Yorgen Edholm CEO Accellion

Each day companies face an ever growing number of IT-related security issues and information security compliance requirements.  Through the course of security audits, companies are being made aware of the urgent need to address vulnerabilities related to data transfer.
 
As we have learned through an informal survey of companies, the growing number of P2P- and FTP-related data breaches, which continue to make headlines, form an area of particular concern.  Our own President’s safety was recently compromised through P2P file sharing, when sensitive information about his helicopter, Marine One, was leaked from a contractor’s computer through file-sharing software.  As a result of this and other highly publicized security breaches, many companies are revisiting their information security policies to address the security of data transfer. 

In today’s digital age, there is no question the Internet has changed our views about information; including how we access it and how we share it.  This presents new security concerns, particularly when you consider data transfer in the workplace.  Most users don’t realize that the same P2P software they use to freely exchange personal files may also be configured to access and share virtually all of the files that reside on their computer hard drive or network servers.  This is a huge opportunity for those looking to access and exploit sensitive information while also exposing corporations to viruses, worms, Trojan horses, and spyware.
 
After using P2P to exchange files with friends, it can easily become a very appealing IT workaround for an employee.  Up against a work-related deadline, P2P can look like a savior when a proposal needs to be sent that is too large to share over the company e-mail network.  Even if FTP is available the complexities associated with it -- including the time delays when filling out a request form and waiting for the IT department to set up a new FTP account -- make P2P and other non-secure, non-compliant workarounds much more appealing but very dangerous alternatives.

If P2P file sharing is not addressed in your company’s security policy, it should be.  The U.S. House of Representatives recently examined a bill that would force peer-to-peer applications to provide specific notice to consumers that their files might be shared.  While this legislation is a step in the right direction, a company needs to do more than just inform about possible risks; it needs to safeguard against them.

Preparing for the next security audit
No company wants to fail a security audit.  However, if data transfer security is not addressed, it will be flagged.  Corporations and government entities alike need to demonstrate they are controlling sensitive information as part of their security policy while providing auditable records of information transfers for compliance with SOX, HIPPA, FDA and other relevant mandates.  As you prepare for your next security audit, some important data transfer security questions to consider include:

1. Who within an organization decides what digital information can be shared and with whom? 
2. Are there controls in place to safeguard employees from exposing information they shouldn’t?  
3. What vehicles are available to share information and are they secure and compliant?
4. Is it okay for employees to carry digital information around on thumb drives?
5. Is P2P file sharing safe for corporate use? If it wasn’t safe for the President…
6. Is Instant Messaging suitable for employees to transfer digital information?
7. Who gets fired when there is a data breach?
   

So you failed a security audit because of deficiencies in data transfer security – What next?
When a company fails a security audit, the pressure is on to fix any identified security deficiencies as quickly as possible.  Nobody wants to be the person responsible when a data breach happens, particularly when the data breach is associated with a previously identified security vulnerability.  Evaluating and deploying a solution rapidly becomes a top priority.

Fortunately the growth of managed services in the Cloud has helped tremendously in shortening IT evaluation and deployment timeframes. Managed services in the Cloud, such as Accellion’s Managed Secure File Transfer offering, provide organizations with the ability to quickly fix a security deficiency and get a security solution up and running within days, even hours.  Rather than having to bring in evaluation hardware, or download, configure and set up evaluation software, managed services in the Cloud enable companies to immediately evaluate solutions.  Unlike traditional software deployments that require allocation of data center resources and scheduling of IT resources for installation and configuration, a managed Cloud service enables companies to move rapidly to deployment and integration stages.  The result is reduced time to address security vulnerabilities, which is a good thing.

But selection of a security solution is not all about IT requirements, particularly when you consider P2P vulnerabilities.  It is essential that the business needs of business users are addressed.  If we revisit why P2P is so appealing to employees, it is typically because it is an “easy” alternative to using inadequate, non user-friendly corporate systems for transferring data.  Again, FTP is not easy to use nor is it secure, and email systems that limit attachments to less than 10MB are often inadequate for today’s business users.  Any solution installed to secure data transfers has to address ease-of-use for the business user and support the transfer of large files, otherwise employees will find a non-secure workaround, including falling back on P2P.  The assumption needs to be that people have little to no idea of the security hazards of P2P and will need to be educated on why they need to change behavior.  Selecting a user friendly secure corporate solution for data transfers will make changing user behavior a lot easier.

P2P File Sharing Friend or Foe?
P2P file sharing puts corporate data and networks at risk for unauthorized access.  Organizations who choose not to provide an easy to use secure file transfer capability will find P2P being used as an IT workaround.  Rather than waiting for the next security audit to flag P2P as a vulnerability, corporations should be taking steps now to outlaw P2P use and deploy easy to use file transfer capabilities for their employees. P2P file sharing has no place in the corporate environment and the benefits surely do not outweigh the risks.