- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
The CIO-level business angle on the latest tech
Network World - In last week’s newsletter, I wrote about using secure file transfer tools as a complement to your enterprise e-mail system to offload large file attachments from e-mail. The primary focus of that newsletter was how to relieve the bandwidth-hogging pressure of handling large files via e-mail. This week, I want to talk about the need for securing those files.
This discussion is made all the more urgent following the publication of an article in the Wall Street Journal entitled Ten Things Your IT Department Won’t Tell You. As I covered in my blog, this irresponsible article infuriates me because the author suggests that workers should ignore the policies and procedures that IT departments create to keep the corporate computing environment safe and productive.
One of the many bad pieces of advice dished out by the Journal article is that employees who find they can’t send or receive large files through their corporate e-mail system should use a free online service instead. Now I personally have nothing against these free services offered by YouSendIt, SendThisFile and Carson Systems. Those companies provide a necessary and valid service…for consumers. However, I don’t think these services should be used for corporate information because of security and compliance concerns.
Of course, for an employee who simply must get a large file to another employee or to a client or partner in the most expedient way, security and compliance are not likely to be big concerns. Instead, getting the task done (i.e., sending the file) is his top interest. That’s why it’s incumbent upon the IT department to provide a file transfer tool or service that is easy to use while at the same time secure and compliant with data handling policies.
Why should companies care about securing files during a file transfer process? Not only is there the potential for a costly data breach, but there are requirements under mandate by Sarbanes-Oxley, HIPAA, GLBA and other regulations that dictate the handling of sensitive files. An organization in violation of these mandates can face hefty fines.
About a year and a half ago, Osterman Research conducted a survey on file transfer and data security issues on behalf of Accellion, a manufacturer of a secure file transfer appliance. My company had the opportunity to analyze the results of the survey, and what we learned is not really surprising.
At the time of the survey (March/April 2006), 60% of the respondents acknowledged using file transfer processes that are potentially considered to be high-risk or insecure. These processes include the use of e-mail attachments, non-secure FTP, hosted file transfer services, CDs/DVDs, USB thumb/flash drives, and pcAnywhere. It shows that employees will use any means at their disposal to send large bits of digital information to other people. Convenience trumps security.
What constitutes a high-risk or insecure file transfer process? Any one or a combination of the following:
* The unencrypted file can be accessed by people other than the intended recipient.
* The file traverses an unsecured communication medium that is outside your infrastructure or control.
* There are no means for determining who has accessed the file during transport or while awaiting delivery (i.e., no audit trail).
* There is no way to know if the file integrity is intact if, for example, the file transfer process aborts before it is completed (this is common with FTP).
* There are no means to control the lifecycle of the file – how long it is available to the recipient, when it should be deleted, etc.