Businesses need to share information, but they have to make sure it doesn’t get into the wrong hands. The consequences of a leak can range from embarrassment to legal penalties. Some ways of sharing files obviously aren’t secure. Others may give the impression of security but aren’t up to business standards. Keeping files secure requires transferring them safely and storing them safely. People have to actually use these practices rather than taking easy shortcuts.
The consequences of leaked files
Internal documents can hold information which criminals and your competitors could find useful. A file doesn’t have to be stamped “Confidential” to hold bits of information that need to stay out of unauthorized hands. Once a snooper finds a way to get at your private files, the information gathered from them can quickly add up.
Seemingly inconsequential information can make customized “spearphishing” email more convincing. If the message mentions some detail which no one outside the company should know, the recipient is likely to think it must be legitimate.
When confidential information is part of the loss, the problem is even worse. It may give an advantage to a competitor or enable identity theft. It could damage your business reputation. If you contracted to hold the information safely, your organization could be sued for negligence. In some cases, such as personal health records, your business could be subject to huge fines.
The best approach is to treat all internal documents as confidential unless they’ve been approved for public exposure. Any of them might contain something you don’t want getting out.
How not to share files
Some ways of sharing files are easy but seriously unsafe. The easiest, and unfortunately one of the riskiest, is email. In most cases there’s no end-to-end encryption. Mail can go through servers belonging to people you know nothing about. It can sit on the recipient’s email server for a long time, where it could be a target for snoopers.
Consumer-grade file storage, such as free Dropbox and Google Drive, offers some security. It usually isn’t safe enough for business purposes, though. Files may be stored unencrypted, and they may be available to anyone who can get hold of their URL.
File-sharing applications are all over the place as far as security is concerned. Some are designed for serious protection, but others are as bad as email. They may use flawed encryption or none at all. If you aren’t careful about where you get them, some are outright spyware.
The “sneakernet” approach, taking files from one place to another on a removable drive, has risks of a different kind. Someone might lose or throw away a drive that has confidential files on it. Dishonest employees can pocket one and take it home.
Storing files on an on-premises server should be secure, but only if it’s set up properly. If any employee can access any document on the server, then people who aren’t authorized to see highly sensitive documents can grab a copy. Internal data leaks are a bigger problem for some companies than external ones.
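One way to check whether an on-premises share is open to every account on the server, as an added example that is not part of the original article. It assumes a POSIX file server and looks only at the "other" permission bits (ACLs and group membership are not considered); the directory names and modes in the sample tree are constructed.

```python
import os
import stat
import tempfile

def audit_share(root):
    """Return (relative path, problem) for entries any local account can reach."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        reachable = []
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits grant nothing
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            elif mode & stat.S_IROTH:
                findings.append((rel, "world-readable"))
            # Without the "other" execute bit nobody outside the owner/group
            # can traverse the directory, so its contents are not exposed.
            if stat.S_ISDIR(mode) and mode & stat.S_IXOTH:
                reachable.append(name)
        dirnames[:] = reachable  # prune directories that are already locked down
    return findings

def build_sample_share(base):
    """Constructed sample tree; a trailing slash marks a directory."""
    layout = [("hr/", 0o750), ("hr/salaries.csv", 0o644),
              ("legal/", 0o755), ("legal/contract.pdf", 0o640),
              ("legal/nda-draft.docx", 0o644), ("scratch/", 0o777)]
    for rel, mode in layout:
        path = os.path.join(base, rel)
        if rel.endswith("/"):
            os.makedirs(path)
        else:
            with open(path, "w") as handle:
                handle.write("constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the umask does not matter

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_sample_share(share)
        for rel, problem in audit_share(share):
            print(f"{problem:15} {rel}")
```

The salary file is not reported even though its own mode is 0644, because its parent directory blocks traversal; the draft in the open `legal` directory is.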
Security in transit
There are two aspects to safe file sharing: security in transit and security at rest. To keep information safe in transit, the transfer needs to use high-quality encryption on every leg of the trip. It needs to make sure that no one except the intended recipients can get the unencrypted document.
Encryption needs to start at the device which sends the document. Even sending it to a local server without protection opens some risks. It opens a second target for attacks on the communication path. The final leg to the recipient’s machine needs to be up to the same standard.
Encryption procedures that haven’t been updated in years are risky. They may not use a long enough key to be safe from cracking by today’s computing power. They might use protocols that have been cracked or are no longer strong enough. Keys need to be stored safely.
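A sketch of how a transfer client's TLS settings can be checked against a minimum standard, added here as an example and not taken from the original article. The TLS 1.2 floor, the finding names and the "legacy" configuration are assumptions chosen for illustration.

```python
import ssl

# Assumed policy floor for this example; the article does not name a version.
POLICY_FLOOR = ssl.TLSVersion.TLSv1_2

def hardened_client_context():
    """Client context that verifies certificates and refuses old protocols."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = POLICY_FLOOR
    return ctx

def legacy_context():
    """Constructed example of a client set up years ago and never revisited."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate
    return ctx

def audit_context(ctx, floor=POLICY_FLOOR):
    """Return a list of findings for a context that falls short of policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-cert-verification")
    if not ctx.check_hostname:
        findings.append("no-hostname-check")
    if ctx.minimum_version < floor:
        findings.append("min-version-too-low")
    return findings

if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_context())):
        print(label, audit_context(ctx) or "ok")
```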
You need to be especially wary of wireless connections. The WEP protocol, used on some older access points, is badly broken, and public Wi-Fi is about as secure as shouting across the hall. Any access points used for internal operations should use WPA2 with a good password.
Local network file sharing options, such as AirDrop, may be reasonable, but only if they’re set up properly. If they’re left wide open, someone sitting in the lobby might be able to eavesdrop or send forged files.
Security in storage
Any place where lots of confidential files are stored is an attractive target. Encrypting them on any cloud or on-premises central storage device is a basic necessity. The safest approach is to store files in a way that they can’t be decrypted on the server.
Free file sharing services may sound attractive, but they rarely pay enough attention to security. They’re good enough for most people’s personal use, but not for serious business purposes. Business-quality sharing services ought to have an SLA that guarantees secure practices, and they ought to live up to it.
Sharing files with mobile devices raises the same concerns, since they’re subject to theft. Mobile devices that hold business documents need to be encrypted. They need a strong password to stay safe if they’re stolen. Enabling a remote wipe is a good idea.
Promoting best practices
All these recommendations will accomplish their goal only if employees live up to them. They need not just to understand the right way to share files but to be comfortable with it. If it seems like a lot of work, they’ll fall back on email or sneakernet.
They need to have the right habits when handling documents. This means sharing them only as much as necessary and keeping them safe on their own machines. They have to understand the difference between a strong password and a weak one. The more they’re in the habit of following the right practices, the fewer mistakes they’ll make.
When your business has a reputation for keeping its documents safe, it earns trust from customers and business partners. You don’t have to devote effort to stopping leaks and offering excuses for them. You get fewer uncomfortable questions from regulators and lawyers. It isn’t really hard to make file sharing secure, and the effort pays for itself.