In the vast majority of cases,
corporate data breaches are caused inadvertently by well-meaning employees as they exchange data with customers, vendors, and partners. As a result, ad hoc file transfer security has become a critical concern for Information Security departments at leading companies. Let’s take a look at some of the major concerns:
FTP Replacement
As long as you know the location of the file and the sign-on information for the appropriate server, FTP, or file transfer protocol, is one of the easiest ways to move files from one machine to another. While it’s fairly safe to use FTP practices internally, using this method across an unsecured Internet connection makes the file vulnerable to interception by hackers and corporate information thieves. To protect their electronic resources, companies should provide their employees with easy-to-use tools that encrypt the data before transmittal and provide secure pipes for the actual data transfer.
Email Attachment Management
While most companies have monitored incoming email for spam, malicious code, and other issues for years, many are just beginning to see a need to monitor outgoing email messages as well. Some estimates report that about 80% of information leaks go out through email messages. In some cases, the issue is caused by simple mistakes like entering the wrong email address, but other examples point to outright corporate espionage conducted by insiders passing confidential information to a competitor. The latter breach is often caused by an employee using their private email account through their employer’s Internet connection. The use of filters and other automated processes in addition to the implementation of a strict set of security policies can detect and prevent the majority of email data breaches.
The Importance of Not Putting Files in the DMZ
When non-technical users become frustrated with trying to transfer a file to a customer, they may be tempted to simply put it in the DMZ. Once the data is on the other side of the firewall, it solves the problem for the individuals trying to share information, but it causes a much larger problem for the corporate entity. At this point, the data is left wide open to the entire online world without any protection at all. Any hackers who have been targeting the company or who are randomly trolling TCP/IP addresses could intercept the data just as easily as the authorized parties. In short, any transfer method is better than dropping a file in the DMZ to facilitate access.
Regulatory Compliance
With the exponential growth of data breaches at commercial institutions, every company must be careful to comply with regulations concerning the exposure of certain types of information. In addition to protecting corporate data, companies have a responsibility to keep the personal information of their employees and customers completely secure to prevent identity theft. If a breach does occur, a variety of federal laws including the Privacy Act, the Federal Information Security Management Act, and the Fair Credit Reporting Act come into play. These laws not only require any company that experiences a data breach to notify the affected parties, but also allow individuals to pursue damages in a court of law if they were harmed by the company’s negligence. In extreme cases, criminal charges may apply.
Auditing and Reporting
Since the Enron debacle, both IT reporting requirements and auditing procedures have become much stricter. Third-party agencies like PCI DSS, SOX, and HIPAA are now in full control of ensuring compliance, and they are more than willing to come down hard on any offenders. Although preparing for audits is intended to lead to tighter, more secure systems, this process has added additional overhead for virtually every IT department. At a minimum, strict controls and targeted reporting should be implemented for sensitive data access, privileged user monitoring, and secure web applications.
The importance of file transfer security can’t be overstated. A data breach can not only put your company’s confidential data at risk, but can also lead to legal problems in the event that any personal information is compromised. Alternative To WeTransfer