5 misconceptions about file transfer security

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

The typical enterprise transfers thousands of files per day, making file transfer one of the essential business productivity tools. But there are a number of file transfer security misconceptions floating around that give the technology a black eye. Here are the Top 5:

Misconception 1: All that matters in file transfer is getting data from point A to point B

This is the most common misconception. File transfer tools are seen as a productivity necessity and employees will toss security to the wind to get the job done. The truth is there's much more to take into consideration -- for compliance, operations and overall security. For example:

• Visibility: You can't secure what you can't see, and you can't be compliant if you have no idea who is sending which files where. Full visibility into files moving inside and outside of your network is a necessity in file transfer security and compliance, and it's just as important as (if not more important than) the file simply reaching its destination.

• Setting and enforcing file controls and permissions: Some files are just too sensitive to sit in the intended recipient's inbox for weeks. Who knows who has access to that inbox? Password-protected files are a step in the right direction, but they're not a silver bullet. It's important to be able to implement and enforce file security controls that extend beyond your network. For example, you can create a rule that will make sure a sensitive file will automatically delete itself if it has not been opened three days after it was sent.

• Moving large files: Files are getting bigger and, as a result, our bandwidth needs are increasing, but moving big files isn't as easy as you might think. Sure, there are free services out there that will do this -- but do you really want to trust them with your corporate data? For security and operations, it's important to have in-house solutions for moving big, sensitive files efficiently by automating recurring transfers and timing large transfers to take place during off-peak network hours. Don't forget that some of the biggest files moving on your network are likely moving between integrated enterprise applications.
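The self-deleting rule from the file controls item above, written out as an added example (not code from the article or from any product). The `Transfer` record, its field names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UNOPENED_TTL = timedelta(days=3)  # the article's example: three days after sending


@dataclass
class Transfer:
    file_id: str                          # hypothetical identifier
    sensitive: bool
    sent_at: datetime                     # timezone-aware, UTC
    opened_at: Optional[datetime] = None  # None means the recipient never opened it
    revoked: bool = False


def due_for_deletion(t, now):
    """True when a sensitive file is still unopened once the TTL has elapsed."""
    if not t.sensitive or t.revoked or t.opened_at is not None:
        return False
    return now - t.sent_at >= UNOPENED_TTL


def enforce(transfers, now):
    """Revoke every transfer that is due and return the ids for the audit trail."""
    revoked = []
    for t in transfers:
        if due_for_deletion(t, now):
            t.revoked = True
            revoked.append(t.file_id)
    return revoked


def utc(day, hour):
    return datetime(2024, 3, day, hour, tzinfo=timezone.utc)


def sample_transfers():
    # Constructed records, evaluated against "now" = 2024-03-10 12:00 UTC.
    return [
        Transfer("payroll.xlsx", True, utc(6, 9)),                   # unopened for 4 days
        Transfer("contract.pdf", True, utc(6, 9), opened_at=utc(7, 15)),
        Transfer("newsletter.pdf", False, utc(1, 9)),                # not sensitive
        Transfer("hr-review.docx", True, utc(8, 13)),                # still inside the window
        Transfer("merger-terms.pdf", True, utc(7, 12)),              # exactly 3 days old
    ]


if __name__ == "__main__":
    print(enforce(sample_transfers(), utc(10, 12)))
```

Running the job a second time over the same records revokes nothing further, so it can be scheduled repeatedly without double-reporting.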

Misconception 2: Homegrown FTP and/or encrypted email is 'good enough'

You're probably telling yourself, "My homegrown FTP works just fine" or "We use encrypted email, so my business is secure." Think again.

First, homegrown FTP solutions are littered with inefficiencies, risks and limitations, and they can cost up to 10 times more than other technology solutions on the market. Scripts and disparate homegrown FTP solutions eventually become impossible to manage, and having numerous point applications and tools from several vendors poking holes in your firewall isn't an ideal scenario for file transfer security.

Second, encrypted email is great. It's a step in the right direction, but all it does is make it difficult for data in transit to be stolen. It doesn't get you the file transfer visibility, control or enforcement needed for compliance. And according to recent research, more than 75% of IT executives surveyed use email accounts to send classified files and information as attachments -- including payroll, customer data and financial information -- and nearly 60% do so weekly. Encrypted email also has all the limitations of traditional email (for example, no sending of files larger than 10MB).

For enterprises today, consolidation is key. We all want to be secure, work with fewer vendors, and own less responsibility for the performance of technology that operates within our business. Homegrown technology solutions and half-baked security fixes may temporarily meet your needs, but as your business expands and your network becomes more diverse it makes sense to tap a single, managed solution for file transfer that ensures security and also gives you the benefit of one throat to choke.

Misconception 3: My business doesn't transfer any sensitive 'big data'

Big data is anything that's too big to fit in a stand-alone email. Now, you personally might not transfer sensitive big data, but your company does -- especially if it is using large integrated enterprise applications. On average, 60%-70% of files transferred within the enterprise today are large files transferred between enterprise applications through some form of middleware. And those transfers (typically large batch, flat or video files) are usually ungoverned and often contain sensitive information about your company, your employees and your customers. And interestingly enough, the middleware used today for large enterprise software systems was not designed to handle big data and constrains network resources.

When thinking about your network architecture, assume that sensitive big data is only going to get bigger, and evaluate effective, flexible file transfer solutions that can manage large, sensitive files better and more securely than legacy middleware solutions.

Misconception 4: Employees only use work email to transfer work files

Employees will always take the path of least resistance. If that means circumventing security policies by using personal email to send a large payroll file, so be it. For most employees, security just isn't their top concern, and for others the intent is more malicious. A recent study showed that 40% of business professionals are sending sensitive or confidential information through personal email accounts to mask file transfer activity from management, a major security breach and compliance violation for companies.

Everyone feels that they have the right to check, and use, their personal email account throughout the business day. The truth is that personal email makes it easy for employees to walk out the door with your IP or sensitive client data -- or inadvertently leak it to an untrusted third party. If you're looking to stop your employees from using personal email to send work-related documents, an important first step is providing a simple and secure alternative.

Misconception 5: We have a file transfer policy and our employees follow it

As a security professional, you need to follow the age-old mantra of "trust but verify." Policies without enforcement are worthless, and it's dangerous to assume employees know and follow your file transfer policies, let alone partners and other outsiders that log into your network. Yet, according to a study at RSA, the majority of businesses are not enforcing file transfer policies. According to the study, nearly 55% of IT executives say their companies provide -- but do not enforce -- policies and tools around sharing sensitive information.

Enforcement is critical to information security. The first step is identifying what files you want to protect and implementing a framework that provides real-time, 24/7 visibility and active network monitoring, enforcement and alerting on suspicious file transfer activity.
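A minimal "trust but verify" check over a transfer log, as an added example (not part of the original article or any vendor's tooling). The log layout, domain list, approved channel, size threshold and peak hours are all assumptions; filename keyword matching stands in for real data classification.

```python
import csv
import io

# Constructed sample log; the column layout is an assumption, not a product format.
SAMPLE_LOG = """\
time,user,channel,destination,filename,bytes
2024-03-11T10:02:00,alice,mft,partner.example.com,payroll_march.csv,48213
2024-03-11T10:15:00,bob,email,bob.private@webmail.example,payroll_march.csv,48213
2024-03-11T11:40:00,carol,ftp,legacy.example.net,customer_export.zip,7340032
2024-03-11T14:05:00,dave,mft,dr-site.example.com,video_archive.mp4,5368709120
2024-03-11T23:30:00,erin,mft,dr-site.example.com,video_archive.mp4,5368709120
"""

PERSONAL_DOMAINS = {"webmail.example", "freemail.example"}  # stand-ins for personal email providers
SENSITIVE_KEYWORDS = ("payroll", "customer", "financial")   # categories the article names
APPROVED_CHANNELS = {"mft"}                                 # assumed: one managed channel
LARGE_BYTES = 1024 ** 3                                     # assumed threshold: 1 GiB
PEAK_HOURS = range(8, 18)                                   # assumed business hours


def check(row):
    """Return the policy findings for one log row (empty list if compliant)."""
    findings = []
    name = row["filename"].lower()
    sensitive = any(k in name for k in SENSITIVE_KEYWORDS)
    # For an email address this yields the domain; a bare host is used as-is.
    domain = row["destination"].rsplit("@", 1)[-1].lower()
    hour = int(row["time"][11:13])
    if sensitive and domain in PERSONAL_DOMAINS:
        findings.append("sensitive-to-personal-email")
    if sensitive and row["channel"] not in APPROVED_CHANNELS:
        findings.append("sensitive-on-unapproved-channel")
    if int(row["bytes"]) >= LARGE_BYTES and hour in PEAK_HOURS:
        findings.append("large-transfer-in-peak-hours")
    return findings


def audit(log_text):
    """Return (user, filename, finding) for every violation in the log."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        for finding in check(row):
            alerts.append((row["user"], row["filename"], finding))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```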

Ipswitch File Transfer enables companies, applications and people to manage, secure and share business-critical information. The company's managed file transfer and application integration solutions are used by more than 40 million global users, including 90% of Fortune 1000 enterprises.


Stories by André Bakken, director of product management at Ipswitch File Transfer
