While CISOs have long labored under the directive “do more with less,” it has often and unfortunately come at the expense of cybersecurity and data governance. In an increasingly distributed work environment where secure file sharing involves accessing sensitive information from mobile devices and sharing it across enterprise boundaries, CISOs have struggled to maintain visibility and control of where sensitive information is stored in the network, who has access to it, and what’s being done with it. These blind spots introduce a significant amount of risk, namely risk of a data breach and risk of a compliance violation. This is not sustainable.
As more and more sensitive data is compromised, whether inadvertently by careless employees or intentionally by hackers, organizations increasingly look to their CISOs to reassure senior management and boards of directors that the proper systems and processes involving secure file sharing have been put in place to prevent a data breach, or at least mitigate the damage caused by one.
Data security, however, is only half the battle. Data privacy is just as important. CISOs must ensure not only that every file that enters, leaves or is stored in the organization is protected, but also that these activities are carried out in compliance with increasingly strict data privacy regulations. Those regulations and laws – particularly the stipulations that pertain to secure file sharing – will only grow stricter and carry harsher penalties for non-compliance. Look no further than GDPR, which becomes binding in late May of this year.
Compliance with GDPR and other regulations like HIPAA, SOX, ITAR and others extends beyond setting and following processes. Today, compliance also includes demonstrating how sensitive information is handled as well as knowing where all sensitive information resides (both on-prem and in the cloud), who has access to those files, and what’s being done with them. Are they being downloaded? Edited? Shared? With whom? When?
Organizations need to categorize all of their information into one of three different buckets: information that is safe for publishing openly without restrictions; information that is restricted and can never be shared outside the firewall; and information that needs to be shared outside the firewall, but only if the proper security controls are in place.
This third segment poses the most risk. A data breach can take many forms: a brute force attack that makes repeated attempts to guess a user’s username and password, a man-in-the-middle attack over an unsecured Wi-Fi network, a lost or stolen device, a malware infection (including ransomware), a phishing attack and many more. Unfortunately, most file-sharing solutions – whether traditional email solutions like Gmail or Office 365, or public cloud solutions like Dropbox and Evernote – lack the enterprise security controls needed to protect sensitive information. For those organizations that do prioritize security over efficiency, SFTP is a popular choice for secure file sharing; however, it is time consuming for IT to support and often so cumbersome for users that they opt for easier-to-use (and less secure) alternatives, often without IT’s permission. This is commonly referred to as shadow IT.
CISOs and their organizations therefore must identify systems, solutions, and processes that enable their employees to share sensitive information securely and efficiently. Here are five key capabilities for organizations to consider while evaluating a secure file sharing platform that is also easy to use and demonstrates compliance with industry regulations:
- Comprehensive File Protection: Organizations need a number of security features to ensure sensitive information stays private. Encryption of files in transit and at rest, role-based access (view only, download, assign other users, etc.), file/folder locking and expiration, watermarking, antivirus (AV) scanning, and integration with advanced threat prevention (ATP) and data loss prevention (DLP) solutions are just some of the many security capabilities a secure file sharing platform should have. Generally speaking, the more security capabilities that are available and deployed, the harder it is for hackers to gain access to an organization’s network, systems, and sensitive information.
- Automatic Version Control: Having multiple versions of a file creates a greater surface area for hackers. The creation and storage of multiple versions of files also causes confusion for employees, forcing them to wonder which version is the most current. A secure file sharing platform that only displays the most current file version (and archives, rather than deletes, earlier versions) ensures every authorized user with access to the file is working with the right file. Version control is also instrumental in streamlining workflows and improving employee productivity.
- Two Factor Authentication (2FA): Smartphones, tablets and laptops are obviously very popular tools for secure file sharing; however, they are very susceptible to data breaches, not only when they are lost or stolen but also when exposed to vulnerabilities in the device or operating system, a compromised Wi-Fi network or a brute force attack. 2FA, whether it’s an alphanumeric code, a pre-determined security question, biometrics or another form of authentication, provides an additional – and therefore critical – layer of security for these devices that mitigates the risk of sensitive information falling into the wrong hands.
- Automation: If organizations are able to automate some of their secure file sharing, the process can streamline workflows and enable users to focus on more strategic (read: less tedious) projects. Consider an employee who needs to share customer log files, credit card transactions or IP addresses with outside legal counsel or a manufacturing partner. Sending this sensitive information via email and a file attachment is neither efficient nor secure. And manually updating individual repositories might take days or weeks. Instead, organizations can create a customized workflow that automatically distributes the files to designated repositories that can be accessed by all impacted personnel. Note: depending on the complexity, this may or may not require the assistance of a software developer to write code.
- Full Visibility into All Content: Secure file sharing is enhanced when the files being shared are easy to locate. It’s not uncommon for organizations to have files stored on CIFS drives, in on-prem Enterprise Content Management (ECM) systems, and in a variety of cloud-based storage solutions. The ability to find, access, and share files quickly can greatly enhance employee productivity, and if it can be done from a single user interface, even better. For compliance purposes, organizations also need to demonstrate full visibility into all enterprise content with a trusted, detailed log of all activity. This includes where a file resides, who has access to it, when it has been accessed, what’s been done with it (downloaded, printed, shared, etc.), from what IP address and from what device. Ultimately, a record of file activity not only provides a trail of touchpoints for auditors or investigators should any file be compromised; it also provides valuable governance insight into how users interact with an organization’s data.
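As an added illustration of the role-based access, expiration and locking controls listed under Comprehensive File Protection and the activity record described under Full Visibility, the following Python (written for this article, not Accellion's or any product's code) authorizes a share action and logs who did what, when, from which IP address and device, whether the action was allowed or not. The role-to-action mapping, the sample users and files, and the hash-chained log (a tamper-evidence technique the article does not itself mention) are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
import hashlib
import json
# Roles named in the article (view only < download < assign other users); the action->role map is a hypothetical policy.
Role = IntEnum("Role", "VIEW DOWNLOAD MANAGE")
ACTION_MIN_ROLE = {"view": Role.VIEW, "download": Role.DOWNLOAD, "assign": Role.MANAGE}

@dataclass
class Share:
    file_id: str
    grants: dict                       # user -> Role
    expires_at: "int | None" = None    # expiration (epoch seconds): nothing is allowed afterwards
    locked: bool = False               # file lock: only viewing is allowed while held

# Append to the audit log; each entry commits to the previous one, so later edits are detectable.
def append_entry(log: list, record: dict) -> None:
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps({**record, "prev": prev}, sort_keys=True).encode()
    log.append({**record, "prev": prev, "hash": hashlib.sha256(body).hexdigest()})

# Recompute the hash chain; False if any entry was altered, removed or reordered.
def verify_log(log: list) -> bool:
    prev = "0" * 64
    for e in log:
        body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True).encode()
        if e["prev"] != prev or hashlib.sha256(body).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return True

def authorize(share: Share, user: str, action: str, ip: str, device: str, now: int, log: list) -> bool:
    """Decide whether `user` may perform `action`, and record who, what, when and from where either way."""
    role = share.grants.get(user)
    checks = [(role is None, "no grant"),
              (share.expires_at is not None and now >= share.expires_at, "share expired"),
              (share.locked and action != "view", "file locked"),
              (role is not None and role < ACTION_MIN_ROLE[action], "insufficient role")]
    reason = next((r for failed, r in checks if failed), "ok")
    append_entry(log, {"ts": now, "file": share.file_id, "user": user, "action": action,
                       "ip": ip, "device": device, "allowed": reason == "ok", "reason": reason})
    return reason == "ok"

def sample_run() -> list:
    # Constructed scenario (not from the article): one shared file, two grantees, one outsider.
    share = Share("contract.pdf", {"alice": Role.MANAGE, "bob": Role.VIEW}, expires_at=2_000_000)
    log = []
    authorize(share, "bob", "view", "10.0.0.5", "iPhone", 1_000_000, log)         # allowed
    authorize(share, "bob", "download", "10.0.0.5", "iPhone", 1_000_100, log)     # denied: view-only role
    authorize(share, "mallory", "view", "203.0.113.9", "laptop", 1_000_200, log)  # denied: no grant
    authorize(share, "alice", "assign", "10.0.0.7", "laptop", 2_000_001, log)     # denied: share expired
    return log
```

Every decision, allowed or denied, lands in the log with the fields the article asks for, and verify_log lets an auditor confirm the trail has not been edited after the fact.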
The reality is organizations across virtually every industry must access, handle and share sensitive information. This requires organizations to deploy systems and processes that can ensure the information being shared stays private and that privacy can be demonstrated when auditors and regulators ask for it. Having a secure file sharing solution that incorporates these five capabilities will enable CISOs and their teams to protect an organization’s most valuable digital assets, comply with internal policies and industry regulations, and finally, get work done efficiently.
About the Author
Cliff White is Chief Technology Officer (CTO) at Accellion. Mr. White joined Accellion in 2011. He has more than 15 years of experience in the software industry and web-based technologies. He has also managed global engineering teams and advised C-level executives on software product engineering and best practices. Before joining Accellion, Mr. White developed highly scalable software for imageshack.com, an online media hosting company and one of the most visited websites on the internet. Previously, he led the engineering function for rentadvisor.com, a peer review and recommendation website for rental properties before it was acquired by apartmentlist.com.