Like it or not, today’s world is a connected one, and data is shared at an alarming rate between mobile device users, company networks, and cloud services (including social networks).
We must have the ability to share data on the go as we no longer have the patience to wait for updates until the next business day until you return to the office or even until you finish your lunch. Convenience is the name of the game, and if we must sacrifice security and privacy in the process, that’s the price we pay. Right?
Nope, companies are held responsible for their user failings when sharing data, via a wide range of data and privacy regulations that vary according to jurisdiction, industry, and activity. Most impose financial penalties that pad the coffers of government departments and without compensating the victims. Their main aim is to act as a deterrent to companies, leaving the actual victims to pursue civil cases or class action suits. As if that wasn’t enough, the legal profession has another lucrative angle to cash in on suspect data sharing activities – e-discovery, a marvelous invention designed to waste company time and money on data forensics – converting data to ‘human-readable’ format to provide an audit trail in court. Note than even voicemail and social media are included, so files certainly are.
Get Ready, Before It’s Too Late
Despite all of these hazards, each with the potential for hefty fines, costs, and reputational damage, many companies and users fail to consider either security or privacy when dealing with sensitive data. This makes it easier for hackers who seek valuable data for criminal or malicious use, such as ransom demands (via ransomware) or identity theft.
Companies must review their file sharing practices, and users should ask themselves a few questions before sharing a file. These include but are not limited to:
- Is it essential to share this file?
- If a hacker, rival client, or customer obtained it, what is the impact on the company? – estimate the risk involved.
- If your personal information were attached to the file, would you still send it? – If not, then the information of others deserves the same consideration?
Okay, with questionable file sharing activities and their penalties mentioned, how about mobile device usage in this area? Does it add additional risk?
Some claim the ability to access data on the go has never been more critical, BUT it needs to be encrypted to the highest standard at rest and in motion to meet compliance obligations. I agree in principle, but there is a world of difference between accessing data and transferring it to another user or location.
Noteworthy use cases for transferring files include doctors and nurses who need to access PHI on the go from mobile devices during the pandemic. Insurance adjusters must send photos back from their mobile devices securely to their claims department for processing. Legal teams often access briefs remotely in court, and the industry as a whole is leaning towards eliminating paper-based documents.
However, regardless of use case, when it comes to mobile devices and security, there are many concerns and considerations before using them to transfer files. These include but are not limited to:
Types of Devices
Whether it’s a smartphone, tablet, phablet, laptop, hybrid, or any internet-enabled device, most savvy companies will have an approved vendor list or preferred device suppliers. Companies typically make their selection based on performance, technical specs, or budget, ignoring calls for boycotts of products based on unproven national security issues.
Whether it’s Windows 10, Android, iOS, ChromeOS, or a Linux distribution, companies will select options compatible with their infrastructure and expertise, securing new devices effectively as they are added. The OS version may also be an issue, and most will try to ensure the latest secure version is active, scrapping older versions as support ends. This change frequently requires a new device.
Companies must decide on their approved apps and limit access to potential threats, including other apps that require excessive permissions during installation. Approved security software such as VPNs, antivirus, and malware detection must be installed.
Users must be wary of connecting to public Wi-Fi, especially if unsecured as such hotspots are easily hacked.
Bring your own device (or downfall, as I see it) is commonly known as BYOD, and the whole concept baffles me. You spend the price of a few 4K TVs (or at least one) on a smartphone, and you then allow your employer to use it for their business activities. Note that I believe IT must have full control of all devices connected to their network, including a remote wipe function if a device is lost or stolen or the employee leaves the company. It’s just commonsense as is my recommendation that companies provide employees with devices if they expect to contact them outside office hours or indeed outside the office.
If you must be part of a BYOD scheme, please ask IT to encrypt and partition the device to ensure that business and personal activities are kept completely separate. You don’t want to lose all your personal photos and data if the device is remotely wiped later.
Whatever the use case for sending and receiving sensitive data on mobile devices, email, enterprise file synchronization and sharing (EFSS), and other file sharing solutions can have severe repercussions in terms of security and compliance. Even commercial solutions often lack an audit trail or involve suspect privacy policies. To remain compliant with GDPR and other regulations, including PCI-DSS, data must be encrypted (at rest and in motion). IT must attempt to enforce the same security standards for mobile devices like the ones on their own in-house IT infrastructure. This is never achieved without user involvement, and every user must follow the same security guidelines as on their wired desktop computers.
In conclusion, selecting the ideal secure file transfer solution is just part of the process. Check out the free trial of Progress MOVEit, which includes a secure mobile app. You may have the best available solution for file transfers, but what’s the point if the device itself lacks security? Apps can aid the transfer of files from your computer to your device, or you could just use Bluetooth or a compatible USB cable for direct transfer. The key element for e-discovery is that data movement is tracked, regardless of the method used. Why bother if the user generally uses public unsecured Wi-Fi? Wouldn’t permission-based access to a central data repository be a good idea? Do you need to invest in data loss prevention (DLP) or mobile device management (MDM) solutions? Why do companies persist in sharing data with those who do not need to see it and then act surprised after a data breach or compliance failure?
What do you think? Are your file sharing activities above reproach, or is there room for improvement? To maximize investment return on your file sharing solution, secure your mobile devices as well, using some or all of the tips included in this post. A lot of questions without answers, but the final decisions are yours to make—best of luck.