We all know it and are no doubt tired of hearing it, but in today’s global technological landscape, there is an ongoing and increasing danger of being hacked.
These hacks are increasingly sophisticated, but many could have been prevented by eliminating human error, encrypting data or effective security awareness training. It makes sense to eliminate potential weak points and the file transfer process, in many cases at least, is one of them. Rather than rehash the dangers of data in motion vs. at rest, Shadow IT, or social engineering, let’s assume that companies want to protect their sensitive information and that of their clients, suppliers and other contacts.
If you handle credit card processing, then you must comply with PCI-DSS, if you handle clinical data such as medical records, then you must comply with HIPAA and likely PCI-DSS as well. Other requirements, depending on jurisdiction/state laws, require compliance with identity theft or data privacy legislation. The University of North Carolina offers an excellent list of examples of sensitive data.
Whether you call it personally identifiable information (PII), protected health information (PHI), or employee data, it’s all sensitive, and in the wrong hands, data can be used against the compromised target in the form of identity theft or financial fraud.
Data Must Be Shared
The key issue is that data is typically shared and not always in an efficient manner. In the banking, financial services and insurance (BFSI) industries, a wide range of data is shared in a manner required to do business. Credit checks, for example, require banks to share data, making Equifax a logical target for hackers in 2017 (exposing the sensitive data of 143 million Americans).
Financial reports, customer statements, account updates and much more is shared between banks or backed up to a central server. With the rise of fintech, smart payments and other financial services, data sharing is even more common. Data analytics, big data and resulting targeted marketing all add to sharing requirements.
Healthcare is another industry that is a primary target as providers habitually store and share both clinical and financial data, whether it’s with insurance companies or medical professionals who are necessary to provide consults or enhance the level of medical care involved. If a provider is not involved in a patient’s care, clinical information (with PII removed) may be shared without the patient’s permission. Given the attractive nature of the target, it’s no surprise that many healthcare hacks took place in 2018.
Like the hackers, I have focused on finance and healthcare, but the problem is common to all who store sensitive data, and who doesn’t? Do you share sensitive data with others? If so, then you need to consider your file transfer process. Regulations do not instruct organizations on how to secure data but rely on them to perform due diligence, penalizing those who fail to comply. Ignorance is no defense given the number of well-publicized examples of data breaches in all industries.
Why Not Transfer Files Securely?
Companies must look at a means of securing sensitive data but, only in a way that improves efficiency and enhances business operations and processes. Compliance with governing standards and regulations is also necessary, but this will vary according to industry and location. An effective file transfer solution will handle all of it, despite aging legacy infrastructure (a complaint common to the banking industry), platform type or business size.
Why not eliminate repetitive tasks and so-called ‘busy work’ by automating them in a way that frees up time for tasks that need manual intervention? It makes sense to me, at least. The advantages to automating file transfer tasks (rather than sharing them haphazardly by email, cloud sharing or as an attachment in a VoIP chat window) include but are not limited to the following:
1. Centralized Control
With dedicated (carefully selected rather than ambitious) staff responsible for building, scheduling and managing file transfers, the likelihood of human error caused by repetitive data entry is reduced. Batches may also be created for transfer at regular intervals.
2. One Solution For All Transfers
Rather than a myriad of options for file transfer, users only need to focus on one program. Less confusion and less creation of duplicates or omissions in file transfers.
3. Improve Data Security
Data is encrypted at all stages of the file transfer journey, with confirmation of delivery to the authorized recipient and complete logs of each transfer.
4. Real-Time Visibility
The file transfer status is apparent and any alerts such as failed delivery (due to connection loss or other interference) may be acted on immediately.
5. Improve Efficiency
When transfers are automated, it saves time, allowing administrators to spend more time on creating additional triggers and alerts that complement existing file transfer processes. While not all transfers will be automated, fine control of manual transfers is also possible, whether you transfer large files or require a once-only scheduled transfer.
6. Option For Multi-User Automation
Administrators can easily create triggers per user. This is especially useful for database updates or end-of-day backups to a central server.
7. Easier Compliance
As everything is tracked and recorded in a log file (that cannot be edited), compliance with a wide variety of regulations is possible.
8. Audit Trail
A key feature of managed file transfer solutions is that each file transfer is fully auditable, recording who sent it, when, and who received it. In the event of a data breach, such evidence is a major timesaver that is impossible using traditional file transfer methods. It can also prevent the financial penalties and reputational damage often associated with a successful data breach.
In conclusion, unless you want to take on the nightmare of managing FTP server sprawl and scripts, it can’t be ignored that automation for file transfers is only feasible with a managed file transfer solution. With growing compliance requirements, every company must consider the implications of a data breach in the minds of their customers. Trust is a commodity that companies cannot ignore, and once it’s lost, few will recover. As a consumer of a variety of services, I expect all companies to secure my PII. If it’s compromised, and I discover later that my selected companies did not implement basic security precautions, it’s an easy task to select an alternative service… and a lawyer.
What do you think? Are companies obligated to secure all data in a vault (even if a virtual one), only accessing it or sharing to do business, or are they entitled to mine it for all possible info and share it as they wish for marketing purposes?