A staggering 822 million records were exposed by data breaches in 2013, according to research from Risk Based Security. The frequency and risk of data breaches compels companies to look at their network infrastructure and security processes and take appropriate actions to guard against inadvertent data leaks.
An often overlooked area vulnerable to unintentional data leaks is through the use of free online file sharing and syncing solutions. While most employees never consider using a non-corporate sponsored email system, those same employees would readily collaborate through a free file-sharing tool, because it is easier to use than what is available from their employer. Another risky situation arises when a group collaborates by sharing documents and files over email. Version control quickly spins out of control as the volume of email exchanges skyrockets due to the complexity and volume of the edits and to the number of people involved. Project groups then turn to free, ad-hoc file-sharing and collaboration services, which can lead to serious data leakage problems as content is copied onto non-secure public cloud servers.
Unfortunately, IT departments are often unaware of or turn a blind eye to ad hoc file-sharing activity, which tends to expand as projects and teams grow. Compounding the problem, many of these ad hoc file-sharing solutions offer little or no active user authentication, encryption, file tracking or audit controls. Either through malice or by accident, sensitive data can be disseminated outside of the corporate network without regard to corporate policy or security tools like encryption, content filtering or other security solutions that are likely deployed for corporate-sponsored tools, such as email. Further complicating the risk, many of these ad hoc sharing solutions locate servers outside the country in which the company or users reside, such as a European organization sharing files from a U.S.-based file-sharing service. This may inadvertently subject the users’ data to surveillance or control in unexpected jurisdictions.
The disclosure of sensitive files, lack of audit control or the transferring of data across jurisdictions may trigger a compliance breach, summoning the wrath of the regulator or a class-action lawsuit. The consequences can range from a company-wide audit to fines or criminal litigation. Worse, it is almost impossible to track down those at fault, because many of these ad hoc sharing services do not maintain proper audit trails.
Through conversations with enterprise customers, I know that breaches and other data compromises as a result of free file-sharing tools have happened more frequently than most companies care to admit. IT departments have responded in part by using next-generation firewall technology and web filtering to block certain websites. However, it can be hard to spot each new file-sharing variant. Every day it seems I read an announcement about the launch of the next great file-share and -sync company with a free user program. In addition, the employees using these free solutions may be the CEO or other high-level executives. It takes a brave system administrator to ban unsafe file sharing, even though not speaking up can put the company at risk.
Critical questions
Instead of ignoring the issue at hand, IT departments, security and compliance officers and senior managers should accept that employees need an easy way to collaborate without putting the company at risk. Although there are a plethora of competing products, a set of simple questions will help sort out the products that are up to the task and those which fall short.
1) Will employees be sharing sensitive or confidential information? If the material is sensitive or confidential, then there is a need for encryption both at rest and in transit, whether data is consumed on PCs or mobile devices.
2) Will employees share files and get input from multiple parties in and out of the company and be using different platforms and devices? If yes, then the solution must be extensible inside and outside the company, be usable on PCs and mobile devices, and have features for version control and file backups.
3) Do you need to be concerned with the location of stored information? If this is a concern, the solution must be able to be hosted in the appropriate geography for data sovereignty or in an on-premises private cloud that complies with international regulations.
4) Do you have compliance controls and authentication policies in place for email and other corporate programs? If so, you will need the same level of controls and tracking for file sharing and syncing solutions as you maintain for your other corporate systems. For security and compliance, it may be essential to enforce an authentication policy or integrate with content-filtering solutions, as well as having a method to track access logs and remove user access when the project ends or if members are no longer with the company or partner community.
The days of turning a blind eye and ignoring ad hoc, BYOD solutions are over. You should answer these four questions to set your company practices around sharing information to ensure compliance with industry standards and your own corporate policies. Avoid the worst-case scenario of sensitive data leaking outside the company. Take action now and put a compliant, corporate-enforced, secure file-share application in place.