AIIM White Paper

Digital Signatures - making the business case

Sponsored by ARX

About the White Paper

As the non-profit association dedicated to nurturing, growing and supporting the user and supplier communities of ECM (Enterprise Content Management) and Social Business Systems, AIIM is proud to provide this research at no charge. In this way the entire community can take full advantage of the education, thought-leadership and direction provided by our work. Our objective is to present the “wisdom of the crowds” based on our 70,000-strong community.

We are happy to extend free use of the materials in this report to end-user companies and to independent consultants, but not to suppliers of ECM systems, products and services, other than ARX and its subsidiaries and partners. Any use of this material must carry the attribution – “© AIIM 2012 www.aiim.org / © ARX 2012 www.arx.com”

Rather than redistribute a copy of this report to your colleagues, we would prefer that you direct them to www.aiim.org/research for a free download of their own.

Our ability to deliver such high-quality research is made possible by the financial support of our underwriting sponsor, without whom we would have to return to a paid subscription model. For that, we hope you will join us in thanking our underwriter for this support:

ARX
855 Folsom Street, Suite 939
San Francisco, CA 94107
Tel: +1 415.839.8161
Website: www.arx.com

Process used and survey demographics

The survey results quoted in this report are taken from a survey carried out between 03 Oct 2012 and 05 Nov 2012, with 283 responses from individual members of the AIIM community surveyed using a Web-based tool. Invitations to take the survey were sent via email to a selection of AIIM’s 70,000 registered individuals. Respondents cover a representative spread of industry and government sectors.
Results from organizations of less than 10 employees have not been included, bringing the total respondents to 263.

About AIIM

AIIM has been an advocate and supporter of information professionals for nearly 70 years. The association's mission is to ensure that information professionals understand the current and future challenges of managing information assets in an era of social, mobile, cloud and big data. AIIM builds on a strong heritage of research and member service. Today, AIIM is a global, non-profit organization that provides independent research, education and certification programs to information professionals. AIIM represents the entire information management community: practitioners, technology suppliers, integrators and consultants. AIIM runs a series of training programs, including the ECM Master course.

www.aiim.org/training/ECM-Enterprise-Content-Management-Course

About the author

Doug Miles is head of the AIIM Market Intelligence Division. He has over 25 years’ experience of working with users and vendors across a broad spectrum of IT applications. He was an early pioneer of document management systems for business and engineering applications, and has produced many AIIM survey reports on issues and drivers for Capture, ECM, Records Management, SharePoint, Big Data and Social Business. Doug has also worked closely with other enterprise-level IT systems such as ERP, BI and CRM. He has an MSc in Communications Engineering and is a member of the IET in the UK.

© 2012 AIIM
1100 Wayne Avenue, Suite 1100
Silver Spring, MD 20910
+1 301 587-8202
www.aiim.org

© 2012 ARX
855 Folsom Street, Suite 939
San Francisco, CA 94107
+1 415.839.8161
www.arx.com

Table of Contents

About the White Paper
  Process used and survey demographics
  About AIIM
  About the author
Introduction
  Key findings
Drivers for Digital/Electronic Signing
  Signatures in Business
  Needless Document Printing
  Interrupted Processes
  Drivers for SharePoint
Adoption of Electronic/Digital Signatures
  Non-Adapters
  Technical Understanding
  Champions and Objectors
Characteristics of Signature Solutions
  Sourcing
  Management
  Functionality
  Two-Factor Authentication
Benefits and Return on Investment
Conclusion and Recommendations
  Recommendations
  References
Appendix 1: Survey Demographics
  Survey Background
  Organizational Size
  Geography
  Industry Sector
  Role
Appendix 2: Digital Signature Primer
Appendix 3: Open ended comments
Underwritten in part by
  ARX
  AIIM

Introduction

As more and more organizations adopt paper-free processes and automate their document-based workflows, the “wet ink” signature stands out as something of an evolutionary laggard. Electronic signing mechanisms have been with us for a long time, but their adoption has been slow. Some of this is due to a lack of trust on the part of legal counsel – despite progressive legislation to the contrary – and some is due to confusion between the different mechanisms and technologies involved. All too often it is because the business case is not sufficiently prioritized to push it up the IT to-do list.

However, as we rely more and more on electronic workflows and less and less on document exchange via post, fax or courier, the discontinuities and delays caused by physical signing have become harder and harder to ignore. As we have found in this survey report, when existing users make a cost/benefit analysis for the adoption of electronic signing, the payback period is consistently one of the shortest we have seen for any IT investment. Whilst analyzing simple document exchanges provides one dimension of cost-savings, removing the disruptive and delaying effects of physical approval sign-offs within otherwise time-efficient electronic processes generally adds a much bigger benefit.

As we described in “The Paper Free Office” [1], replacing space-hungry, slow and unresponsive processes with electronic workflows has huge benefits, particularly as businesses look to become more diverse and more mobile.
However, paper can easily creep back in if we let it. Printing documents to collect signatures is still very prevalent even in otherwise paper-free environments, slowing things down and clogging up desks.

In this report, we look at the drivers for electronic signing, the general understanding of the different technologies, the issues that might be preventing adoption, and the ROI that is being achieved by users. We also track changes from our previous survey in 2010.

For those needing a technical and legal appreciation of the differences between electronic signatures, and digital signatures based on Public Key Infrastructures (PKI), please refer to Appendix 2 and References 2-7.

Key Findings

ROI
The payback period is consistently one of the shortest we have seen for any IT investment:

- 81% of existing digital signature users have seen a payback within one 12-month budget cycle. 25% saw ROI in three months or less.
- The two biggest benefits are saving of staff time and speeding up the approval process. Saving of paper-handling costs comes next, particularly courier charges.

Drivers
Major process interruptions and delays due to employees still signing with pen and paper

- Authorization signatures are considered essential for 58% of responding organizations. Over half need to bring travelling, remote or home-based employees into the signing loop. 40% need signatures from people outside the organization.
- For 44% of organizations, half or more of their processes are interrupted by the need to collect physical signatures. The average across all respondents is that 42% of processes are interrupted.
- On average, 3.1 days is added to most processes in order to collect physical signatures. 22% of organizations add a week or more to their processes.
- 48% of process documents are printed for the sole purpose of adding signatures. For 26% of organizations, this rises to over 80% of printed process documents.
- 60% of respondents admit that they frequently print and sign documents and then scan them back in to their DM/ECM system. 64% frequently print, sign and file manually. 33% regularly print, sign and courier documents.
- On average, 2.1 additional copies are printed of each process document in order to collect signatures. 32% create three or more copies of each process document.

Adoption
35% of organizations have already automated their signature-dependent processes

- 35% of organizations who have answered the survey are already using digital/electronic signatures, up from 24% in the 2010 survey. A further 11% have plans in the next 12 months.
- Self-managed in-house digital signature (PKI) solutions are the most popular with existing users, but planned users are evenly split between this and server or appliance-based PKI systems. 30% are using non-PKI solutions.
- Lack of familiarity with the technology is the most tangible reason for non-adoption, as it was in the previous survey. 35% still report general unfamiliarity with legal admissibility and industry specifics, 40% don’t really understand digital signatures and PKI mechanics, and half are confused about encryption and the issues of self-certification.
- Lack of priority and the perceived lack of financial return feature highly as reasons not to adopt. Difficulty of working outside the firewall with external partners and customers is ranked as number three.
- Process owners and signers are the most keen to adopt. Compliance/Records Managers and Finance are mostly in favour. Lawyers and auditors are not so keen. The IT staff have the biggest influence but are somewhat ambivalent.

System Characteristics
Highest ranked features: signing multiple file types and managing signatures through Active Directory profiles

- 46% of user organizations have 50 signers or less.
  A quarter have more than 500. 45% are using an in-house-developed management interface or are managing individual certificates. Only 19% are managed through Active Directory.
- Two-factor authentication is used in 45% of organizations. Mostly numeric key fobs at login time, but also iPads or other tablets at signing time.
- Existing users look for the ability to sign multiple file types, and for one-click sign-and-encapsulate functions. It is also important that multiple signatures can be added to already signed and sealed documents.
- Managing signatures as part of Active Directory profiles is important, as is batch signing of documents in SharePoint. Approving workflow processes or forms with non-refutable signatures is particularly important for SharePoint users.

Drivers for Digital/Electronic Signing

Signatures in Business

Unsurprisingly, the importance of signatures has not changed at all since our previous report in 2010, with 81% of respondents considering them to be very important or essential within their regulatory environment. Industry sectors of Government, Healthcare, Pharmaceutical and Banking and Finance place the highest store on signatures for their day-to-day activities. This also reflects a higher dependence in larger organizations (66% essential) compared to smaller ones (49% essential).

Figure 1: With regard to the regulatory environment or standard business practices in your industry, how important are authorization signatures within your organization? (N=263)
[Bar chart. Categories: Essential; Very important; Somewhat important; Not that important]

When it comes to why and where signatures are used, internal compliance, external regulation, and authorizations for contracts or payments are prevalent.
60% have a strong legal requirement for signatures.

Figure 2: For which of the following needs are authorization signatures considered essential in your organization? (Tick all that are significant) (N=262)
[Bar chart. Categories: Internal compliance; Required by regulations; Authorization for action or payment; Contracts with 3rd parties; Required by law; Consent/agreement by customers, patients, citizens, etc.; Professional authority (doctors, inspectors, etc.); Health and safety]

When analyzing the use of signatures, it is important to consider the process as a whole rather than just the document or form that is used as the carrier for the signature. On average, around half of the processes need signatures at some point, but in some organizations almost all processes require an authorization signature.

Figure 3: What percentage of the main business processes/documents in your organizational unit would you say require authorization signatures? (N=260)
[Bar chart. Categories: 10% or less; 10-20% of processes/docs; 20-30% of processes/docs; 30-50% of processes/docs; 50-70% of processes/docs; 70-80% of processes/docs; 80% or more. Average: 42.4%]

Even quite small businesses will have a few authorized signers who formally sign documents two or more times a day. In larger organizations the number rapidly grows to many hundreds of people, signing thousands of documents a day.

It is increasingly the case that the managers who need to sign-off documents or processes are frequent travellers, or may be based in remote or overseas offices, and this creates problems for over half of our respondents. Distributing the documents electronically is not an issue these days, but collecting a physical signature is, and as we all get more connected, any delay in an authorization response becomes less and less acceptable. Forty-two per cent would also like to include customers and clients in the loop.

Figure 4: As part of your main business workflows, who of the following are required to sign and return documents or approve your process steps? (N=256)
[Bar chart. Categories: Local managers and employees; Senior executives who frequently travel; Employees in remote/overseas offices; Field-based staff; Partners, suppliers or sub-contractors; Customers or clients; External authorizing professionals]

Needless Document Printing

Half or more of the printed process documents are printed just to add a signature in the 48% of organizations without digital signature solutions. Averaging the figure over all non-user organizations, 48.2% of all process documents would not need to be printed if a digital signature system was in place. See figure 5.

Wherever the signer is located, if documents have to be printed, posted, faxed, physically signed and rescanned, this adds costs, delays and staff inefficiencies.

Figure 5: Considering the documents that are printed out as part of your formal approval processes, what proportion would you say are printed for the sole purpose of adding one or more signatures? (N=153 non-users)
[Bar chart. Categories: 10% or less; 10-20% of docs; 20-30% of docs; 30-50% of docs; 50-70% of docs; 70-80% of docs; 80-90% of docs; 90% or more. Average: 48.2%]

We also found that on average, 2.1 additional print copies, photocopies or fax copies of each process document are likely to be needed in order to collect signatures. For a third of organizations it is three or more additional copies – all of which need to be handled, distributed and filed.

Other wasteful practices include the 60% who frequently print born-digital documents for signature and then scan them into a document management or ECM system, including 30% who do this every day.

To beat postal delays, 33% admit to regularly printing, signing and then couriering documents, with the associated costs and delivery difficulties. Just looking at Figure 6, and thinking of all the unnecessary handling costs involved, shows how this simple aspect of business creates so many inefficiencies.

Figure 6: In your organizational unit, how frequently are documents: (N=153, non-users)
[Stacked bar chart. Rows: Printed, signed and scanned in to a DM/ECM system?; Printed, signed and filed manually?; Printed, signed and couriered?; Printed, signed and fed into the fax machine? Legend: Every day; Often; Occasionally; Never]

Interrupted Processes

We also asked non-users what proportion of their electronic or scanned document workflows are interrupted or prematurely completed by the need to collect physical signatures. For 44%, half or more of their workflows are impacted. This is a rise of 4% since the last survey, indicating general progress towards more paper-free processes, despite that final hurdle of the signature placement. On average, 42.3% of processes are slowed down.

Figure 7: What proportion of your key processes would you say are interrupted, slowed down or prematurely completed by the need to collect physical signatures on paper? (N=153 non-users)
[Bar chart. Categories: 10% or less; 10-20% processes; 20-30% processes; 30-50% processes; 50-70% processes; 70-80% processes; 80-90% processes; 90% or more. Average: 42.3%]

Looking at the extent of the slowdown, 65% think at least a day is added to their processes in order to collect physical signatures. For 22% it’s a week or more. The average is 3.1 days. Just in terms of business agility, this is a serious issue, but if reflected into customer response, it indicates a major opportunity for improvement.

Figure 8: How much time would you say is generally added to a typical formal approval process as a result of this physical sign-off? (N=151)
[Bar chart. Categories: A few hours; Half a day; 1 day; 2-3 days; One week; Two weeks; More than 2 weeks. Average: 3.1 days]

Drivers for SharePoint

Only one in four SharePoint installations are used to manage documents or processes that need approval. Two thirds of the organizations in our survey use SharePoint in some way, but in more regulated industries, its use tends to be relegated to team collaboration and intranet portals.

SharePoint is relatively straightforward to use for many workflow processes including staff claims, purchase requisitions, project reports, etc. Generally, a tick box is used to indicate approval, relying on the login password for authentication.

As applications become more business critical, processes which are part of a regulatory regime or with legal implications are increasingly likely to find their way onto SharePoint. At that point it is important to have a more rigorous sign-off mechanism. Despite the ready availability of off-the-shelf digital signature solutions that readily integrate with SharePoint, IT departments may be tempted to create their own. They should be careful when creating or incorporating less standard electronic signature solutions to ensure that an auditable security regime is maintained. Manual PKI solutions should also be approached carefully due to ease-of-use and scaling issues.

69% of the organizations surveyed have a need to add multiple signatures to documents in SharePoint, generally in a specific order. 40% need to add a non-refutable signature to a workflow process or form approval, and 34% are using InfoPath forms that need to be signed. Users are also keen to sign off batches of documents in one operation, or to sign off list items on a per item basis.

Figure 9: Do you have any of the following requirements within SharePoint? (N=62, excl. 175 “None of these, N/A”)
[Bar chart. Categories: Adding a single signature within a document; Adding multiple signatures to a document in a specific order; Signing multiple documents in one operation (batch signing); Signing a document automatically upon a certain trigger; Adding a non-refutable signature to a workflow process or form approval; Signing off on list items on a per item basis; Signing an InfoPath form with single/multiple signatures]