How to protect confidential documents

Using watermarks and DRM to safeguard confidential information & prevent sharing.

Why training is not enough to keep your confidential documents private and what you should be using instead of DLP, ERM, secure data room, or access control solutions.

Almost every business has some documents that must be kept confidential – whether it’s client information, internal procedures, contracts, or something as simple as the office layout.  This information could lead to legal, reputational, or physical damage should it fall into the hands of unauthorized parties.

It’s vital, then, that organizations do everything they can to prevent that from happening.  As well as doing what they can to prevent outside threat actors, they must stop employees from purposefully or accidentally leaking documents that are for internal use only.

There are three main ways to achieve this: training, watermarks, and secure document sharing solutions.

  The limitations of confidentiality training

Every organization should be training relevant employees how to handle confidential documents to safeguard them from leaks.  There must be clear guidelines surrounding the types of documents that are considered confidential, how to identify them, where to store them, and who they can be shared with.

Training such as this helps prevent accidental leaks from engaged employees.  However, it has its limits.  No employee can be 100% focused, 100% of the time.  Even with the best intentions, they will eventually slip up.  Malicious employees, meanwhile, will try to leak or sell documents no matter what you do.  Finally, there are some confidential documents that you’ll have to send outside of your organization – to lawyers, clients, etc.  At that point, the internal training you paid for is worth very little.

It’s clear additional measures are needed to prevent the unauthorized distribution of confidential documents.

  “Confidential do not distribute” watermarks

Watermarks are a popular way to remind users of their obligations when it comes to document security and safeguarding confidential information.  They clearly assert the status of the information so that there can be no misunderstandings.  Still, while static “do not distribute” watermarks are good at reminding well-meaning employees of their training, they do little to prevent intentional leaks.

Why use dynamic watermarks?

Dynamic watermarks can act as a deterrent as well as a reminder.  With them, you can display a person’s name and email address, as well as the date, time, and company.  This information is dynamically added when the document is viewed or printed without you having to create individual documents that are personally tailored to display this information.

As a result, anybody who leaks confidential information does so with the knowledge that it will be easily traced back to them.

Can you remove a watermark from a PDF?

Watermarks applied by Adobe Acrobat and other PDF editing tools can be trivially removed with the same tools they were created with.  Even Adobe’s permissions password, which is supposed to prevent unauthorized editing of the document, can be stripped in seconds by an online password remover tool.

This is a real problem.  Your watermark cannot act as a deterrent or reminder if users can remove it at a moment’s notice.  As the process requires little to no technical expertise, you may even find non-malicious users removing your watermarks because they make it harder to read the document.

When you apply a watermark with Locklizard Safeguard, dynamic or otherwise, it cannot be stripped.  As a DRM tool, Locklizard was built with security in mind.  Once you protect your document, users can only open it in the secure viewer application and cannot edit or remove the watermark.

  Applying a confidential watermark with Safeguard PDF writer

You can apply a watermark with Safeguard PDF Writer by following these steps:

  1. Right-click your PDF in Windows File Explorer and select the option “Make Secure PDF”.

    Creating a protected PDF

  2. Open the View Watermarks or Print Watermarks tab, depending on where you want to add it.  You can add both view and print watermarks with different text and images.

    Adding a text watermark

  3. Tick “Add Text Watermark” and enter “Confidential do not distribute” (or something similar).

    Adding a dyanmic watermark

    To add dynamic variables to your document, press the icon and select the ones you want to add.  When the document is viewed, these will be replaced with actual data.

  4. Press the “Aa” icon to change your font, color, and size.

    Changing watermark font size, style, and color

  5. Choose the watermark position via the dropdown and adjust the opacity slider.

    Changing the watermark position and opacity.

  6. Optional: Add an image watermark in the “Image Watermark” tab.

    Adding an image watermark to a document

  7. Press “Publish” to encrypt your document and apply the permanent watermark.

    Example of a dynamic confidential watermark applied to a document

  Controlling distribution with secure document sharing solutions

There are various solutions that claim to give you full control over who can view, edit, and share your documents.  Unfortunately, only a handful of them work.  A good secure sharing solution must be able to protect documents regardless of whether the recipient is on the internal network, at home, or in a public place.  One that provides secure, external document sharing is a must.

The main solutions on the market today are:

The first three options all have the same problem: they aren’t designed for sharing outside of the internal network or organization.  They may help with the “internal use only” use case (though they still have flaws), but they don’t cover the full spectrum of confidential document use and sharing.

  A word on “secure” data rooms

Secure data rooms claim to protect confidential documents even if you’re sharing them with an external party.  They provide you with secure space on a server that you upload documents to for external or internal parties to access via the web browser.

If only it were that easy.  There are various problems with this implementation:

  • The “secure” server space is usually protected by a password – which can be purposefully shared, socially engineered, or brute-forced.
  • You have to upload your documents to an external cloud server where you have no visibility over the protection process and can’t personally verify the security.
  • Once printing is allowed, users can print directly to a file (eg. Print to PDF), creating an unprotected copy.
  • It does not stop users from screenshotting and sharing the contents.
  • Many secure deal rooms decrypt content on the server, meaning it could be completely exposed in temp files should an attacker compromise the server.
  • Browser viewers can be manipulated with scripts or plugins to remove editing or printing controls.

In short, they still don’t solve the issues faced by DLP, access control, and ERM (Enterprise Rights Management) solutions – they can’t protect your documents from external parties.

  Digital Rights Management

Digital Rights Management (DRM) solutions like Locklizard are much better suited to keeping your confidential documents private and safeguarding information.  Locklizard is not only more secure than a full blown ERM (Enterprise Rights Management) system, it’s less hassle – requiring no configuration of policy, public key, or directory systems.

Instead, it takes a three-pronged approach: strong, AES 265-bit encryption, a licensing system to securely distribute keys, and the Safeguard Secure Viewer application to enforce editing, copying, and printing controls.

The process works like this:

  1. You encrypt a PDF on your local PC and add any DRM controls you want to enforce.
  2. Your protected PDF  is saved to your disk and a document record is created on the Admin System.
  3. You create a user account for each user you want to view your protected confidential PDF.
  4. An email is automatically sent to the user with a link to the Viewer and their license file.
  5. Once the Viewer is installed and the license file activated (clicked-on) it is registered to that device and cannot be registered elsewhere (unless otherwise specified).
  6. You control from the Admin System which protected documents each user can access.
  7. You distribute your DRM protected PDF just like any other file (email, file sharing site, etc.).

After this point, your confidential document can only be opened by someone who has authorization to view it.  Depending on your DRM controls, they’ll also be unable to screenshot, edit, print or copy it.  You no longer have to try to stop the document itself from being shared, because it will be completely unopenable by someone without the requisite license file.

As the license file can only be registered on a set number of PCs (which you decide), there’s no way to provide an unauthorized user access to confidential information short of manually typing it out.  Even this is made difficult with Locklizard, as the screen mask feature blanks out the document when it is not in focus.

  How to protect confidential information with Safeguard

Despite its advanced functionality, securing a confidential PDF only takes a minute.  Just follow the steps below:

  1. Right-click your PDF in Windows File Explorer and select “Make Secure PDF”.

    Create a protected PDF

  2. If you want to prevent printing of your document then click on the ‘Printing and Viewing’ tab and uncheck ‘Allow printing’.  If it is already unchecked, then you don’t need to do anything – users will not be able to print your confidential documents.

    Prevent printing of a PDF

  3. In the ‘Environment Controls’ tab, make sure ‘Disallow screen capture’ is selected and check ‘Add screen mask’.  This will prevent users from trying to screengrab PDF content, regardless of whether they’re using their official screenshotting tools (e.g. Windows Snipping Tool), or a third-party screenshotting or screen capture solution.  A mask (image) will also cover the content if focus is moved from the Secure Viewer window – so if users are intent on copying your information by typing it from scratch, then they will need to use another device to create the content.

    Stop screenshots of PDF content

  4. Optionally, you can restrict access to your PDF after a certain date by setting a date in the ‘Expiry & Validity’ tab.

    Add expiry to a PDF

  5. Press the ‘Publish’ button at the bottom of the dialog.  Safeguard will create an encrypted PDF (.pdc file) that only users authorized in the Safeguard admin portal can access.

  The best way to protect confidential documents

There are a lot of solutions that claim to keep your confidential documents private, but most are ineffective or take an inordinate amount of resources to set up and maintain.  You need a one-size-fits-all solution that can apply dynamic, irremovable watermarks while preventing unauthorized sharing both inside and outside of your internal network.

Locklizard Safeguard lets you:

  • Apply dynamic, irremovable watermarks that identify the user
  • Effectively prevent unauthorized sharing and opening inside and outside of your organization
  • Self-destruct confidential documents after they have been viewed or printed
  • Remotely revoke access to sensitive PDF files no matter where they are stored
  • Stop editing, printing, screen grabbing and more
  • Lock document use to certain devices and locations
  • Keep a log of who has opened and printed a document and from where

To protect confidential documents and safeguard your information, take a 15-day free trial of our DRM software.


What constitutes confidential information?

Confidential information can be any information that is shared with a limited number of people with the intention of remaining secret.  It can include anything from personal customer and employee information to contracts, proprietary technical information, marketing or business strategies, financial information, salary data, training manuals, and more.

Does encryption adequately protect confidential information?

No.  Encryption only protects data in storage or in transit.  As soon as the document is in use in its decrypted form the information can be shared with others and is therefore not safe.  A rights management solution is required to provide additional protection to prevent sharing and copying.

How to safely send confidential documents via email?
The only way to safely send confidential documents via email is to encrypt them first.  However, encryption alone does not protect them once the document has been received.  Unless you encrypt them with a DRM solution to provide additional copy protection, the recipient can pass the unprotected copy to anyone they like.
Where/how can I dispose of confidential documents?

The best way to dispose of digital confidential documents is to make them inaccessible with a DRM solution like Locklizard instead of destroying them.  Tracking down every copy of a document and its backups is a near-impossible task.  By ensuring that protection cannot be removed from a document and then removing access, you ensure they can no longer be viewed regardless of where they’re stored.

Is Google Drive safe for confidential information?

Google Drive should not be used for confidential information unless you take additional measures to protect your documents.  A PDF that is not encrypted or encrypted with ineffective password protection software like Adobe Acrobat can easily be extracted and have its information stripped.  To effectively protect confidential information on Google Drive you must use strong encryption and a solution that stops it from being opened, printed, or screen grabbed by unauthorized users.