Companies rely on data transfers to communicate between departments and with clients. When transferring data between different people, however, there are several risks if these data transfers are insecure.
If insecure file transfer methods such as unencrypted email or cloud services are used, companies can open themselves up to potential exploitation by malicious actors. These actors could look to utilize methods including poisoning uploads with malware or intercepting files to gain access to confidential data.
Cyber Security Hub research found that 30 percent of cyber security practitioners say the most dangerous threat at their organization is a lack of cyber security expertise. When considering data transfer security, one of the main risks is employees using unsafe practices because they do not understand the risks involved.
In this article, Cyber Security Hub explores how companies can apply secure file transfer practices without affecting the efficiency of their business along with insight from Fortra and key learnings from cyber security practitioners at Sanne Group, MainSpring and Cyber Security Hub’s Advisory Board.
The current state of data practices
Data transfers refer to the sharing, collection, or replication of large data sets from an organization or business unit to another. These transfers carry several risks including account compromise, the introduction of malware to an organization, or loss of confidential control.
Chris Bailey, senior product manager at cyber security software company Fortra, notes that the main risk to data transfers is lack of security. “Without proper security in place files can be intercepted, confidential data can be leaked, and data could also be passed to unauthorized recipients,” he remarks.
When considering the most dangerous cyber security risks, research for Cyber Security Hub’s Mid-Year Market Report 2022 found that 75 percent of cyber security practitioners considered social engineering – also known as phishing attacks – to be the most dangerous. Additionally, more than two-thirds (36 percent) of cyber security practitioners cited third-party risks, while 16 percent said that endpoint security issues were one of the most dangerous threats. These risks can be incurred when unsafe data practices are utilized.
Ray Steen, CSO at fund management company MainSpring, explains how. He says: “First, malicious actors can intercept sensitive files if they are shared through insecure means. Second, they can exploit insecure file sharing methods to poison uploads, distribute malware, and install backdoors in your organization’s network.”
Steen goes on to share that insecure file-sharing can occur in many ways. Employees may bring their own cloud services to work, they may use free file-sharing services with poor security standards, send files through social media or unencrypted email, use an app that bypasses an organization’s internal firewall, or use a protocol like File Transfer Protocol (FTP) that exposes credentials in plaintext.
Energy company Shell suffered a data breach in March 2021 following the compromise of its file-sharing system. A third party gained unauthorized access to several files through the file transfer service. However, as the file transfer service was separate from the rest of Shell’s digital infrastructure, they were unable to access any of Shell’s core IT structures. The breach was investigated and the vulnerability that led to the breach was addressed. It is only due to using a secure file transfer service that the breach was unable to progress further, demonstrating the importance of employees consistently using a secure service to transfer files.
Creating a work environment where employees can better understand data transfer practices can help mitigate this. James Johnson, CISO at John Deere, notes that HR departments, team leaders, and managers play a huge role in creating a safe and inclusive work environment where employees feel supported. This helps make sure the employees are proficient in policies and guidelines, but also know how to handle data and report issues when necessary.
In the next section we will explore how businesses can properly educate employees on the risks of non-secure data transfer.
Educating employees on the risks of non-secure data transfer
Non-secure data transfers can happen because of employees not understanding the risks of insecure data transfer. Companies, however, can uphold data transfer security by ensuring that their employees receive appropriate training and have a full awareness of the cyber security risks of non-secure data transfers.
Research for Cyber Security Hub’s Mid-Year Market Report 2022 found that 30 percent of cyber security practitioners believe that lack of cyber security expertise is the most dangerous cyber security threat their organization faces.
Fortra’s Bailey notes that a lack of awareness or training on threats or on how to use the more secure alternative can contribute to this. He explains that those organizations may not have standardized a secure file transfer method and users are left to find one for themselves.
When employees are left to use data transfer services they themselves select, even using supposedly trusted sources can have devastating consequences. In September 2022, cyber security researchers found that bad actors were using WeTransfer, a legitimate data transfer site, to distribute phishing links that contained Lampion malware. The files sent claimed to be a Proof of Payment document; however, when clicked on, the link downloaded a .zip file. This contained a VBScript which, when executed, downloads additional files from cloud-hosted services like Google Drive or Amazon Web Services. The Lampion malware could then be used to exfiltrate data and target bank accounts.
Meena Gupta, chief operating officer of moving company Nearby Movers, suggests that employees may not be aware of data transfer risks, especially if they are using data transfer sources that are very familiar to them, such as emailing attachments or downloading files from file transfer protocol (FTP) sites. They may also be unaware of more secure alternatives, such as transferring files using a secure data transfer service.
Gupta explains: “Even when employees are aware of the risks, they may still use insecure methods of data transfer because they perceive them to be easier or more convenient. For example, they may not know how to use a secure data transfer service, or they may believe that email is sufficient for transferring small files.”
During a discussion between members of the Cyber Security Hub Advisory Board, one member noted that the one thing that can never be accounted for is human behavior. The member explained that while their executive team believes employees need to be trusted to do what is right, in their experience employees do what takes the least amount of time, which may not protect the environment and data.
To combat this, the member explained that they must be innovative. “We try to empower our staff through education. So, when I get information about breaches and best practices, I share this with the staff, so they understand the risk of breaches, and that they are real and are a danger. That way it is easier for us to mitigate any risks that happen when breaches occur. We try and let people know how important it is to bring IT into conversations surrounding anything that may be an IT risk.”
In the next section we will look at how companies can ensure their data transfers are secure and efficient.
How to ensure secure, efficient data transfers
While education is integral for employees to understand how and why secure file transfers are necessary, their training should reflect the fact that human behaviour plays a large role in cyber security.
Ash Hunt, group head of information security at investment management company Sanne Group, notes that cyber security education programs fail when a program is built on awareness alone, as repeatedly telling users not to do something has little bearing on reducing loss events. This must be considered as it only takes one successful click for a payload or breach to cause a significant incident.
Hunt explains: “Behavior change is a far more effective approach by way of measurable risk reduction. All humans are unfortunately susceptible to cognitive and heuristic biases, so taking shortcuts or ignoring known guidance under pressurizing time constraints. A creative and well-designed behavior change program can combat this through numerous initiatives.”
A member of the Cyber Security Hub Advisory Board agrees, explaining during a discussion with other board members that they moved their cyber security program away from awareness and toward security and behaviour change. This meant that instead of making employees simply aware of cyber security risks, they created process alternatives and incentives to help employees change their behaviour around these risks. This equipped employees to know how to approach and avoid cyber security risks.
When considering how to implement secure data transfers, Fortra’s Bailey recommends implementing a standardized secure file transfer which includes encryption of data while it is in transit.
“The secure file transfer should also have incoming threat, data loss, and rights management protection. If these facilities are in place, are easy to use, end users are aware of the risks, and have proper training, the security risks should be removed,” he says.
Trans Am Piping utilizes secure file transfer and automation
Trans Am Piping Products, Ltd., a distributor of carbon steel piping components serving western Canada, wanted to create a singular, more secure way to do business with its customers with less impact on staff. To do this, it utilized GoAnywhere Managed File Transfer (MFT) and Automate from Fortra.
MFT delivers more than secure file sharing capabilities
The company initially sought out an MFT solution as it needed to satisfy a requirement of one of its customers. The customer had requested their invoices be sent to them via secure FTP with its encryption and authentication technology. Before this, the company primarily sent invoices via email and fax.
When comparing possible MFT solutions, Gordon Schneider, Computer Consultant for Trans Am Piping Products, found that GoAnywhere was “priced right for the needs [the company] had at the time.”
GoAnywhere automates and secures file transfers using a centralized enterprise-level approach. By incorporating MFT software, Trans Am Piping was not only able to securely transfer data but could also use it to read emails from customers and vendors.
Schneider noted: “The ability of the software to parse out text data is invaluable to us. We are able to process most customer Electronic Funds Transfer (EFT) payment advice and vendor invoices no matter what format they are sent in.”
Automate adds OCR capabilities
After using GoAnywhere for file transfers and translations successfully for around two years, Trans Am Piping added Automate to its software suite to read EFT payment details and vendor invoices that could not be read through other methods. Automate is Fortra’s Robotic Process Automation (RPA) solution.
Schneider explained that, before using Automate, the company was spending “several hours each week dedicated to trying to extract the necessary information.” The company chose the Automate solution as it wanted a tool that could economically provide Optical Character Recognition (OCR) functionality.
He added: “Automate OCRs our image PDFs and sends them to GoAnywhere as a text file for further processing. The two solutions work well together to complete the tasks we ask of them, and it has reduced the workload of our accounting staff. Automate gives us the ability to increase the number of customer and vendor documents we process in GoAnywhere.”
Data transfer is fundamental to businesses to send key documents both internally and externally. Insecure file transfer, however, can open businesses to a number of threats including malware, data theft, and account compromise, which can have potentially devastating consequences.
File transfer security is reliant on employees not circumventing the cyber security protocols put in place and not turning to insecure services.
To ensure all employees are in the best place to understand the importance of secure data transfer, companies should ensure all employees are properly educated on the risks of insecure file transfer. They should also verify that the secure file transfer service is easy to use, to prevent employees from circumventing it for ease. Additionally, the secure file service used should be robust enough to prevent attacks by malicious actors. While in transit, the data should be encrypted, and the service should also have incoming threat, data loss and rights management protection.
By doing this, companies can protect their employees, the business itself, and clients from cyber criminals and threats. By communicating these efforts with clients and customers, they can build trust in their cyber security and make sure that their file transfer services are used every time data sets are communicated both internally and externally.