this is up to you, since this is specific to your environment.

Steffen Ullrich
3

The security of the files -- while in storage -- is as good as the physical security of the building. The files are still vulnerable when your boss edits them, though.

The physical location can be the first argument. If the building becomes unavailable -- and that might be the case during a pandemic, when people are working from home -- access to the files is impossible. This impedes work.

Similarly, the files are only as safe as the building. Vandalism, natural disasters (fire, earthquake), war or insurrection* might make the building unavailable for some time or even completely destroy the building, thus making the files not only temporarily, but permanently unavailable.

This can be lowered by keeping a copy of the files off-site. That is something that is hard to do with physical files, but easy to do with digital data. Backups can use state-of-the-art encryption which can for all intents and purposes not be broken.

Thus, keeping digital copies of the files is good for the business -- it means disaster recovery or even mitigation like in a pandemic is easier.

Also, your boss keeping the files in the office makes it hard to access them. Having to physically go there to retrieve the files -- and only being able to do so when they are there -- slows down work and wastes time - time that could be used to create more value for the company.

Files that aren't on any device cannot be accessed by hacking. But they can still be stolen and accessed since they are plain text. A burglar cannot steal digital files if your IT systems are properly set up to have encrypted file systems, even when the burglar steals computers from the company's office.

The physical safety of the building might not be entirely in your hands, especially if your company only rents office space and doesn't own the building and employs their own security force. The digital safety of your assets is in your own hands. But that is both good and bad, because it also means you can do it horribly wrong.

It is thus a question of generating more value for the company by easing access to the files when they are in digital form vs. the loss of physical security of the files, but again vs. the availability in case of the building (and thus files) becoming temporarily or permanently unavailable.

Make your case about value and opportunities for the company, while assuring everything is done to keep the files reasonably safe.

Also, not all data is created equal. Maybe there is some sensitive data that doesn't need to be shared. But data that isn't as sensitive or needs to be shared regularly between people can benefit greatly from increased availability by digitalizing.

* yes, that can apparently happen even in the most stable of democracies

Polygnome
0

Automated encrypted remote backups, with periodic tests of those backups, might allow your business to survive a fire.

That's the only recommendation I can see that effectively improves the security of his work. It's indeed hard to hack paper. For more reasons why your suggestions do not improve security, please refer to Steffen Ullrich's answer. There are other well-known methods to improve your security, but I doubt their benefits would outweigh their costs, assuming you run a standard business.

A. Hersean