Sharing files with colleagues and clients should be easy and convenient. What it shouldn't be is a security risk — but it frequently is. Because many small businesses lack proper file-sharing systems and policies, their employees turn to unsafe practices that put both the business's and its clients' privacy in jeopardy.
An annual study by the Ponemon Institute found that while 37 percent of data breaches are due to malicious attacks — by cybercriminals and insiders — 35 percent are caused by the "human factor," meaning employee or contractor negligence. Another 29 percent are due to system glitches. One significant contributor is Shadow IT, the practice of employees using IT solutions that have not been officially implemented and approved by the organization or its IT department. This includes using personal email accounts, free cloud storage and other consumer-grade services to share business documents, all of which pose significant security risks.
"It should be no surprise that Shadow IT, combined with the carelessness of corporate employees, can put company data at risk and lead to dangerous consequences," said Alex Gorbansky, CEO and co-founder of document management company Docurated.
When it comes to file sharing, IT is still playing catch-up in many companies, Gorbansky said. "Employees have bypassed IT and signed up for individual or departmental access to cloud-based file storage and collaboration services," he said. "Doing so gives employees short-term gain through immediate access to files."
However, such short-term collaboration solutions potentially carry long-term risks. "These individual or departmental accounts are set up on an ad-hoc basis, corporate permissions are not inherited, and deprovisioning user access when someone leaves the group, team or company is often an afterthought," he said.
Is your business guilty of engaging in dangerous file sharing habits? Here are five you need to watch out for and what you can do about them.
1. Sharing files via email
The most obvious dangerous habit is sharing files via email. Just the other day I received a design document from a client as an email attachment. Email is not designed to be secure. Anyone with access to an intermediate mail server or with the ability to sniff network traffic between our mail servers would see this design document. If I needed to sign a non-disclosure agreement to see this information, they probably did not want random folks on the Internet to see this information. Instead, senders should encrypt files and use secure file sharing services. — Susan Hinrichs, chief of engineering at SafelyFiled
2. Using consumer-grade cloud solutions
Workers around the world are putting themselves and their employers at risk by indiscriminately using unauthorized file sharing services on their mobile and desktop devices — to the tune of $2 billion. With more workers joining the bring-your-own-device (BYOD) revolution and turning to insecure file sharing services like personal Dropbox and Google Drive accounts, the threat is greater than ever. Employees need to demand Dropbox-like solutions for enterprise tools, bringing the productivity of Dropbox into the secure world of enterprise-sanctioned resources. Employees need to work with IT to adopt a consumer-grade experience with enterprise-grade security. Without IT buy-in, end users will continue to choose between engaging in risky file sharing behavior with consumer-centric alternatives, or taking a productivity hit through clunky legacy enterprise file sharing systems. — David Lavenda, vice president of product strategy at harmon.ie
3. Peer-to-peer (P2P) file sharing
P2P sharing is a great technology used to share data over peer networks. It's also great software to get hacked. Installing P2P software allows anyone, including criminal hackers, to access your client's data. This can result in business security breaches, credit card fraud and identity theft. This is the easiest form of hacking. There have been numerous reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked. For instance, blueprints for President Obama's private helicopters were recently compromised because a Maryland-based defense contractor's P2P software had leaked them to the wild, wild Web. Instead, have P2P security policies in place not allowing the installation of P2P software on your workplace computers or employee laptops. Also, a quick look at the "All Programs Menu" will show nearly every program on your computers. If you find an unfamiliar program, do an online search to see what it is you've found. You should also set administrative privileges that prevent the installation of new software without your knowledge. — Robert Siciliano, personal security and identity theft expert and CEO of IDTheftSecurity
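The "look at the All Programs menu" check above can be scripted. As an added example (not from the article or its quoted experts), this PowerShell inventories installed programs from the Windows Uninstall registry keys, including per-user installs under HKCU where consumer tools often land, and flags anything not on an allowlist; the allowlist entries are constructed placeholders.

```powershell
# Added example: inventory installed programs and flag those not on an approved list.
# The approved patterns below are constructed placeholders; replace with your own.
$Approved = @(
    'Microsoft Office*',
    'Google Chrome',
    '7-Zip*'
)

# Machine-wide (64-bit and 32-bit views) and per-user Uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Sort-Object DisplayName -Unique

# Anything whose DisplayName matches no approved wildcard pattern is reported.
$Unapproved = $Installed | Where-Object {
    $name = $_.DisplayName
    -not ($Approved | Where-Object { $name -like $_ })
}

"Installed programs: $($Installed.Count); not on approved list: $($Unapproved.Count)"
$Unapproved | Format-Table -AutoSize
```

Review the flagged entries by name and publisher before deciding whether to remove them; an unfamiliar publisher or an install path inside a user profile is worth a closer look.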
4. Using flash drives
Flash drives are the easy tool of choice for infection since they bypass network security. If an infected file is on a flash drive and inserted into a system, it can start an infection spread from the PC. Some systems are set to autorun flash drive contents, which can give the malware administrator permissions that allow all kinds of havoc to happen. These habits are not normally considered risky, but represent easy and unexpected infection or breach methods. The simplest and standard defensive actions are using up-to-date antivirus tools that stop autorun and scan any USB-attached device and its files. Encryption also should be applied. — Duane Kuroda, product and marketing at NetCitadel
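The autorun risk described above can also be closed at the operating-system level. As an added example (not from the article or its quoted experts), this PowerShell, run from an elevated prompt, sets the Explorer policy value NoDriveTypeAutoRun to disable AutoRun for all drive types and then reports any autorun.inf file on attached removable drives; it is a complementary control to the antivirus tooling the quote recommends, not a replacement for it.

```powershell
# Added example: disable AutoRun for every drive type via the Explorer policy
# value NoDriveTypeAutoRun (0xFF covers all drive types), verify, then look
# for autorun.inf on attached removable drives. Requires an elevated prompt.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $PolicyPaths) {
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # -Force overwrites an existing value so a weaker setting is not left behind.
    New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

# Read the value back rather than trusting the write succeeded.
foreach ($path in $PolicyPaths) {
    $v = (Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun').NoDriveTypeAutoRun
    '{0}: NoDriveTypeAutoRun = 0x{1:X2}' -f $path, $v
}

# DriveType 2 is "removable" in Win32_LogicalDisk. autorun.inf is usually
# hidden, so use the .NET call, which sees hidden files.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if ([System.IO.File]::Exists($inf)) {
        "WARNING: $inf present on removable drive $($_.DeviceID)"
    } else {
        "OK: no autorun.inf on $($_.DeviceID)"
    }
}
```

The same NoDriveTypeAutoRun setting can be pushed fleet-wide through Group Policy, which is preferable to running the script on each machine.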
5. Lack of visibility
The danger starts when employees take matters into their own hands and engage a file sharing service on their own. The individual making a one-off decision is not going to be thinking of the bigger picture of organization-wide requirements. What may look like the easiest, cheapest solution may be completely bereft of critical functions such as persistent control and auditability, and may inadvertently place the data at risk. Employees that engage a solution on their own may also be tempted to mix personal data with organizational data. Visibility provides important insights into who is using the data, when and how many times. In regulated environments, this visibility provides the required audit information needed for compliance. — Jim Ivers, chief security strategist at Covata