An article by: David Tan, Chief Technology Officer, CHIPS Technology Group
It’s a typical paradigm in the computer industry, things seem to get simultaneously easier to do, just as it becomes more important to control them. The most recent case I can think of to demonstrate this, is sharing documents with parties outside of your organization. Communication and collaboration has become the norm, every business needs to share documents with business partners, vendors, customers, and prospects. The size and volume of these documents have grown to make simply emailing back and forth completely impractical. This has led to a growth of very simple to use file sharing services that users seem to be taking advantage of, many times even circumventing corporate policy or IT.
This is not meant to be a shot at any of these services. Offerings like Dropbox, or box.com are secure, robust platforms. The problem is most end users don’t take full advantage of the secure features, and simply rely on the ease of use to make sending critical business data back and forth a common task. The risk this opens the average company up to is immense. If you don’t take proper precautions, or at least know what data is going where, you lose control of a critical asset and create unacceptable levels of risk for the company.
I’d say this is a great example of what we call Shadow IT. Cloud services and solutions have become so easy to get started using, that many times employees don’t even bother to get IT, business owners, or typical decision makers involved in the process. Many times you don’t even need a credit card to start a 30-day free trial, and 30 days is more than enough time to send sensitive data that should not leave the company’s network to someone who can then share it completely outside of your control.
There are other risks involved in this as well. Probably the most common way we see of people getting their company network infected with a variation of the crypto virus is by opening a file sent to them via dropbox. When it becomes so common to share files and information this way, an employee’s diligence is inevitably going to drop. This leads to being too comfortable and way too careless. 5 minutes after clicking on an illicit file in a dropbox share, your entire network can be encrypted and compromised.
There are many ways to securely share files outside of your organization. Tools like the Adobe Document Cloud embed tracking and monitoring into file sharing. This ensures the data you send only makes its way to intended recipients and it is not shared. Citrix ShareFile is a file sharing solutions that integrates into the remote access tools you already have in place today, ensuring higher levels of security and compliance. Robust Data Loss Prevention tools allow you to actively monitor and control what data leaves your network and where and when it is sent. This type of solution also ensures critical assets don’t leave your borders without you knowing about it. These are just a few simple examples of how you can be doing this, and doing it smarter and more securely. The key is understanding the risks, finding the right solutions, and getting them implemented. Even before your roll out a DLP product or lock down your network entirely, there are steps you should take to protect your data:
- Monitor your network – look for file sharing programs running on all systems. Make sure you know who is running what and why. Finding an installed copy of dropbox on a system you didn’t know about is a great first step to figuring out what is going on.
- Monitor your network – look for file sharing programs running on all systems. Make sure you know who is running what and why. Finding an installed copy of dropbox on a system you didn’t know about is a great first step to figuring out what is going on.
- Educate your users – explain the dangers of sharing files and teach users how to be safe and secure when handing critical company data.
- Create robust policies – it’s critical that you document how files need to be handled and what programs and services are allowed. Setting expectations up front is the key to being successful.
- Track file usage – there are some great, inexpensive tools you can use to track who accesses files and when. Looking for anomalies and strange behavior can often help you find and resolve a problem before is escalates.
- Understand the risks – it’s important for the business to understand the tradeoffs between ease of use and security. Almost all IT Security decisions are made on a sliding scale and you need to weigh the pros and cons before implementing any sort of security program.
- Create robust policies – it’s critical that you document how files need to be handled and what programs and services are allowed. Setting expectations up front is the key to being successful.
- Track file usage – there are some great, inexpensive tools you can use to track who accesses files and when. Looking for anomalies and strange behavior can often help you find and resolve a problem before is escalates.
- Understand the risks – it’s important for the business to understand the tradeoffs between ease of use and security. Almost all IT Security decisions are made on a sliding scale and you need to weigh the pros and cons before implementing any sort of security program.
