In 2022, school-age hackers and shady opportunists have long been consigned to the annals of history. No longer are simple brute-force passwords or man-in-the-middle attacks keeping IT managers awake at night. Instead, today’s IT environment presents a much bigger challenge when trying to secure an organisation’s data.
As Matt White, experienced CISO, explains in his article “Deploying Quatrix for the Enterprise”, the number of systems and amount of data has exploded in recent years, meaning that the sheer size and scale of the task facing IT teams has become daunting. And in transit, when data is at its most vulnerable, it can be a major headache to enable day-to-day business operations while also protecting an organisation’s most sensitive data.
We can see the impact of this explosion in Splunk’s State of Security 2022 report. It paints the human impact in a stark light, with 70% of respondents having considered moving roles due to increased workload and 73% seeing workers resign, citing ‘burnout’ as the reason.
So what are the biggest file-sharing security risks facing organisations in 2022, and how can they be addressed in a way which protects an organisation’s data without creating additional work for already under pressure IT staff?
1. Sharing directly through the corporate firewall
Allowing a third party access behind the corporate firewall is a big no-no. Inviting external users into an environment such as Office 365, or providing login credentials for an internal file-sharing platform, is extremely risky.
There are several reasons why this is a bad idea:
- Users can create overly-permissive settings too easily, leading to inadvertent data loss.
- It’s hard to secure and manage external file sharing on apps which tend to focus on ease of use or flexibility rather than taking a security-first approach. As an example, OneDrive alone has 75 settings associated with data security scattered across 15 different locations.
- Another Microsoft 365 feature, data acquisition using one-time links, is not available on all subscriptions and, where it is, requires the most permissive security settings to be configured in order to work.
- Compliance programmes such as GDPR in the EU and CCPA and HIPAA in the US require an audit trail and data retention policies to be enforced, which is extremely difficult to manage and debug when logs are not centralised.
- Adding multiple routes through the corporate firewall presents a challenge to monitor and debug, as well as a larger attack surface and extra work to manage.
In response, some organisations choose to lock down all external file sharing across their internal apps, only allowing files to be shared on one segregated platform which is both secure and compliant by default.
2. Insecure, unsanctioned software
Third-party file sharing applications pass data through one or more networks and data centres which may or may not be hosted in your preferred jurisdiction, meaning that you may be breaking international laws.
Examples include consumer-grade file-sharing apps such as WeTransfer, or plain email, both of which are notoriously insecure.
3. Legacy systems
Legacy systems can run outdated code, don’t always take advantage of modern security techniques and can be susceptible to breaches. In a worst-case scenario, software which runs critical business applications is no longer supported, or is running an outdated version due to upgrade or compatibility issues.
Given the challenges of upgrading and patching software, it is no surprise that the trend is for both organisations and software vendors to migrate to the cloud for file sharing. It makes security issues much easier to prevent, manage and handle by a dedicated security team in real time.
4. Application sprawl
Multiple applications performing the same or similar tasks are not only inefficient, but difficult to manage and secure. It’s also not surprising that end users and IT administrators prefer having fewer applications to learn and use.
As Matt White explains in his article, providing a familiar solution on a segregated platform means that employees have a simple way to securely share data as and when required, immediately hardening an organisation’s overall security posture.
- Enterprise File Sync & Share (EFSS)
- Document Collaboration
- iPaaS / API
- Robotic Process Automation (RPA)
- Electronic Data Interchange (EDI)
- Secure Email
- Extreme File Transfer
Given the above, buyers often consult a file sharing expert before proceeding to see how specific software fits into an organisation’s overall applications strategy.
For file sharing, as Matt White explains, a single application with a familiar interface gives employees a way to securely share data which they are actually likely to use. This approach immediately hardens an organisation’s overall security posture by removing friction and ensuring adoption while reducing application sprawl.
5. Rogue employees
If an employee wants to share a file, having access to it will allow them to do so. However, you can minimise the risks associated with this by:
- Restricting access to only the employees who need access to specific data, using “zero trust” principles
- Using a platform which tracks all file shares to alert you to any suspicious behaviour
- Limiting what employees need to or can do with data, through granular controls and secure automated workflows
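The second and third mitigations above (tracking every share and alerting on suspicious behaviour, and flagging overly permissive settings from section 1) come down to running simple rules over a centralised share audit log. The following is an added illustration, not code from Quatrix or from Matt White’s article; the log field names, labels, the 08:00–18:59 UTC business-hours window and the per-hour threshold are all assumptions, and the log lines are constructed samples.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-share audit records; the schema is an assumption,
# not any vendor's format. One JSON object per line.
SAMPLE_LOG = """\
{"ts":"2022-06-01T09:12:00Z","user":"alice","file":"q2-forecast.xlsx","label":"confidential","scope":"internal"}
{"ts":"2022-06-01T09:15:00Z","user":"alice","file":"board-pack.pdf","label":"confidential","scope":"anyone_with_link"}
{"ts":"2022-06-01T10:02:00Z","user":"carol","file":"a.csv","label":"internal","scope":"external"}
{"ts":"2022-06-01T10:05:00Z","user":"carol","file":"b.csv","label":"internal","scope":"external"}
{"ts":"2022-06-01T10:09:00Z","user":"carol","file":"c.csv","label":"internal","scope":"external"}
{"ts":"2022-06-01T10:14:00Z","user":"carol","file":"d.csv","label":"internal","scope":"external"}
{"ts":"2022-06-01T22:40:00Z","user":"dave","file":"payroll.csv","label":"confidential","scope":"external"}
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC; an assumed policy, not a standard


def parse(log_text):
    """Parse one JSON record per line and return events sorted by timestamp."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, max_external_per_hour=3):
    """Return (rule, user, file) alerts for three share-audit checks:
    a confidential file exposed via an anyone-with-link share, a
    confidential file shared externally outside business hours, and a
    user exceeding max_external_per_hour external shares in a trailing hour."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of external shares in window
    for e in parse(log_text):
        if e["scope"] == "anyone_with_link" and e["label"] == "confidential":
            alerts.append(("permissive_link", e["user"], e["file"]))
        if e["scope"] != "external":
            continue
        if e["label"] == "confidential" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_confidential", e["user"], e["file"]))
        recent[e["user"]].append(e["ts"])
        # drop external shares older than one hour before this event
        recent[e["user"]] = [t for t in recent[e["user"]] if e["ts"] - t < timedelta(hours=1)]
        if len(recent[e["user"]]) > max_external_per_hour:
            alerts.append(("bulk_external", e["user"], e["file"]))
    return alerts
```

On the sample log this raises one alert per rule: alice’s link share, carol’s fourth external share within an hour, and dave’s late-night confidential export.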
A simple solution to secure file sharing
Organisations can protect against the file-sharing risks presented in this article using Quatrix. It offers a secure, segregated environment where only authenticated users can access files using granular permissions and centralised controls, as well as offering MFT automation and SFTP hosting in a secure and compliant environment.