How to secure your most critical documents

A behind-the-scenes look at Indigo Vault Docs, built to protect critical business documents against insider risk, AI leakage and post-quantum threats.

For years, many enterprise security programmes treated office documents as an output of “real systems” (databases, apps, and networks) rather than a primary asset class in their own right. We saw the reality as exactly the opposite. In day-to-day operations, the crown jewels of most organisations travelled as Word documents, spreadsheets, PDFs, and slide decks: forwarded, downloaded, copied into personal notes, pasted into chat, or dropped into AI tools. That’s why we built Indigo Vault Docs, a document security platform that protects a document not only at rest and in transit, but also while it is actively being used.

Why ‘documents-in-use’ became a board-level issue

Willis Towers Watson (WTW) has over 50,000 employees operating across 145 countries, supporting clients with risk and human capital challenges. In practice, that means large volumes of highly sensitive client data and trade secrets, often packaged into office documents for analysis, board papers, underwriting decisions, deal execution, or incident response.

What we kept running into was the “last mile” problem. Even when upstream controls are strong, with good identity controls, encrypted transport, and hardened endpoints, the moment a file becomes a portable object it tends to slip into the most permissive channels: forwarded to a personal address to “work on later”, saved to unmanaged storage for convenience, or shared with a third party who genuinely needs access but doesn’t share the same controls. That isn’t a moral failing; it is normal human workflow colliding with high-value information.

In 2017, through our work with Microsoft on its quantum computing programme, we confronted a specific long-term risk: harvest now, decrypt later. If an adversary can capture encrypted traffic today and later decrypt it with a sufficiently capable quantum computer, confidentiality has an expiry date. That observation reframed document security for us from a purely operational concern to a strategic, time-bound risk. It also had to account for human behaviour (accidental sharing, convenience-driven workarounds) rather than only external threat actors.

When we could not find a commercial solution that met the need, our CEO tasked us with building one.

Then AI put the issue into even sharper focus. As board attention shifted to AI risk, one message became clear: better document protection also means better AI protection.

The design goal: high protection without user friction

Our guiding principle was straightforward: make the secure path the easiest path. Instead of asking employees to classify, encrypt, and distribute documents through a specialist workflow, we present the solution as a familiar folder in Windows File Explorer. People save files where they already save files, while our platform applies policy, protection, and auditability automatically.

Under the hood, that “simple folder” required a ground-up re-architecture of document storage and control. We needed to protect documents in storage, in transit, and, critically, in use (the moment the file is opened, viewed, edited, or shared), while also supporting regulatory requirements such as data residency and records retention across our operating footprint. Our intent wasn’t to secure every file. It was to secure the small subset that represents outsized risk: the documents we cannot afford to leak, lose, or have tampered with.

We also learned early that the rollout matters as much as the cryptography. We started with a small number of high-impact use cases, partnered with the teams who owned them, and treated adoption as a product launch: clear “what goes in the vault” guidance, simple onboarding, and fast feedback loops when a control got in the way of legitimate work. The goal was to create confidence. Users should feel that placing a document in the vault makes their job easier, not harder.

What counts as ‘critical’

Our view is that the highest-assurance controls should be reserved for the files where the blast radius is extreme. In a mature end state, that may be under 10% of an organisation’s total documents. Examples include kidnap & ransom policy documentation (where disclosure can invalidate coverage and increase personal risk), merger & acquisition materials (where market sensitivity and regulatory obligations are paramount), and cybersecurity penetration test reports (which can function as a roadmap for attackers if mishandled).

To decide what belongs in that “critical” set, we use simple tests: if this leaked, who would be harmed and how quickly? If this were subtly altered, what decisions would change? And how long does this information need to remain confidential – days, months, or years? Those questions keep the conversation grounded in outcomes, and they help us avoid two failure modes: over-classifying everything and so overwhelming users, or under-protecting what truly matters.

The control plane: constraining what can happen to a file

The practical difference between a “secured file” and a “normal file” isn’t just where it is stored; it’s the set of actions that are permitted when someone opens it. Our approach is to apply multiple layers of protection by default, so a single mistake (or malicious act) does not become an incident. We also assume that controls will be tested in the real world, so we design for defence-in-depth rather than betting everything on a single gate.

• Identity-bound access: we bind document access to authenticated identity, so only explicitly permitted people can open a file, including protection against unauthorised administrative access.

• Controlled sharing by default: we constrain distribution to managed mechanisms rather than ad-hoc forwarding.

• Data leakage controls: where required, we can prevent copying, printing, screenshots, and screen recording.

• Application-level hardening: we can protect hidden rows, columns, or sheets in spreadsheets from being revealed.

• Time limits: we can set access to expire automatically.

• Remote revocation: we can withdraw permissions centrally at any time.

• Audit trail and alerts: we keep visibility into who accessed the document and when – enabling investigation, deterrence, and faster response.

AI changed the leakage pathway

Generative AI has added a new, low-friction route for sensitive content to escape: copy/paste into prompts, uploading documents for summarisation, or integrating files into assistants and plug-ins. Even where organisations set strong policy, the day-to-day temptation to “just drop the document in” is real. We treat AI leakage as another form of exfiltration from the point of view of document control. We aim to reduce the risk that critical content accidentally becomes part of an AI tool’s working set, index, or training exposure. In practice, that starts with controlling access to the file.

By default, we prevent AI from accessing critical documents and users from copying content into uncontrolled contexts, unless explicitly authorised by the document owner.

Looking ahead: post-quantum readiness is a migration, not a product

In the security community, the shorthand “Q-Day” is sometimes used for the point at which quantum capability makes widely used public-key cryptography no longer safe for protecting long-lived secrets.

Whether you believe that deadline is close or distant, the operational reality is the same: migration planning is required, inventory is required, and the work cannot be completed in a single quarter. Our message internally has been to start with pragmatic steps. Use established national guidance as a baseline, review how critical assets are protected end to end, and test controls in the workflows where sensitive files actually get created and shared.

If a document needs to remain confidential for years, we assume the clock is already ticking. That is why Indigo Vault Docs was built to be post-quantum ready.

Three document protection takeaways for security leaders

1. Treat documents as systems

If your most sensitive decisions live in Office and PDFs, the same rigour you apply to apps and databases must apply to files, especially at the moment they are opened and used.

2. Make the secure behaviour the default

Security that relies on perfect user choices will fail at scale; security that fits existing habits (like saving to a normal folder) can succeed.

3. Layer, shorten exposure, and audit

Combine preventative controls (access, sharing limits) with containment (anti-copy/capture, geo/time limits), and pair it with auditability so incidents are detectable and investigable.

As attackers industrialise exfiltration and defenders navigate both AI adoption and post-quantum transition, we’ve found the question is no longer just “can we encrypt a file in storage or in transit?” but “can we control what happens when that file is opened?”

In our experience at WTW, the real test of document security is not whether a file can be stored safely, but whether it can still be controlled when people actually use it.

Mark Beardall

Willis Towers Watson (WTW)

wtwco.com

You can protect your most critical documents with Indigo Vault Docs, the document management platform for now and the future.

For further information or to request a demo

email:  demo@indigovault.com

or visit www.indigovault.com