In last week’s newsletter, I wrote about using secure file transfer tools as a complement to your enterprise e-mail system to offload large file attachments from e-mail. The primary focus of that newsletter was how to relieve the bandwidth-hogging pressure of handling large files via e-mail. This week, I want to talk about the need for securing those files.
This discussion is made all the more urgent following the publication of an article in the Wall Street Journal entitled Ten Things Your IT Department Won’t Tell You. As I covered in my blog, this irresponsible article infuriates me because the author suggests that workers should ignore the policies and procedures that IT departments create to keep the corporate computing environment safe and productive.
One of the many bad pieces of advice dished out by the Journal article is that employees who find they can’t send or receive large files through their corporate e-mail system should use a free online service instead. Now I personally have nothing against these free services offered by YouSendIt, SendThisFile and Carson Systems. Those companies provide a necessary and valid service…for consumers. However, I don’t think these services should be used for corporate information because of security and compliance concerns.
Of course, for an employee who simply must get a large file to another employee or to a client or partner in the most expedient way, security and compliance are not likely to be big concerns. Instead, getting the task done (i.e., sending the file) is his top interest. That’s why it’s incumbent upon the IT department to provide a file transfer tool or service that is easy to use while at the same time secure and compliant with data handling policies.
Why should companies care about securing files during a file transfer process? Not only is there the potential for a costly data breach, but there are requirements mandated by Sarbanes-Oxley, HIPAA, GLBA and other regulations that dictate the handling of sensitive files. An organization in violation of these mandates can face hefty fines.
About a year and a half ago, Osterman Research conducted a survey on file transfer and data security issues on behalf of Accellion, a manufacturer of a secure file transfer appliance. My company had the opportunity to analyze the results of the survey, and what we learned is not really surprising.
At the time of the survey (March/April 2006), 60% of the respondents acknowledged using file transfer processes that could be considered high-risk or insecure. These processes include the use of e-mail attachments, non-secure FTP, hosted file transfer services, CDs/DVDs, USB thumb/flash drives, and pcAnywhere. It shows that employees will use any means at their disposal to send large amounts of digital information to other people. Convenience trumps security.
What constitutes a high-risk or insecure file transfer process? Any one or a combination of the following:
* The unencrypted file can be accessed by people other than the intended recipient.
* The file traverses an unsecured communication medium that is outside your infrastructure or control.
* There are no means for determining who has accessed the file during transport or while awaiting delivery (i.e., no audit trail).
* There is no way to know if the file integrity is intact if, for example, the file transfer process aborts before it is completed (this is common with FTP).
* There are no means to control the lifecycle of the file – how long it is available to the recipient, when it should be deleted, etc.
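To make the last three points concrete, here is a small added example (not code from the original newsletter or from any vendor mentioned in it) of what a transfer tool must do on the receiving side: check a sender-supplied manifest of size and hash so a transfer that aborted part-way (the FTP case above) or was altered in transit is detected rather than silently accepted, honour an expiry time, and write an audit record for every check. The manifest format, file name and timestamps are constructed for illustration.

```python
import hashlib
import json

# Constructed example: the sender publishes a manifest alongside the file so the
# recipient can verify it independently of whatever medium carried it.

def make_manifest(data: bytes, filename: str, ttl_seconds: int, now: float) -> dict:
    """Describe a file (size, SHA-256, expiry) so the recipient can check it later."""
    return {
        "filename": filename,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "expires_at": now + ttl_seconds,   # lifecycle: not usable after this time
    }

def verify_transfer(received: bytes, manifest: dict, now: float, audit_log: list) -> str:
    """Return 'ok', 'expired', 'truncated' or 'corrupted'; always append an audit record."""
    if now > manifest["expires_at"]:
        status = "expired"
    elif len(received) < manifest["size"]:
        status = "truncated"   # aborted transfer: fewer bytes arrived than declared
    elif hashlib.sha256(received).hexdigest() != manifest["sha256"]:
        status = "corrupted"   # right length but the content does not match
    else:
        status = "ok"
    # audit trail: who-checked-what can be extended with a user id from the directory
    audit_log.append({"file": manifest["filename"], "bytes": len(received),
                      "status": status, "checked_at": now})
    return status

if __name__ == "__main__":
    log = []
    payload = b"quarterly-results.xlsx contents " * 1000   # constructed sample file
    m = make_manifest(payload, "quarterly-results.xlsx", ttl_seconds=3600, now=1_000_000.0)
    print(verify_transfer(payload, m, now=1_000_100.0, audit_log=log))         # ok
    print(verify_transfer(payload[:-17], m, now=1_000_100.0, audit_log=log))   # truncated
    print(verify_transfer(payload, m, now=1_004_000.0, audit_log=log))         # expired
    print(json.dumps(log, indent=1))
```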
The enterprise-level file transfer solutions I discussed in last week’s newsletter all place a priority on addressing security and compliance concerns. These products and services build in critical features like automatic file encryption, lifecycle management, virus-checking, SSL or HTTPS data transmission, and audit trails.
Providing your users with a secure file transfer solution doesn’t have to be costly or complicated. Many of today’s solutions are easy to set up and maintain, and they integrate with your enterprise e-mail system and directory services. They are easy for end users because they have Web-based interfaces or even can be invoked from within an e-mail message, allowing for ad hoc use as needed.
If users have no alternative means for attaching large files to e-mail messages, they’ll use whatever means are at their disposal, and this can pose a security risk. Even the Journal article – with its inherently bad advice – acknowledges this by saying, “Because these [consumer-oriented file transfer] services send your files over the Web, they’re outside of your company’s control. That makes it easier for a wily hacker to intercept files during their travels.” That can’t be good for anyone except the hacker.