Security-first collaboration applications built around zero-trust principles are called virtual data rooms (VDRs). They allow businesses to reduce data breach chances by 50% in the due diligence process, financial transactions, and other business activities. While offering impenetrable security features comparable to the world’s most protected banks, virtual data rooms are still prone to human error. As much as 74% of all data breaches involve a human element.
After this article, you will discover how to combat three human-related VDR security issues and protect your business against 71% of cyberattack vectors. You will learn how VDR security features work under the most common data breach scenarios and get a VDR selection checklist.
Assessing potential cyber threats and vulnerabilities
The most common data room security issues originate from low VDR skills. Insufficient VDR knowledge can lead to the following security gaps:
- Misconfigured access controls
- Download security issues
- VDR access gaps
Let’s see how each of these threats can be solved.
Misconfigured access controls
Virtual data rooms provide role-based access to in-app content. VDR admins have unrestricted access to VDR content and VDR settings while manually configuring access permissions for non-administrative users. Based on our observations, insufficient VDR administrative skills can lead to several security issues.
| Access controls | Specifics | Potential security threat |
| Folder permissions | Subfolders automatically inherit parent folder permissions. | An admin may cause a subfolder to inherit inappropriate permissions while moving folders across the content structure. |
| File permissions | When copied and pasted, files inherit permissions of the destination folder. | An admin may cause a document to inherit inappropriate permissions, exposing sensitive data to more users than intended. |
| User permissions | User permissions are assigned at the user group level. | Admins must ensure users with different permission requirements are invited in separate groups. Otherwise, admins risk exposing sensitive data to inappropriate users. |
✅ Solution:
- Safeguard data with user impersonation features. Double-check the permissions of VDR collaborators using “View As” mode.
- Determine collaborative roles in advance. Create collaborative groups based on previously established job roles and responsibilities. Populate user groups accordingly.
- Conduct risk assessment in data rooms. Review and adjust permissions while managing VDR content.
| Check our guide on how to set up a data room and manage access permissions successfully. |
Download security issues
VDR file download features may carry data breach risks if configured inappropriately on different access levels.
| Download functionality | Specifics | Potential security threat |
| Original download | The original download option removes all access restrictions on the downloaded file. | Admins may assign original download rights to inappropriate users. It will give them unlimited rights to sensitive data. |
| Encrypted download | The encrypted download option allows admins to revoke file access at a custom date or upon closing a data room. | Admins may forget to revoke access to saved files that are no longer required for work but contain sensitive info. It may give a malicious insider enough time to capture confidential data. |
✅ Solution for original download:
- Apply IRM security. Most VDRs support information rights management (IRM) security. It allows admins to retain control and revoke access to files saved on user devices. For this, admins must enable an encrypted download feature.
✅ Solution for encrypted download:
- Enable automatic access revocation. VDR solutions allow admins to set expiry dates for sensitive files. A user will not access an expired file even if it’s saved on their device.
VDR access gaps
Virtual data rooms prevent unauthorized users from content access through several mechanisms, including strong password policies and two-factor authentication. It helps mitigate the risks of sending sensitive information via email, as only authorized parties can open VDR sharing links. However, VDR authorization methods may also compromise security in data room.
| VDR access method | Specification | Potential security threat |
| Access via email and password | A user signs in using a strong password. | Employees may reuse passwords, exposing multiple accounts to a single data breach. A VDR account may be compromised in a data breach targeting a completely different account of the same user. |
| Two-factor authentication via SMS code | A user confirms an SMS code sent to their device. | Data encryption in VDRs doesn’t cover SMS messages. A skilled enough hacker can intercept a verification code and breach a VDR account. |
✅ Solution:
- Security awareness. Inform employees about the best electronic data room security practices and encourage them to use unique passwords for online accounts.
- MFA via authentication app. Use reliable authenticator applications with end-to-end encryption for 2FA keys stored locally and in the cloud.
Advanced security features in modern data rooms
Leading virtual data rooms provide the most advanced features to mitigate risks of mergers and acquisitions or any other deal or project. If a business implements VDR security features correctly, it can prevent up to 71% of data breaches and avoid up to $31.95 million of combined damage by initial attack vector. (Data taken from the IBM Cost of Data Breach Report).
| Strongest data breach prevention measures | Initial attack vector targeted | Combined percentage of all data breaches | Combined prevented data breach cost |
| 1. MFA 2. IP-based access 3. Single sign-on (SSO) | – Phishing – Compromised credentials – Social engineering – Business email compromise | 48% | $18.59 million |
| 1. Secure spreadsheet viewer 2. Granular access permissions 3. Dynamic watermarking | – Malicious insider – Accidental data loss or lost or stolen devices – Cloud misconfiguration | 23% | $13.36 million |
Below, we describe how the following VDR security features protect sensitive data under common data breach scenarios:
- Multi-factor authentication
- Single sign-on (SSO)
- IP-based access
- Granular access permissions
- Secure spreadsheet viewer
- Dynamic watermarking
Multi-factor authentication
Virtual data rooms offer multi-factor authentication (MFA) via SMS codes, authentication apps, and recovery codes. Two-factor authentication can stop 30% – 50% of attacks targeting login credentials.
| Scenario: 2FA prevents a phishing attack |
| Susan, an external auditor, was invited to the IPO project hosted in a virtual data room. Susan used a strong password and enabled MFA during registration. One day, Susan received an email from a VDR provider claiming that “all users must verify their credentials to improve secure file transfer protocols.” It was a phishing attack. The email contained a VDR logo and mimicked the VDR layout, so Susan didn’t suspect a phishing attack. She filled a fake form, handing her VDR credentials to cybercriminals. |
| Outcome |
| The attackers captured Susan’s credentials (the first factor). However, they couldn’t bypass the second factor, an authenticator app code. Susan noticed an unauthorized 2FA request and updated her VDR account password. |
Single sign-on (SSO)
As much as 52% of people reuse passwords for different accounts. It means a cybercriminal has a 52% chance to access at least one more account if they compromise one set of credentials.
Single sign-on (SSO) is the technology that allows users to log in to several applications using one set of credentials. However, SSO is different from just one strong password for all accounts. This technology uses a unique token for each authorization event, separate from individual account credentials. It prevents cybercriminals from accessing a VDR account using compromised passwords.
| Scenario: SSO blocks unauthorized access by compromised credentials and missing VDR-level MFA |
| Bob is a VDR project admin who hasn’t enabled VDR-level MFA. Bob invited Tom, a post-merger integration supervisor. Upon signing up, Tom reused his Slack password for a VDR account. Later, Bob configured an SSO integration and SSO-powered MFA. A few months later, Tom’s Slack credentials were compromised. |
| Outcome |
| Hackers would have easily entered Tom’s VDR account unless SSO had been in place. Since Tom used separate SSO credentials, hackers couldn’t access his VDR account using the password Top used upon initial VDR sign-up. |
IP-based access
IP-based access allows businesses to narrow the IP addresses eligible for VDR access. IP restrictions can stop attackers who manage to bypass the password, the second authentication factor, and even SSO.
| Scenario: IP restrictions prevent unauthorized access by compromised credentials and MFA prompting |
| Steve is a financial analyst working on the VDR project. Steve logs in to the system on his laptop with the following IP address: 192.168.123.45 (all numbers are imaginary).The project administrator approved Steve’s IP. One day, Steve lost their credentials to cybercriminals without knowing it. Attackers also triggered an MFA request on Steve’s mobile phone, and Steve accidentally confirmed it. The attackers attempted to log in to the VDR project from the following IP address: 203.120.45.78 (all numbers are imaginary). |
| Outcome |
| Although the attackers passed through the second authentication factor, they couldn’t log in to the VDR project using Steve’s account. The attackers’ IP address wasn’t on the list of IP addresses approved by the VDR project administrator. |
Granular access permissions
VDR solutions allow businesses to control the content access rights for particular user groups. With a granular level of access in place, users can only work with VDR content to the extent permitted by the administrator. This virtual data room protection measure minimizes human error in sensitive information handling.
| Scenario: Access controls prevent accidental or unsolicited file sharing |
| John works within a sell-side due diligence team. John’s task is to redact personal identifiable information (PII) in the company’s HR contracts. John can only access the “HR contracts” folder in the data room. John’s rights: Available rights: View, encrypted download. Unavailable rights: Upload, download original, print, copy. |
| Outcome |
| John can’t access other parts of the VDR, which reduces the risks of sensitive info exposure. John can’t leak HR contracts intentionally or unintentionally because encrypted files require authentication to be opened on user devices. |
Secure spreadsheet viewer
Spreadsheets enumerate 1.5 billion users, yet they are vulnerable to unsolicited sharing and fraudulent manipulations, especially from malicious insiders.
A secure spreadsheet viewer, a feature unique to the most advanced data rooms, enforces access controls to Excel files. It ensures that only selected users can access content in spreadsheets, such as PII, financial data, and formulas. In this way, it enables secure file sharing for financial services, the second industry by data breach cost ($5.9 million).
| Scenario: Secure spreadsheet viewer protects sensitive data from a malicious insider |
| Daniel is an accountant with access to financial data in the VDR project. He is an insider planning to sell M&A synergy projections to competitors. However, the VDR admin has applied the secure spreadsheet viewer with the following settings for Daniel’s collaborative group: – Disable formulas – Disable downloading – Disable copying, editing, and screen capturing |
| Outcome |
| Daniel opens the Excel file he wants to leak and discovers that sensitive formulas are hidden, and all actions except viewing are disabled. Daniel can’t realize his malicious intent. |
Dynamic watermarking
Watermarks are irremovable identifiers displayed on each page of the document. Many VDR solutions support dynamic watermarks that update in real-time. Watermarks deter users from unsolicited file sharing and track the file source if a leak occurs.
| Scenario: Watermarking deters unsolicited file-sharing and tracks the leak source |
| Mike is a business analyst in a VDR project. He is under an NDA and NSA. Mike has access to a VDR folder with sensitive stakeholder data. He hasn’t been promoted for eight years. So Mike decides to leak confidential documents to competitors to get revenge on his boss. |
| Outcome 1: Watermarks deter unsolicited file sharing |
| Mike opens sensitive files and checks the watermarks. The watermarks read the following: Project Eclipse, Mike Smith, mike.smith@companyeclipse.com, 12/06/2023, 4:58 P.M. (imaginary info).Mike realizes the watermark will instantly expose his identity, and he will be heavily penalized for breaching the NDA and NSA. He understands that punishment is inevitable and decides not to break stakeholder data confidentiality. |
| Outcome 2: Watermarks track the leak source |
| Mike shares sensitive files anyway. The company quickly tracks the source of leaked data and enforces a $100,000 NDA breach penalty on Mike. |
Data room compliance and legal considerations
Regular security audits for data rooms ensure a high level of compliance in data storage and processing. VDRs comply with the strongest information security standards, including but not limited to the following:
- ISO/IEC 27001. It defines frameworks covering all aspects of data security, including technological, organizational, human-related, and physical. It lists over 90 controls for implementation.
- HIPAA. It defines rules for the secure handling of medical data, including protected health information. HIPAA-certified businesses protect personally identifiable information to the highest standard.
- GDPR. It requires companies to apply privacy-by-design and privacy-by-default measures while handling sensitive documents. GDPR regulates the storage, access, transfer, and processing of EU individuals’ data.
- CCPA. It ensures data room privacy policies meet the California Consumer Privacy Act. CCPA-certified businesses allow customers to control access to personal data by businesses.
VDR security certifications help businesses meet data room regulatory compliance requirements while handling business info.
Role of user training in enhancing VDR security
One can’t successfully counter cybersecurity issues with security software exclusively. Effective virtual data protection also hinges on cybersecurity awareness, a crucial factor that defines how effectively your organization will use a virtual data room. This is where most organizations fail. As much as 56% of leaders surveyed by Fortinet believe their employees lack cybersecurity awareness, which is essential for robust virtual data protection. Meanwhile, the survey shows that 81% of cyberattacks come from phishing, passwords, and malware — the consequences of poor security training.
Therefore, training is critical when you begin using a virtual data room. It provides the following benefits:
- Better virtual data room security. It boosts your VDR skills and allows you to benefit from robust security measures to the maximum.
- Better productivity. It reduces learning curves for admins and regular users, boosting employee productivity. Skilled VDR users spend less time operating the system and managing files.
- Better accessibility vs. security balance. High VDR skills allow you to use 100% security potential without fearing that data-protecting features make it harder for users to access content. It ensures effective and secure collaboration.
| Secure virtual data rooms offer one-on-one live training sessions with VDR experts, VDR courses, detailed user guides, and dedicated project managers. |
Evaluating and choosing secure data room providers
Our practical knowledge shows that businesses are more likely to get satisfactory VDR experience if they carefully select VDR providers. Here are the top factors to focus on while selecting a security virtual data room.
| VDR selection criteria | Best examples |
| Advanced security features |
AES 256-bit encryption |
|
User access control |
|
|
MFA |
|
|
IP-based access |
|
|
SSO |
|
|
IRM security |
|
|
Dynamic watermarking |
|
| Collaboration |
Advanced Q&A workflows |
|
Full-text search |
|
|
Discussions and comments |
|
|
In-app messaging |
|
|
Full audit trail |
|
|
Drill-down reports |
|
|
Scheduled reports |
|
| Branding |
Brand logos |
|
Customizable colors |
|
|
Customizable agreements |
|
| Compliance |
ISO 27001 |
|
GDPR |
|
|
CCPA |
|
|
HIPAA |
|
| Reputation |
4-5-star ratings with a high review count |
| Subscription |
No-commitment free trial |
|
Unlimited secure storage of information |
|
|
Flat-fee monthly subscription |
|
| Customer support |
24/7 in-app live chat |
|
Live VDR training |
|
|
Dedicated project manager |
|
|
Help center |
|
|
VDR guides |
It’s also advisable to research VDR profiles for informed buying decisions. Professional vendor reviews consolidate helpful info about secure document-sharing features, billing options, reputation, etc. Below, you can check the top 5 VDR provider reviews.
iDeals
- Access controls
- Built-in viewer
- Full-text search
- Auto-indexing
- Customizable branding
- Advanced Q&A
- In-app live chat support 24/7
- 30-second chat response time
Intralinks
- Access controls
- Built-in viewer
- Full-text search
- Auto-indexing
- Customizable branding
- Advanced Q&A
- In-app live chat support 24/7
- 30-second chat response time
SmartRoom
- Access controls
- Built-in viewer
- Full-text search
- Auto-indexing
- Customizable branding
- Advanced Q&A
- In-app live chat support 24/7
- 30-second chat response time
Box
- Access controls
- Built-in viewer
- Full-text search
- Auto-indexing
- Customizable branding
- Advanced Q&A
- In-app live chat support 24/7
- 30-second chat response time
Citrix
- Access controls
- Built-in viewer
- Full-text search
- Auto-indexing
- Customizable branding
- Advanced Q&A
- In-app live chat support 24/7
- 30-second chat response time
Conclusions
- A secure virtual data room is the best tool for safe data governance.
- Although featuring bank-grade security, VDRs may be less effective when operated by employees with poor cybersecurity knowledge.
- Most common VDR security issues include phishing and misconfigured access to online documents and downloaded files.
- VDR technology complies with the strictest sensitive data handling protocols. If operated correctly, virtual data rooms secure data integrity from 71% of attack vectors.
- VDR training is mandatory for efficient usage and robust virtual data protection.
- Businesses should research VDRs and carefully inspect VDR reviews to maximize user experience.
