Does File-Sharing Threaten Your Sensitive Data?
BY Kim Boatman
Whether your employees are using peer-to-peer technology to download the latest game or video or to share work-related documents, their actions may place your data and your organization at risk.
When debit cards first came out, says Internet encryption pioneer Taher Elgamal, people simply scrawled their pin numbers on the back of their cards.
He sees many businesses taking the same sort of naïve approach to security these days when it comes to file-sharing and peer-to-peer networks. Too often, businesses haven't thought through the risks involved in file-sharing. And like those early debit card users, employees often are thinking simply of convenience and ease of usage.
Yorgen Edholm, president and CEO of Accellion, a company that provides secure file transfer solutions, agrees that businesses have been slow to react, despite continued news reports about data breaches. "One of the things that surprises me is it's still such an under-discussed topic,'' says Edholm. "Two years from now, it's going to be, 'How did we do that?'"
How P2P threatens your data
In February, the Federal Trade Commission notified nearly 100 organizations and businesses that had released sensitive information about customers, students, or employees through file-sharing or P2P networks. The government agency also announced it was conducting investigations of other businesses which had exposed data through file-sharing. In conjunction with the announcement, the FTC published new educational materials for businesses.
The risk to your data from P2P technology is a two-pronged threat. Employees are placing critical data at risk by using P2P technology to transfer and to share work-related materials. However, as people become accustomed to moving much of their lives online, they often blur the distinction between work and home activities. Employees downloading the latest movies and music from file-sharing sites also create risk for their employers.
Among the dangers:
Inadvertently sharing files. Users may accidentally save a confidential file to a folder that is shared on a P2P network or malware could change the designation of a folder or drive where sensitive information is stored.
Opening your network to attacks. Malware in P2P programs can lead to attacks on other computers on your network, not just the computer sharing files.
Losing track of data. Once files are placed on a P2P network, they may be shared among other computers even after deletion on the original computer. So, retrieving and securing data you've unintentionally exposed is virtually impossible.
Remote storage of illegal material. Malicious programs could open one of your computers to storage of stolen documents or even child pornography, cautions Randy Abrams, director of technical education for anti-malware vendor ESET.
The threat is so significant Abrams thinks P2P programs should be avoided. "Peer-to-peer file-sharing programs have virtually no place in a business environment,'' he says. "The security of the programs varies widely. However, in many cases, the default settings are not the most secure. The risks of P2P file-sharing are too great to be ignored."
While every organization is vulnerable, Sanjay Mehta, senior vice president for security solution company Breach Security, advises that your company may be particularly susceptible to P2P threats. "In many ways, small to mid-sized businesses are great targets,'' he says. Mehta notes that smaller businesses often aren't equipped with the IT assets or the staffing to evaluate P2P risks or combat data breaches that occur through file-sharing.
How you can protect your data
Like most technology-related security issues, the first steps you should take involve people rather than machines or software, say the experts. Smart business practices will go a long way toward avoiding file-sharing data losses. Make sure your organization follows this checklist:
Establish and enforce a file-sharing policy. Awareness is critical. Your policy should spell out in non-tech speak whether you'll allow the use of P2P networks. If you allow file-sharing, you should explain the circumstances under which it is permitted and whom you authorize to do so. Once you've created a policy, revisit it frequently since technology evolves quickly. Educate your users.
Offer file-sharing solutions. "Ninety percent of employees just want to get their work done,'' says Elgamal, chief information security officer for Axway, which secures and manages business transactions. "Generally speaking, people like the path of least resistance. We need to tell people how the company is enabling them to do business. You can't sit down and say 'no, no, no.' Then what?" Your employees will find ways to share documents and files when they need to get the job done, so anticipate their needs and find secure solutions.
Classify documents. Establish a system for classifying information based on how it can be shared or the sensitivity of the data, advises Mehta. Then, arrange information in locations based on whether it can or can't be shared. Consider a separate server or network for secure information.
Classify users. Evaluate access and who should or shouldn't be sharing information. Consider whether you'll allow home computers on your network, an option Abrams advises against. "The cost/risk ratio of allowing personal computers on a corporate network, even for small companies, cannot be justified,'' he says.
Purchase help. Look for a vendor solution that helps you safely secure file transfers, log transfer activity, archive files that have been transferred and filter what goes into and out of your network. Accellion charges a couple of thousand dollars a year for a subscription covering 25 to 50 users, Edholm says.
Most important, says Mehta, is taking action now. If you visited the problem of file-sharing a year ago, it's time to look again. "The threat factor moves a heck of a lot faster than every so often," Mehta says.