'You are Fired!'

The popularity of consumer file-sync-and-share solutions such as Dropbox continues to grow, as consumers appreciate the ease with which they’re able to transfer large files, such as photos and videos, to family and friends. While beneficial to consumers, these applications are problematic for IT departments. More and more employees use Dropbox to share corporate files, and don’t fully understand the risk. Organizations must do a better job of warning employees that using online file sharing tools to share sensitive files at work can result in serious penalties, and even termination. Let’s take a look at why:

1. Operating in the shadows.

Companies’ IT departments aren’t able to track when an employee accesses Dropbox to share files and are unable to control which employee devices are able to sync with a corporate computer. This practice, often called “shadow IT,” effectively locks the IT department out of the file-sharing activities of employees. As a result, IT departments are unable to track how files have been modified, determine who has viewed files if sensitive information is leaked, or remotely wipe Dropbox if an employee’s device is stolen.

2. Potential for data theft.

Dropbox has limited security features, and because companies aren’t able to monitor what files are synced to what device, it’s impossible to know whether data has been shared with or accessed by the wrong party, which increases risk of insider threats and data theft.

3. Data loss.

Dropbox has been known to lose customer files – or fail to back them up at all – meaning that employees run the risk of permanently losing company files, with no way for the IT department to recover them.

4. Adherence to compliance regulations.

Many industries have compliance regulations which dictate that certain files have limited access or remain encrypted during transfer. Because Dropbox is not equipped with secure file regulation capabilities, there is an increased risk that employees are unknowingly violating their company’s compliance requirements.

5. Limited data security.

All employees know that it’s important to protect sensitive files such as financial data or intellectual property documents. Yet Dropbox has limited encryption and security features, which leaves data exposed and at risk of being corrupted or landing in the wrong hands.

While Dropbox and other online file sharing tools are sufficient for sending personal files, these systems simply aren’t capable of securely managing corporate file transfers. There’s certainly a demand among employees for reliable, user-friendly file transfer options, and IT departments should look to meet this need by providing employees with a highly secure alternative, such as Managed File Transfer (MFT) solutions.

NHBC is the National House Building Council, a building standards and insurance warranty provider in the United Kingdom. By implementing a Managed File Transfer (MFT) solution, NHBC is able to effectively ensure a constant flow of secure, confidential, copyright and personal documents and communications – a necessity in the heavily regulated insurance and building sectors. We spoke with Wayne Watson, information security manager for NHBC, to find out why MFT is critical to satisfying internal standards and external regulations.

Q. What issues was your organization facing?

We faced a regulatory challenge. We conduct our own internal audit, and are audited every year by the Financial Conduct Authority (FCA), which has very stringent guidelines regarding the transfer and management of sensitive data. Our challenge is proving to the FCA auditors the types of files and data that are leaving the company. If you don’t comply with the FCA – such as by losing or exposing someone’s financial information – you can get hit by a fine of 250,000 pounds. Plus it would damage our reputation, which we’ve built over 75 years, and people could turn to our competitors. Moreover, we need to comply with the Data Protection Act.

The threat is external because everyone who deals with us tends to want to use their solution, such as DropBox. The risk of having data leakage through sites like DropBox is just too great for a company like ours.

Q. What impact were these issues having on your business?

I would get lots of requests to download from sites like DropBox. For example, someone would say, “I need to download this file from this location,” and I would say “We’ll set up a folder so the person can upload to our site.” We need to get our users to educate the people that they work with from third-party companies to do things a bit differently, and that’s where the problem lies.

To send files, our staff was resorting to clunky measures, like encrypting and sharing files via SD cards, USB drives, CD-Rs, email attachments and an assortment of unsecured web-based file sharing applications.

Q. In a day and age where IT can only address the top issues facing your business, what made this something that had to be dealt with?

Because we are regulated, we like to monitor everything that is going in and out of the business, especially confidential and financial data. We’re trying to work towards ISO 27,000 on compliance, which is what all of our information security policies are based around.

Q: What impact has Managed File Transfer had on your business?

I think what’s most important to someone in my position anyways is visibility of what’s coming and having the ability to monitor. It has given me a warm fuzzy feeling that I can see what’s going in and out of the company and I can monitor people’s usage of the solution. From an IT perspective, it is definitely a best practice to use a commercial MFT solution rather than rely on something based on open source.

More and more people are using it rather than resorting to “old-fashioned” and insecure methods of saving to disk or USB. Staff in legal, claims, development, and training departments use it quite a lot, and we use it extensively in the IT department.

To better understand Managed File Transfer (MFT), it’s useful to review actual use cases. I think of the City of Guelph as a prime example of what prompts organizations to migrate from simple consumer-grade Enterprise File Sync and Share (EFSS) for file transfer to more robust and secure MFT.

A growing number of organizations are fighting an age-old battle – just using new weapons. With easy access to web-based tools for sharing files, employees often circumvent sanctioned means of transferring files in the workplace. This causes IT all kinds of headaches. But it can lead to even bigger problems for the organization, especially when the files being transferred are highly confidential in nature. This is a key reason many organizations are driven to look at MFT systems. MFT provides better visibility and control, primarily to meet the demands of regulatory compliance. It satisfies the need for comprehensive reporting and the ability to set business rules around who, or what systems, can send and receive files and when. In other words, it provides the “M” in MFT—the file management capabilities lacking in consumer-grade EFSS tools. This was why the City of Guelph adopted MFT.

The City of Guelph – a government agency in southwestern Ontario – had long used simple FTP to protect contracts, workplace safety documents, staff information, employment information, and citizen data. But over time, more and more city employees needed to transfer confidential files. According to Shibu Pillai, Technology Services, City of Guelph, “Every day, we’re transferring important, highly sensitive documents: contracts, citizen information, and CAD (Computer Aided Drawing) files.” And like many government agencies, the city needs to safeguard confidential information and satisfy information privacy requirements.

Many city employees turned to consumer-oriented, non-secure file transfer sites freely accessible via the web for these ad hoc file transfers. It’s no surprise that employees are attracted to these tools – they’re incredibly convenient. But by using them, they can put their organizations in a bad position. That was the case with the City of Guelph: employee use of these sites put the city at risk of violating Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and Personal Health Information Privacy Act (PHIPA) requirements. And those staff members that were not using these unsanctioned sites were putting a strain on the city’s infrastructure by sending large files up to 20 MB via city email servers.

By migrating from FTP to a managed file transfer system, the City of Guelph was able to address both of these issues. Specifically, it now:

  • Has a productive environment for sending files
  • Securely sends large files
  • Reduces the burden on its email systems
  • Reduces storage costs
  • Saves IT staff time
  • Meets MFIPPA and PHIPA privacy requirements
  • Is PCI-compliant with respect to any credit card payments made for the city’s services

For more details, view the City of Guelph Managed File Transfer case study.

[Image: car keys and new car. Caption: Will this car hide my bald spot, make me younger, slimmer, and more appealing in every way?]

So, what kind of file transfer solution do you need?  It can be a seemingly tricky question, with all the options on the market today.  More and more services emerge with what’s been called the “sync bubble”, and we all know what happens to bubbles.  No need for confusion, or to get wrapped up in the hype – let’s figure out what solution you need by taking a step back and talking about what you need it to do…

We all buy cars, right? When we’re thinking about buying a car, what is (hopefully) a key question in our decision-making process? Right after, “Will this car hide my bald spot, make me younger, slimmer, and generally more appealing in every way,” don’t we usually ask ourselves what this car needs to do? Does the car need to drive through 2 feet of snow, uphill, both ways, during the winter? Are you also planning to run a part-time piano moving service during the summer with your new car? If you find yourself answering yes to those questions, while test driving a Yaris, you may actually be in the market for a truck. The Yaris is a lovely car in its own right, but 2 feet of snow is probably over the hood, and your piano service better not line up any cargo bigger than my two-year-old son’s toy keyboard.

All kidding aside, I can tell you that EFSS and MFT solutions are different, but I’m probably only really helping you if I’m telling you what each is best suited to help you achieve.

What is EFSS?

Enterprise File Sync and Share (EFSS) services tend to focus on person-to-person synchronization, along with some collaboration and user management. Some solutions may provide some visibility/auditing features, depending on the vendor and subscription tier. A key defining trait of an EFSS service is that it is typically designed for, marketed to, and sold to end users, with IT folks left in the dark. Many EFSS vendors have recently added some administrative tools to appease IT managers, who are frustrated by the loss of control over their networks and the inherent security risks.  Rumor has it at least one major EFSS service even uses the same encryption key for all of their users (which is kind of silly, if the intent is to keep people outside of your organization from reading your stuff).  This is so well-known in enterprise IT that “just store it in (insert major EFSS vendor)” is a running joke for workers in the data protection field.  Regardless of efforts to enhance security, EFSS services are still end user focused, resulting in many enterprise IT managers actually blocking EFSS services from their corporate domains to maintain control of their networks.

What is MFT?

Managed File Transfer (MFT) solutions support person-to-person file sharing with added security and visibility, and they really shine with automated system to system file processing capabilities, including file transportation, translation, encryption, sorting, filtering, routing and compression, to name a few. You won’t find file processing automation tools in the sync bubble, beyond your basic synchronization.  IT managers can also configure transfer workflows over all the standard, established protocols, using an MFT solution.  The right MFT solutions (who are we kidding…certain Ipswitch MFT solutions) won’t have (any) transfer size limits, whereas EFSS solutions and even many other MFT solutions will have file size limits that won’t support many large file types (high def videos, MRIs, CAD/design files).  Think piano in a Yaris.

MFT solutions have to work – and work well – for end users. But they also provide the robust administrative toolset that IT managers need to ensure security and compliance.  While EFSS services aren’t typically backed by an SLA offering uptime guarantees and credit schedules for downtime, MFT solutions offer robust SLAs, guaranteeing access to your business critical files.

Which solution should I use?

Let’s consider some use cases and which solution might be right in each situation:

When it comes to moving and processing files, you’ll need to know where it’s going, how it’s going, and what happens to it upon departure, en route and upon arrival.  Will you be exchanging files with colleagues, customers, or patients? Just with yourself, between devices? With friends and relatives? Do you need to be able to see every single person, action and file that touches your solution in audit logs, for compliance reasons? While not an exhaustive list of questions, these are key ones to ask.  Do you need to move a piano?

These issues matter because they help determine the capabilities and service availability that you’ll need in your solution.

  • Your automated file movement may be triggering order fulfillment for your products. If the files don’t make it from location A to B, you may lose orders, customers and money…
  • You may be processing 5GB videos, from around the world, and need to get them turned around in a matter of hours for your end clients.  If the videos don’t make the transfer or take too long that video content gets stale, and loses value…
  • If you’re a medical oncologist and you can’t review your patient’s latest MRIs because the service is down or the data corrupted, you may not be able to treat your patient…
  • If you’re sharing baby pictures, your parents won’t lose clients, money or patients if they can’t see the pictures for a few hours…

In the first few cases, what you’re planning requires the enterprise class 4WD truck, to move your piano in an automated and secure fashion that your business depends on.  In the latter, you’re likely well suited with the Yaris.  They do get great mileage…

In my next post, I’ll cover what to look for in a service level agreement for this type of solution.

As you consider your MFT and EFSS options, check Osterman Research’s white paper: Evaluating Managed File Transfer in the Cloud: http://resources.ipswitchft.com/Evaluating-Managed-File-Tranfer-in-the-Cloud.html

[Diagram: Managed File Transfer access for end users. Caption: A complete MFT system needs a range of client options that allow end users to exchange files simply, and transparently.]

Businesses exchange files. That was the basic premise of my last post, and the foundation on which I made a case for Managed File Transfer (MFT) as a critical category of infrastructure software behind B2B processes. I’d like to expand on that this week, to talk about the role people play in file-based business processes, and what that means for MFT.

Business processes (sometimes) involve people. Seems simple enough. So what?

For starters, that means MFT systems have to support people with tools that help them to do their job, while protecting all of the things that make MFT necessary in the first place. To do this, a complete MFT system needs a range of client options that allow end users to exchange files simply, and transparently. Along with this, they need the peace of mind that machinery is in place in the background to handle:

  • Security
  • Reliable and verifiable receipt of delivery
  • Large-file handling
  • Scalability
  • Uptime protection
  • Visibility in all the comings and goings of files across critical, file-based business processes
  • Non-repudiation and proof of file integrity

Imagine an auto insurance company handling its most basic business process: claims adjustment. Without getting into messy details, the basic process involves the receipt of claims and validation that the claim can be paid, often after several loops of workflow with law firms, body shops, the customer, and so on. Files change hands in these workflows – and all of them are in some way material to the claims-adjustment process – as the insurance company works toward a final disposition on the claim.

The process involves a number of people, from the claims adjusters at the insurance company, to the clerks at partner law firms, to the poor customer sitting at the requesting end of the workflow, wondering if he is going to have to pay out-of-pocket for the unfortunate incident in the mall parking lot (I’ll call him Joe Fenderbender). Files will likely flow between several pairwise combinations of these players, and there may even be multi-party access to the same files at some point in the process. But the players are not equal partners in the exchange, and have different needs when it comes to tools to support their role.

Email alone isn’t sufficient for getting business done

Today, a lot of business gets done with email, and a lot of files move as attachments. Consider that a vast majority (84%) of the respondents to our third annual survey about data security send classified or confidential information as email attachments. But could you possibly imagine a worse tool for structured file exchange? Just think about the signal-to-noise ratio, for starters. Not to mention, most mail solutions handle very large files poorly – a real challenge in an age of HD video and tens-of-megapixel cameras masquerading as smart phones. Mail servers were never meant to be content-management systems. While it may be possible to conduct business via email, it is probably not going to serve every aspect of our example process equally well. However, email likely plays a role.

[Image: Car Accident Claims Adjustment. Caption: After a car accident many files change hands between people as the insurance company works toward a final disposition on the claim.]

Consider, for instance, file exchange that takes place between the claims adjuster and our hero, Joe. It is probably reasonable to assume the insurance company has no control over the technology on Joe’s end of this exchange. So the easiest thing to do may be to employ plain-old mail as a way to communicate status, or receive/deliver materials. For security or compliance reasons, the insurance company won’t want to do this using traditional attachments (consider for example if Joe has whiplash, which could introduce patient information into the equation). Instead, they will employ a secure-attachment option that provides Joe with a link to files securely stored in the MFT repository, for his eyes only. The company may even want to provide him with temporary access to a Web-based upload/download space where files can be staged for the duration of the adjustment process. You can imagine the role email might play in this workflow of the process, since Joe is a temporary participant, with unknown skills and equipment on his end of the exchange.

Managed File Transfer streamlines file-exchange workflows

For contrast, consider the relationship between the insurance company and a partner body shop. In this case, the relationship is a little more permanent, and the two partners will likely have a more streamlined workflow in place, possibly with a durable shared upload/download space, and client technologies that make exchange very easy. In this case, the exchange might be better served by traditional FTP clients, or possibly a simpler background-synchronization option that links folders at the two parties’ locations through a central store, hosted by the insurance company. Email may still play a role, but because of the volume between these trading partners and the durability of their relationship, it makes more sense to use tools that are more tightly tied to the MFT system. These tools – and this integration – should make their exchange workflows quicker and simpler, so that all exchange is bagged, tagged, and verified in a more structured way with minimum friction.

You could even imagine a claims investigator from the insurance company employing his smart phone to collect photographic evidence at the body shop, or at the accident scene. A mobile MFT client would tie those collected files directly to the claim to speed processing, and keep all the evidence and artifacts in one place, stored securely.

Let’s pull back and take stock for a moment. In one simple business process, we have just imagined several types of file sharing workflows, and several types of tools to support those activities. We’ve covered:

  • Secure email attachments for exchange between temporary parties
  • Web-based file upload/download, and structured storage for universal access
  • Folder synchronization for simple, durable exchange between tight partners
  • Traditional FTP clients for cases of bulk upload, or automated exchange
  • Mobile access and file origination for employees in the field

My simple thesis is: All of these tools are necessary for end users of an MFT system today. And it follows that a complete MFT system will support a variety of exchange models and tools to make these options possible.

The digital world changes quickly, and IT departments find themselves on their heels a lot these days. IT has to serve the core processes of the business, protect the business with security and compliance coverage, and do all that with tools that bring end users along for the ride.

When it comes to MFT, bringing end users along has become more of a challenge than it used to be. That’s because end users have been targeted over the past few years by a number of consumer-grade, cloud-only file sharing services offering incredible ease of use for a very narrow synchronization and sharing use case.

As research firm Ovum states, “The shift in the balance of power from corporate-led to consumer-driven IT innovation has in part been caused by the cloud, since it has provided consumers and line-of-business managers with an alternative range of services that run independently and are competitive with the portfolio of applications provided from on-premise corporate IT infrastructure.”

This movement has largely been driven by the proliferation of mobile devices, and the desire to have all of one’s stuff on any of one’s devices, available at all times. It’s no wonder a Gartner survey found CIOs expect mobile technology will be the most disruptive force in the enterprise for the coming years. Users have eaten this stuff up, and that has led them to expect a level of usability, polish, and capability when it comes to the exchange of files.

That users employ these tools for their own “personal cloud” is fine, but when usage bleeds into business workflows, IT managers tear their hair out. These services store critical data offsite, have no guaranteed security, and are not under the visible control of the business. But the damage is done, and IT knows whatever they deploy to gain back control over business file transfer has to meet the changed end-user expectations for ease of use, convenience, and seamless fit in users’ existing workflows.

Modern MFT systems like Ipswitch MOVEit  provide a full range of client options, including all of the options mentioned above, to serve our customers’ business-critical workflows – even the workflows that involve people who expect more today than ever before.

I appreciate feedback. Are you concerned with the tools your people are using to move files? Are you confident that they enable your employees to be productive while ensuring IT and the business meets their security, internal auditing and external compliance requirements?

Businesses face a real threat – their employees. That’s right, increasingly tech-savvy employees have turned to a diverse range of file transfer tools that are beyond the sight of IT management.

[Image: personal file sharing leads to enterprise risk]

Employees see webmail, file sharing services, cloud storage, USB sticks and smart devices as easier to use than traditional corporate tools to transfer files. But this trend ignores the security risks and regulatory implications of using file transfer methods entirely outside of corporate control.

Here are five things you should know about your employees’ habits and the need for secure file transfer technology:

1) Insecure means are used to send confidential files.
Recent surveys we have run to monitor user behavior found that a vast majority (84%) of respondents send classified or confidential information through corporate email attachments. Of those, 72% do this at least weekly and 52% daily. That means employees are using unsanctioned tools in record numbers, resulting in a lack of visibility and control.

2) Many employees use personal email to send company documents and data.
Users may think they can’t afford delays or slowdowns associated with jumping through perceived hoops to send out information and files that keep business humming. And if the business doesn’t provide the tools they need to send large and confidential attachments, or if the processes and technologies are too difficult to use, then users will take matters into their own hands – and their own email.

3) Employees are using consumer-grade file transfer services for business purposes.
If the corporate email system limits the size of file attachments or if IT vetoes service requests, resourceful employees don’t throw up their hands in resignation: they look for workarounds. And the growing popularity of file transfer sites and cloud services aimed at consumers is making it easier for business users to sidestep IT. More than half of the users we surveyed admitted they use these services.

4) Risk of data theft is high.
When business users aren’t turning to personal email accounts or free file-sharing services, they may be putting files on USB thumb drives, smartphones or other external devices. Unfortunately, our market research shows that almost one-third of users had lost a USB device, smartphone or other external device containing business or personal information – a tremendous risk for any organisation.

5) IT Management Visibility into Data Management is Low, Putting Businesses at Risk.
Most companies create and maintain policies that mandate the use of approved tools for moving and sharing information. However, our research shows fewer than 32% strictly enforce these policies, making these mandates largely meaningless. No visibility means no compliance with internal policies or external regulations and laws.

The file sharing habits of employees can be risky but are driven by their desire to get work done. The business need and IT desire to control file sharing are equally important. Fortunately, companies don’t have to choose between risky behavior and productivity. Using secure managed file transfer technology, employees can get the convenience, ease-of-use, and speed they need while IT and the business get the control, visibility, security and compliance they need.

Are Your Employees Putting Your Data at Risk? eBook

Every organization that values security is facing challenges in how it secures information shared between people, either inside the company or with people outside the company such as customers or partners.

Jeff Whitney, VP of Marketing, sat down with Enterprise Management 360 Editor David Tran to discuss trends and issues around person-to-person file sharing within business. 

EM360°: What are you seeing as the key trends today impacting person-to-person file sharing within businesses?

Jeff Whitney: There are essentially three key trends in person-to-person file sharing.

First of all, taking a few steps back, it has only been a few decades ago, in a work world that’s now long forgotten, that IBM mainframes ruled the world. In the good old days, the vast majority of confidential company and customer information was locked down in those mainframe computers. People were only able to access it by wading through computer printouts, or if they were lucky, by accessing large cathode ray VCT terminals. People couldn’t get hold of that information and risk sharing it elsewhere.

But today, the work world is entirely different. Today businesses are dominated with knowledge workers who have personal computers, and each one is far more powerful than those old mainframes. These PCs are filled with confidential company and customer files.

The second trend is that, with all the information that knowledge workers have, they are sending an ever-increasing volume of information to their extended enterprise; to their suppliers, shipping vendors; and their customers and every imaginable type of data being shared including legal documents, patient records, loyalty data, package locations, insurance claims, account information, purchase orders, x-rays, test results, and investment information, just to name a few.

The third trend is, with all of this going on, IT hasn’t been able to keep up with this flow of information, and there is a plethora of easy ways that employees can use to transfer files. For instance: company email, personal email and consumer collaboration systems like Dropbox.  Employees are using these non-secure systems because IT hasn’t been able to provide them with solutions that are convenient enough. They are not knowledgeable of these security risks, and all they want to do is get their work done.

EM360°: From a corporate perspective, what security risks and challenges are therefore in place that management, IT and security professionals need to be aware of?

These file-sharing techniques that employees are using can create security breaches. Even company email is often not secure as it is coming across in an unencrypted way.

You could be breaking corporate compliance obligations — if you are in financial services, in healthcare, or any number of other places who have policies or compliance regulations.

There is a true lack of visibility of audit trails. You lock down your cash, so you know what is happening to your cash. And yet knowledge is regarded as far more important to businesses, or at least as important as cash. Yet, we are letting that knowledge flow back and forth in very non-secure manners. And the reality is who will get in trouble if that happens — is it the employee who sends it? Definitely. But equally, the senior manager is going to walk into the IT department, asking why IT hasn’t provided their workforce with solutions that can protect and secure the data and provide the governance and compliance the business needs.

EM360°: So now let’s get to the survey. We see your eBook states that 84% of respondents acknowledge they send classified or confidential information as email attachments. That’s astounding. What do you see driving that behavior?

It is really driven by the fact that employees are just trying to get their job done. They are surrounded by solutions — personal email, consumer collaboration tools — that allow them to share information in a very easy to use and rapid form. They carry that over into their work lives. If they know that they could send a file very quickly using a readily available consumer tool, they are not going to wait around for a member of the IT department to help them.

I think it’s actually very appropriate to discuss the magnitude of file-sharing. You mentioned that 84% are using or sending confidential information using these kinds of tools. In that 84%, they are actually sending classified emails with email attachments, which, as I have reiterated before, is not secure.

Almost three quarters of those — 72% — are doing it weekly, and more than half are doing it every day. This is a major issue.

In fact it gets even worse as employees aren’t using only their work emails, but instead are using their personal email. Some 50% are using their personal emails to send over work attachments. 40% say it’s because it is faster and more convenient. 35% say it is because of file size issues. And 30% say their IT department can’t monitor or audit. They are sending over confidential company information, and for some reason, they do not want IT to monitor that. It’s wrong.

Additionally, 50% are using file sharing websites, and of those, a quarter are doing that weekly, and some of those websites are well known for data breaches and have been publicized for it over the past few months.

EM360°: Jeff, there’s a set of risks in place with most organizations today. So what can companies do to balance the needs of the employee vs. the organization?

What companies need to do is to provide secure managed file transfer capabilities for their employees that they will readily adopt. These tools need to be convenient, straightforward, and allow fast transfer of knowledge. And for the business, they need to provide the security and governance (control, security, compliance) that companies demand. You need to have both; it isn’t just one or the other.

IT isn’t just sitting on resources that are readily available to attack any issue. This issue has just blown up so quickly that IT has been slow to respond. Our survey shows that only 25% of IT organizations actually enforce the usage of IT-sanctioned tools. Only about 40% of organizations have visibility into the movement of their confidential data in and out of their business. And only about 15% receive confirmation of when critical data is being delivered.

As I said, IT organizations haven’t been able to catch up with this trend, and they haven’t provided the solutions that are out there to address this.

EM360°: So how is Ipswitch File Transfer addressing this increasing need that you’re seeing for secure person-to-person file transfer within organizations?

Ipswitch File Transfer has a long history of providing managed file transfer capabilities for organizations, specifically for IT to manage these issues.

Our MOVEit™ Ad Hoc Transfer solution enables employees to send and receive files and messages between individuals and groups using an Outlook or a simple browser interface.  MOVEit™ meets employees’ needs for convenience, ease-of-use and speed and IT’s need for governance, including control, visibility, security and compliance.

EM360°: Jeff, thank you for sharing your insights with us. The eBook Jeff mentioned is available and includes the full details of the research we have cited around the risks of person-to-person file transfer within business.  

I recently attended SecureWorld Detroit and engaged in two days of conversation with top security, IT and risk management professionals.

There was a single theme that I heard the loudest and clearest from the security community:

There is growing concern for how employees transfer files in an ad hoc manner to those outside the organization. Employees are quick to turn to Dropbox or YouSendIt to step outside of file size limitations or email speed issues, without realizing the consequences of their actions.

We heard this consistently across multiple industries – Retail, Healthcare, Financial Services, Banking, Government, Automotive.

We heard this from organizations large, medium and small with requirements to manage file transfers with partners, customers or vendors, and in some cases with international and global reach.

It was said in different ways but it came down to the security teams seeing significant risk for leakage with their current situation today. Some soundbites:

  • “We need a person to person file transfer solution”
  • “My users want to send large files through YouSendIt. Right now I just keep saying ‘No’, I’d rather have a solution to offer them.”
  • “We need to support an ad hoc file transfer requirement for our users”
  • “I have people using Dropbox today. It is absolutely unacceptable from a security standpoint, but we need to offer them an alternative.”

This risk around person-to-person file transfer is not going away; it’s getting worse by the day as more and more employees rely on personal email and cloud-based services to transfer data. The potential for leakage is amplified when you consider other data transfer devices such as USB drives and personal email use.

We have done extensive research in this area and we have a Research Report summarized in a graphical eBook which will be published later in October. Titled “Are Your Employees Putting Your Company’s Data at Risk?”, this report helps bring the current problems to life with a picture of how users are behaving today.

There is so much to absorb at RSA Conference.  The largest gathering of security vendors, solution providers and practitioners in the U.S. certainly didn’t disappoint as the Moscone Center was buzzing with security education and of course lots of thought provoking conversations.

Many of the people I spoke with shared similar concerns of data breach risk, tighter compliance and auditing requirements, and their lack of visibility and control over the tools that people are using inside their organization to share files and data with other people.  IT leaders are feeling pressure (and rightfully so) to regain control over how people share files with other people.  It was also great to hear so many people talking about migrating to the public and private clouds in order to take advantage of benefits such as quick provisioning and elasticity.

My favorite conversations at conferences are usually the ones I have with current customers…. And RSA was no exception.  Quite frankly, the key insights I learn from talking with customers help me do my job better.  Many thanks to the dozen or so Ipswitch customers that stopped by our booth and shared stories of how they have successfully consolidated and replaced the various homegrown file transfer tools and scripts, various vendor products, and manual processes they had been relying on with an Ipswitch MFT solution, resulting in improved efficiencies in their business processes as well as a simplified way to demonstrate compliance and consistently enforce security policies for all their file transfer and file sharing activities.

Looking back at 2011, we saw more and more employees using consumer-grade (and often personally owned) file sharing technologies such as USB drives, smartphones, personal email accounts, and file sharing websites to move sensitive company information.  We’ve learned that employees will “do what they need to do” to be productive and get their job done… And if IT doesn’t provide them with the right tools, they will find their own.

2011 was also a record-breaking year for data breaches.  Coincidence?   Perhaps.  But there is no denying the fact that the increased use of non-sanctioned technology in the workplace has created a security loophole in many organizations.  It will become increasingly important for organizations to mitigate this risk to avoid a failed security or compliance audit or worse, a data breach.

Ipswitch can help your organization meet the security, usability and visibility requirements for file sharing.  For example, our Ad hoc Transfer module for MOVEit DMZ enables organizations to enforce consistent policies and processes around person‐to‐person file transfers ‐ email encryption, attachment offloading, secure messaging, eDiscovery, and more.  It not only gives companies unparalleled governance, but it also allows end users to send information to anyone in a fast, easy, secure, visible, and well managed way.

We will be talking a lot more about the topic of person-to-person file sharing in 2012, so stay tuned….

“My company still relies heavily on FTP.  I know we should be using something more secure, but I don’t know where to begin.”

Sound familiar?

The easy answer is that you should migrate away from antiquated FTP software because it could be putting your company’s data at risk. Unsecured data is obviously an enormous liability.  Not only does FTP pose a real security threat, but it also lacks many of the management and enforcement capabilities that modern Managed File Transfer solutions offer.

No, it won’t be as daunting a task as you think.  Here are a few steps to help you get started:

  • Identify the various tools that are being used to transfer information in, out, and around your organization.  This would include not only all the one-off FTP instances, but also email attachments, file sharing websites, smartphones, EDI, etc.  Chances are, you’ll be surprised to learn some of the methods employees are using to share and move files and data.
  • Map out existing processes for file and data interactions.  Include person-to-person, person-to-server, business-to-business and system-to-system scenarios.  Make sure you really understand the business processes that consume and rely on data.
  • Take inventory of the places where files live.  Servers, employee computers, network directories, SharePoint, ordering systems, CRM software, etc.  After all, it’s harder to protect information that you don’t even know exists.
  • Think about how much your company depends on the secure and reliable transfer of files and data.  What would the effects be of a data breach?  How much does revenue or profitability depend on the underlying business process and the data that feeds them?
  • Determine who has access to sensitive company information.  Then think about who really needs access (and who doesn’t) to the various types of information.  If you’re not already controlling access to company information, it should be part of your near-term plan.   Not everybody in your company should have access to everything.
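
As an added illustration of the first step (not part of the original post and not Ipswitch tooling), this sketch tallies which transfer channels appear in outbound connection records and who uses them. The log format, the watch lists and the sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample egress records: "date user dest_host dest_port bytes_out".
# The format is an assumption; adapt the parsing to your proxy or firewall export.
SAMPLE_LOG = """\
2012-01-09 alice ftp.partner.example 21 5242880
2012-01-09 bob www.dropbox.com 443 73400320
2012-01-09 carol mail.google.com 443 2097152
2012-01-10 alice ftp.partner.example 21 1048576
2012-01-10 dave www.yousendit.com 443 31457280
2012-01-10 bob intranet.corp.example 443 4096
malformed line
"""

# Hypothetical watch lists; extend with the services seen in your environment.
FILE_SHARING = ("dropbox.com", "yousendit.com")
PERSONAL_MAIL = ("mail.google.com", "mail.yahoo.com")

def host_in(host, domains):
    """True if host is a listed domain or a subdomain of one (not a lookalike)."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(host, port):
    if port == 21:
        return "plaintext-ftp"
    if host_in(host, FILE_SHARING):
        return "file-sharing-site"
    if host_in(host, PERSONAL_MAIL):
        return "personal-webmail"
    return None  # not a channel this inventory tracks

def inventory(log_text):
    """Return ({channel: {users, hosts, bytes_out}}, skipped_line_count)."""
    found = defaultdict(lambda: {"users": set(), "hosts": set(), "bytes_out": 0})
    skipped = 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 5 or not (f[3].isdigit() and f[4].isdigit()):
            skipped += 1  # count unparseable records instead of dropping them silently
            continue
        channel = classify(f[2].lower(), int(f[3]))
        if channel:
            found[channel]["users"].add(f[1])
            found[channel]["hosts"].add(f[2].lower())
            found[channel]["bytes_out"] += int(f[4])
    return dict(found), skipped

if __name__ == "__main__":
    print(inventory(SAMPLE_LOG))
```

The per-channel user and host sets give a starting list for the process-mapping and access-review steps that follow.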

Modern managed file transfer solutions deliver not only the security you know your business requires, but also the ability to better govern and control your data, as well as provide you with visibility and auditing capabilities into all of your organization’s data interactions, including files, events, people, policies and processes.

So what are you waiting for?