How Secure are Virtual Data Rooms? The Ultimate Guide to VDR Security
Did you know that so far in 2019, hundreds of millions of citizens have had their data compromised?
Data is extremely valuable to both companies and hackers, and the consequences of data breaches are far-reaching: negative PR, loss of revenue, and the legal fees associated with a breach. Compromised data can wreak havoc on a company.
Keeping data safe is of the utmost importance when trying to maximize synergies and grow businesses, but what is the best way to safeguard data?
Virtual data rooms (VDRs) can be a safe and effective way to store and share sensitive data. In fact, VDRs are said to lower the risk of information theft by a third party.
What are some of the key considerations when selecting the right VDR provider?
Of utmost importance is taking the time to thoughtfully investigate a VDR provider’s security certifications and features, which will help protect data while simultaneously allowing work to be conducted more efficiently around the clock.
What is a Virtual Data Room?
A virtual data room (VDR) is a cloud-based storage system, and virtual data room security relates to the certifications, user features, and encryption protocols that work to keep this cloud of data safe.
How Secure is a Virtual Data Room?
In general, VDRs are considered extremely secure. One of the top indicators of a virtual data room provider’s security is the type of certification it boasts. ISO 27081 is considered the premiere security choice for cloud storage systems.
ISO is the largest developer of international standards, and therefore, ISO certification is the most widely accepted certification in the world. An ISO-compliant VDR follows the guidelines set forth to protect Personally Identifiable Information (PII) in storage clouds.
More specifically, VDRs allow for the secure storage of information, secure file sharing with clients, and secure collaboration on files. Here are more details:
1. Secure information storage
VDRs allow for secure and efficient storage of information. In fact, according to entrepreneur.com “virtual data rooms have almost the same grade of security as high-level financial agencies like banks. With a VDR, you can be sure that your private information will not be affected by natural and manmade disasters, fire or flood.”
2. Secure file sharing with clients
Virtual data rooms allow for easy, centralized, and secure file sharing. This makes it a perfect tool for deal-making, as well as for real-estate, finance, legal services, and all other data sensitive lines of business. The central dashboard allows the administrator to determine who can access specific documents in the room. Room specific additional security features (which we will discuss below) also make this file sharing extremely easy and secure.
3. Secure collaboration on files
VDRs, especially those with more project management features, allow for increased collaboration due to heightened visibility and 24/7 access to files. Undoubtedly, real-time transparency and communication are invaluable in today’s fast-paced business world.
Can I Share Sensitive Information and Documents Using Data Rooms?
Storing and sharing data in a VDR is actually much safer than simply storing files on computers or sharing on a company server.
This is because the top VDR providers have advanced security certifications as well as other security related features. Below we discuss these security features and certifications.
What Features Make Virtual Data Rooms Secure?
- Strong encryption methods. Encryption is a method that encodes data before it is moved into a storage cloud. While data is usually encrypted as it moves to and from the cloud server, the document itself is not always encrypted. Fortunately, VDRs allow the document itself to be encrypted as well, thus increasing its security.
- Document permissions and restriction settings. The most secure VDRs will provide features such as “view only” so that data cannot be copied, shared, and/or printed without permission. Additionally, another document permission and restriction setting that can be helpful is the ability to share only a portion of a document with a team member and restrict him/her from other specific parts of a document. Ultimately, these features allow you to limit who is downloading, viewing, and saving sensitive content.
- Digital watermarking. Digital watermarking is the use of an embedded marker on the data (whether it be text, video, audio, or an image) to identify ownership of the data. There are two types of digital watermarking: visible and invisible. The benefit of digital watermarking is that it allows you to track who is downloading and printing information, which protects you from information leaks. The best VDRs have both dynamic and static digital watermarking.
- Two-factor authentication. Two-factor authentication requires you to provide not only a password to enter a data room, but also additional factual information and/or codes. This process helps reduce the chances of the wrong person entering the data room. Specifically, two-factor authentication keeps data safer than a regular password.
- The ability to check which IP, device, and location a user logs in with. This is a fairly standard, yet important, feature as it allows you to see where and when users are logging into the data room. This can also help protect against leaks and misuses of the VDR.
- Audit Logs. Audit logs provide analytics on all activity within the virtual data room. For instance, the audit log provides user specific information, as well as document activity.
- Single Sign On (SSO) Integration. SSO is a user authentication service that allows a user to enter one set of login credentials, such as a username and password, and be able to access multiple applications with those credentials.
- Maintains robust user support. Finally, you will want to consider the type of customer support and service the VDR company provides. Because many of the individuals utilizing VDRs are collaborating with stakeholders around the country or even the world, the work surrounding the VDR may never sleep, so you’ll want to find a provider with 24/7 support.
- Customizable NDA. This feature requires all the users who log into the data room to accept the NDA before they can access the documents.
What are Virtual Data Room Certifications for Security and Compliance?
- ISO 27081 Compliance. As noted above, ISO compliance means the VDR follows the guidelines set forth to protect Personally Identifiable Information (PII) in storage clouds. Specifically, ISO 27081 is considered the premiere security choice for cloud storage systems (vs. ISO 27001).
- FINRA Compliance. The Financial Industry Regulatory Authority aims to protect investors by making sure the security industry operates fairly. It is the largest independent regulator for all securities firms doing business in the U.S. and offers regulatory oversight.
- SOC2. Service Organization Controls relates to the secure handling of financial documents.
- Compliant with Safe Harbor's international privacy practices.
How to Choose a Secure Virtual Data Room?
While security is of the utmost importance, the following additional considerations will help you weed through the jungle of VDR providers (for investment banking, legal, private equity, and more) and identify a secure VDR that will truly support your business goals and needs:
- Define your needs and abilities
- Identify desired features
- Consider your budget
- Compare virtual data rooms
- Read the reviews
- Select VDR providers, check their sites and talk to support
- Check the provider’s security page
- Test software by free trial
1. Define your needs and abilities
Looking inward before turning outward to providers is essential. Failure to clearly define your company’s unique needs and abilities will make your VDR shopping much more cumbersome and can result in lost time and value for your business. The following questions and points of consideration provide a solid place to begin:
- How much storage do you need?
- What kind of files and documents will you be storing?
- What is your budget?
- Which team members will be using the data room?
- Will the entire company be using the data room?
- Will the VDR simply be used to store documents or will it serve other purposes?
- Will the use of the data room affect your work streams at all?
2. Identify desired features
VDR features tend to fall into the following categories:
- Permission Settings
- Document Management
- QA Feature
- Customer Support
3. Consider your budget
Similar to defining your needs and abilities before you begin shopping, setting a ballpark budget will also allow you to narrow your search and be more efficient. Most commonly, VDR pricing is based on the following:
- Number of users. Some providers only allow for an administrator and a few users, and each additional user can cost upwards of $100. As you shop, you will want to consider the number of users you will have (administrators and guests), as well as the number of users each VDR allows before additional charges apply.
- Storage size. Storage size pricing is not ideal for most users as this means the room charges based on the number of gigabytes (GBs) purchased. The overage charges for these rooms are historically high; however, if you have a small project with a limited number of text documents, this might work for you.
- Number of documents (also known as “per page pricing”). Although becoming a bit outdated, a per page pricing method is still used by many VDRs. This means they charge about 40-85 cents per page. Again, if you have a very small, well-defined project, this might work for you, but if you have a larger project or a project with unknown variables, per page pricing can often lead to additional charges and difficult, even compromised, decision making when it comes to what will go into the room.
- Available features. Different plans provide different features which can affect cost.
- A flat rate. Larger projects with many variables usually fit well with flat rate pricing. Oftentimes, this means the VDR provider will charge a monthly fee that includes unlimited pages, users, and data. This type of pricing can help with financial planning for your project, as well as help your company avoid surprise or overage charges. The current trend seems to be toward more VDR providers moving to a flat rate pricing model, but be sure to fully investigate what the flat monthly fee covers for each VDR you consider.
4. Compare virtual data rooms
Now that you have established your needs and price point, in order to effectively compare which virtual data rooms meet these criteria, you can use one of the following tools:
5. Read the reviews
Reading reviews is essential, but proceed with caution: many VDR providers pay for “fake reviews.” Writing peppered with spelling and grammatical errors is one sign that a review is fake. Another red flag is numerous five-star reviews (which are very rare, unless the company has paid for them).
With these tips in mind, to begin your review research, start by searching “Provider name + Reviews” in Google. Next, consider the following websites, which are considered credible in the industry (although we cannot guarantee that a fake review will not appear from time to time):
6. Select VDR providers, check their sites and talk to support
After you have been able to pinpoint a few well-reviewed M&A virtual data rooms that meet your needs, you must interact with the providers and their websites.
In speaking with the providers’ support teams, you will want to consider both the knowledge and helpfulness of the support staff as well as their response times. When considering the providers’ websites, keep in mind that these sites are in a sense previews of the product.
Specifically, how intuitive the website is often says something about how intuitive the product will be. Other considerations include: is the interface modern, is the site visually pleasing, and does the website offer any free materials that would be useful for your company and its users?
7. Check the provider’s security page
Building off of our previous step, it is imperative that you check the security page of the VDR providers’ websites.
8. Test software by free trial
An obvious last step is testing the VDR via free trial offers. Just as you would not buy a car you didn’t first test drive, don’t put your business’ data in the hands of a VDR you don’t test.
As you work through the trial, continue to make note of the VDR’s features and ease of use. It will be important for multiple members of your team to also test the virtual data room to see if it is a good fit for users of all technological skill levels.
VDRs are the wave of the present and future when it comes to sharing and storing data. They can be utilized for all data sensitive fields and can improve workflow and efficiency. With more and more VDR providers popping up, companies need to be informed as they shop this crowded market.
Furthermore, companies must be especially wary of free cloud based storage systems. While these systems may initially seem like the easy and cost effective choice, all it takes is for one email account to become compromised and the entire company's accounts become vulnerable to attack.
Similarly, when a server is hacked, all of the documents and data that have been on the server are now at risk. It is crucial for companies to be diligent and thoughtful in their investigations and selections of VDRs to assure the security of their data and sensitive information and, ultimately, to assure their business success.