Efficient business operations rely on fast communication between employees, clients and partners. What was once considered a competitive edge, the ability to share ideas and information in near real time, is now a necessity for businesses. E-mail has set the standard for speed of communication, yet it is surprising how many organizations, both large and small, are not equipping their business users with the ability to move information larger than just a short message. As a result, they expose themselves to security and compliance risks.
Numerous high-profile events clearly demonstrate that organizations of every size struggle with how to securely share large e-mail attachments. For example, following a year-long ban on USB thumb drives and other removable devices, the Department of Defense recently released new guidelines allowing limited use of these devices under mission-critical, carefully controlled circumstances, and only after strict compliance requirements are met. According to DefenseNews, the ban on thumb drives has been inconvenient for military personnel who used them for carrying tech manuals, medical records of wounded troops, mission plans, and other types of important information stored in files too large to e-mail.
In February, the Federal Trade Commission (FTC) issued a warning on security risks associated with the use of peer-to-peer (P2P) file sharing by businesses. The FTC said companies and institutions of all sizes that allow P2P use are vulnerable to serious breaches.
The warning was issued after sensitive data about customers and employees had been shared from the computer networks of nearly 100 companies and organizations as a result of P2P usage. The companies and organizations ranged in size from businesses with as few as eight employees to publicly held corporations employing tens of thousands.
To help organizations ensure the confidentiality of data being exchanged electronically and demonstrate compliance, it is important that they equip users with a solution with which they can securely exchange large file attachments.
Understanding the Dangers of Workarounds
Before discussing how to reduce security risks associated with e-mail attachments, let’s look at some common IT workarounds which employees often turn to when enterprise-level solutions are not available. Although the dangers associated with these workarounds may seem obvious, recent actions from the FTC and the Department of Defense, along with high-profile data breaches, illustrate that additional education is necessary.
To alleviate the impact that growing file sizes have on e-mail networks, the common response is to place a limit on the size of messages sent and received. With Microsoft best practices limiting e-mail attachments to a mere 10MB, employees are often left to find other creative (but often insecure) ways to send large file attachments.
Simple to use and relatively inexpensive, thumb drives, DVDs and CDs are common vehicles for transferring large amounts of data. However, these highly portable devices quickly turn into a security nightmare when placed in the wrong hands. Although advances are being made that allow encryption of thumb drives, more work needs to be done before this method is ready for mass use. Additionally, the inability to monitor what information is copied onto devices and track where the devices go after leaving an enterprise makes achieving compliance impossible.
Using P2P in the workplace
The use of P2P in the workplace often happens with the best of intentions. Typically installed to exchange music files with friends, P2P can become an appealing IT workaround for an employee who discovers the proposal they need to send is too large to share over a company e-mail network. FTC Chairman Jon Leibowitz has recently stated that, unfortunately, “companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers’ sensitive information such as health-related information, financial records, driver’s license and social security numbers at risk for identity theft.”
Dedicated FTP servers installed to overcome size limitations come with their own set of problems. In addition to being too technical for the average user, they present a weak link in an organization’s data security program: account names and passwords are shared, and files are left indefinitely on insecure servers.
Checklist of Features to Consider
To avoid exposing your organization to security and compliance risks at the file transfer source, I have developed a checklist of five features to consider before selecting a solution:
Feature No. 1: Integrated e-mail and file transfer security features
Security features such as content awareness, encryption, comprehensive tracking and reporting, and archiving should encompass both e-mail messages and e-mail file attachments, which contain the bulk of sensitive information. A solution for transferring large files should integrate with e-mail via a plug-in so that file attachments are always sent securely and in compliance, reducing the risk of a data breach at the file transfer source.
Feature No. 2: Policy-based content awareness of large file transfers
The ability to set automated security policies for data in motion and conduct content analysis of each attached file is essential for ensuring compliance with corporate data security guidelines. The solution should block or quarantine files if the content within the file does not meet corporate security policies.
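A minimal sketch of the block-or-quarantine decision described in Feature No. 2, added here as an illustration and not taken from any vendor's product. The detection patterns, the five-hit threshold and the function names are assumptions chosen for the example.

```python
import re

# Constructed policy: patterns and thresholds are illustrative assumptions.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on card-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list[str]:
    """Return digit strings that look like card numbers and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def evaluate_attachment(name: str, data: bytes) -> tuple[str, list[str]]:
    """Return (action, reasons); action is 'allow', 'quarantine' or 'block'."""
    text = data.decode("utf-8", errors="replace")
    reasons = []
    ssns = SSN_RE.findall(text)
    cards = find_cards(text)
    if ssns:
        reasons.append(f"{name}: {len(ssns)} SSN-like value(s)")
    if cards:
        reasons.append(f"{name}: {len(cards)} card number(s) passing Luhn")
    if len(ssns) + len(cards) >= 5:   # bulk record set: stop the transfer
        return "block", reasons
    if reasons:                       # isolated hit: hold for human review
        return "quarantine", reasons
    return "allow", reasons
```

A production policy engine would also extract text from archives and office formats before matching; this sketch inspects plain text only.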
Feature No. 3: Disk and file transfer encryption
Encrypting user files before storing them on a disk eliminates risk at the file transfer source. Seamless, client-side encryption of file attachments before they are sent, along with transparent logging and reporting, provides increased confidence and protection. Whether operating in the cloud or on-premises, disk and file transfer encryption helps organizations maintain compliance by ensuring that confidential files remain secure during transfer or in the event of loss, theft or security breach.
Feature No. 4: Business record retention
Protection and retention of electronic business records is vital in the event of corporate litigation. E-mail messages with large file attachments should be continuously monitored to determine which files meet the criteria for archiving. Look for a solution that captures and replicates files subject to corporate archival policies.
Feature No. 5: Flexible deployment options
Flexibility in deployment options provides enterprises with the highest level of performance at the lowest cost by allowing you to leverage the infrastructure you already have or plan to build. If you operate in a mixed environment or anticipate changes, look for a solution that can be deployed in the cloud, on a virtual appliance, and on a physical appliance, all of which can be mixed, matched and integrated as one solution.
Unfortunately, in many organizations, the management of e-mail attachments is an afterthought, leading to security vulnerabilities. Given the increase in data breaches and updated and extended compliance regulations such as the Health Insurance Portability and Accountability Act (HIPAA), now is not the time to ignore security vulnerabilities. Organizations large and small are waking up to the hazards of e-mail attachments.
Deploying an enterprise-level managed file transfer solution will protect confidential information and ensure compliance. Linking this technology to your content filtering and corporate archival policies provides the ultimate security against insider and external threats.
Yorgen Edholm is President and CEO of Accellion. A Silicon Valley veteran, Yorgen has more than 25 years of enterprise software expertise. Yorgen also co-founded Brio Technology. During 12 years as Brio’s CEO, he took the company public and grew it to $150 million in revenues, with over 700 employees and a customer base of over 5,000 organizations. In addition, Yorgen was president and CEO of DecisionPoint Applications, an analytical applications company. Yorgen has served on several public and private company boards including most recently Hyperion (sold to Oracle), I-many, Resilience, Verix and Saama. He can be reached at [email protected].