
What about the data files?

No discussion about security in the connected economy would be complete without spending quality time thinking about files.

By Godfrey Kutumela, leader of the cyber crime and security division at IndigoCube.
Johannesburg, 02 Sept 2016

My last Industry Insight looked at the potential vulnerability of application programming interfaces (APIs) in the mobile and connected world of today. I argued that APIs are essential to allowing devices and backend systems to connect seamlessly and easily, but that developers paid scant attention to the security risks, preferring to focus on enabling connection and access.

There's another reality of the application-driven, digital and now mobile economy that deserves attention: files.

The world is increasingly characterised by large and growing amounts of data - the big data phenomenon that is so often spoken about. Conventional wisdom says this data is either structured or unstructured.

Structured data would typically be in a database, stored in a tightly defined template. Unstructured data would include the torrents of videos, comments made on social media, music clips and so on that are posted to the Web or exchanged via e-mail or other communications platforms.

However, I want to argue that things need to be viewed slightly differently. In truth, much of what is called unstructured data is actually stored in file formats - spreadsheets, documents, video formats and so on. So it's not quite unstructured, because each type of file has its particular format.

Sending more files

Files make up more and more of big data, which is not surprising, since files are needed to get work done. Some files are used by people, such as Word documents, legal documents, loan agreements, purchase orders, X-rays and financial statements. Others are used by systems, such as XML files. Files are a critical part of the way businesses get work done, and they are likely to remain so.

According to the Radicati Group, a market research firm, there were 2.6 billion e-mail users in 2015, a number that's set to grow to 2.9 billion by 2019. In 2015, a whopping 205 billion-plus e-mails were sent and received - many of them with attachments.

And, of course, the document I checked to get these figures is a PDF posted on the Web - another file.

Users can get a sense of how important it has become to exchange files by looking at how the number of file sharing and storage sites has mushroomed - OneDrive, Dropbox, WeTransfer, Google Drive and the like. Research from the Aberdeen Group indicates the number of users needing to transfer files is growing at between 6% and 9% year on year, and the volume and size of files needing transfer are also growing, at 11% and 7% respectively.[1]

So, companies shouldn't just think about structured and unstructured data - they should think about files. And, in the context of this discussion, the focus should be on the security issues related to the growing use of files, especially as e-mail remains the de facto channel of business communication.

Corporate risk growing

At the same time as the need for businesses to transfer files is growing, the number of IT staff associated with file transfer is growing much more slowly - at a rate of 2% a year, the Aberdeen Group suggests. This is a problem in a business environment in which responsiveness is key to customer service, and customer service to competitiveness. Faced with the administrative hassle of getting in touch with their IT department to transfer a file safely, as well as the delays, businesspeople have almost universally adopted the workaround of sending the files either via Gmail or some other private e-mail system, or by using file-sharing platforms like Dropbox.

All of this creates a lot of risk for companies. Most of these free services are cloud-based, outside corporate control and certainly not aligned in any way with existing corporate security policies or, indeed, with the law. The Protection of Personal Information Act (POPI), when it comes into force, will apply to all personal data held by a third party, and other laws will apply to specific industry sectors.


Just as perturbing, companies are often not even able to monitor where their data is being held, meaning they cannot even scope the risk, let alone mitigate it.

Solution time

That's a lot about the problem, but how to move forward?

Most companies have multiple file-transfer systems in place - e-mail, cloud file share, FTP servers and maybe a number of scripts to automate some of them. Most of them do not meet compliance needs, or the needs of business partners for integration via automated file transfer. IT departments have the challenge of managing multiple systems.

Most users just bypass them to use the simple and easy alternatives outside of the corporate system.

It's not overstating the case to say that, based on my years of consulting, most of these systems are chaotic and reactive. In constant firefighting mode, they are incapable of enabling compliance or meeting business requirements.

The first and most critical step is to fix the corporate file transfer/sharing capability. Employees are only using freeware because it solves a pressing business problem for them. They just want a system that works - while IT needs a solution that is secure, compliant, can be monitored and, most important, controlled.

The answer is surely a solution that is fast and easy for employees to use. Such a solution should ideally be completely automated, and could thus be monitored properly; it would also need to encrypt files in transit and have a mechanism in place to authenticate each party in the exchange.

This solution would have to include mobile devices as well as the corporate desktop or laptop as, increasingly, everything that is done on a PC is being done on a mobile device, including file transfer.

In other words, the ideal solution is an automated process to manage the transfer of files between all business processes and individuals inside and outside the company: process-to-process, process-to-person, person-to-process, and, lastly but most importantly, person-to-person.
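To make the three properties above concrete - a controlled transfer, a way to authenticate the other party, and a monitoring trail - here is a small added example in Python (not code from the article or from IndigoCube). It models one transfer as a signed manifest: the sender checks the transfer against a corporate policy, describes the file (name, size, SHA-256) in a manifest, and authenticates that manifest with an HMAC under a key shared with the approved recipient; the recipient verifies the tag before trusting the hash, and every decision is written to an audit log. Everything here is constructed for illustration: the partner names, the shared keys, the policy limits and the in-memory audit log are hypothetical placeholders, and encryption of the file contents is assumed to be provided by the transport channel (for example TLS or SFTP) rather than shown.

```python
import hashlib
import hmac
import json
import time

# Constructed sample configuration (hypothetical). In a real deployment the keys
# live in a secret store and the policy is owned by the security team, not code.
SHARED_KEYS = {
    "acme-bank": b"constructed-key-for-acme-bank-0001",
    "finance-internal": b"constructed-key-for-finance-00002",
}
POLICY = {
    "max_bytes": 50 * 1024 * 1024,           # 50 MiB per transfer
    "allowed_recipients": set(SHARED_KEYS),  # only parties we share a key with
}

AUDIT_LOG = []  # in-memory stand-in for a central log / SIEM feed


def check_policy(recipient, file_bytes):
    """Policy gate: the control point that webmail and consumer file-sharing skip."""
    if recipient not in POLICY["allowed_recipients"]:
        return False, "recipient not an approved transfer party"
    if len(file_bytes) > POLICY["max_bytes"]:
        return False, "file exceeds policy size limit"
    return True, "ok"


def build_manifest(file_bytes, filename, sender, recipient, ts=None):
    """Describe the transfer and authenticate the description with the shared key."""
    manifest = {
        "file": filename,
        "size": len(file_bytes),
        "sha256": hashlib.sha256(file_bytes).hexdigest(),
        "sender": sender,
        "recipient": recipient,
        "ts": int(ts if ts is not None else time.time()),
    }
    body = json.dumps(manifest, sort_keys=True).encode()  # canonical bytes to sign
    tag = hmac.new(SHARED_KEYS[recipient], body, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_manifest(manifest, tag, file_bytes, key):
    """Recipient side: authenticate the manifest first, only then trust its hash."""
    body = json.dumps(manifest, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "manifest tag invalid: sender not authenticated or manifest altered"
    if hashlib.sha256(file_bytes).hexdigest() != manifest["sha256"]:
        return False, "file content does not match the signed manifest"
    return True, "ok"


def audit(event, detail, filename, sender, recipient, sha256):
    """Append one JSON audit line; returns it so callers (and tests) can inspect it."""
    record = {
        "event": event, "detail": detail, "file": filename,
        "sender": sender, "recipient": recipient, "sha256": sha256,
        "ts": int(time.time()),
    }
    line = json.dumps(record, sort_keys=True)
    AUDIT_LOG.append(line)
    return line


def send_file(file_bytes, filename, sender, recipient):
    """Sending pipeline: policy gate -> signed manifest -> audit record.

    Returns (manifest, tag) to hand to the transport, or None if policy blocked it.
    """
    digest = hashlib.sha256(file_bytes).hexdigest()
    allowed, reason = check_policy(recipient, file_bytes)
    if not allowed:
        audit("transfer_blocked", reason, filename, sender, recipient, digest)
        return None
    manifest, tag = build_manifest(file_bytes, filename, sender, recipient)
    audit("transfer_sent", "manifest signed", filename, sender, recipient, digest)
    return manifest, tag


if __name__ == "__main__":
    # Constructed sample transfer: a purchase order going to an approved partner.
    data = b"constructed purchase order contents"
    sent = send_file(data, "po-1234.pdf", "alice@corp.example", "acme-bank")
    manifest, tag = sent
    print(verify_manifest(manifest, tag, data, SHARED_KEYS["acme-bank"]))
    # The same file to an unapproved destination is blocked and logged.
    print(send_file(data, "po-1234.pdf", "alice@corp.example", "personal-webmail"))
    print("\n".join(AUDIT_LOG))
```

The ordering in `verify_manifest` matters: the tag is checked before the hash so that an unauthenticated party cannot get the recipient to act on a manifest it never signed, and `hmac.compare_digest` avoids leaking the comparison through timing. The audit lines carry the hash rather than the file, which is what a monitoring team needs to answer "what left, to whom, and when" without the log itself becoming a copy of the sensitive data.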

Only once such a technology solution is in place will it be realistic to begin the task of changing employee behaviour. Change is always tricky, but in this case it should be relatively easy because the undesirable behaviour was driven by the business imperative for speed. Combining speed and ease of use with security is the answer.

In my next Industry Insight, I will continue my review of the corporate security landscape by considering the security challenges posed by the growing universe of mobile apps.

[1] Ipswitch, "'Good Enough' File Transfer is Not Nearly Enough to Succeed in 2015", available at http://www.infosecurityeurope.com/__novadocuments/196579?v=635881987045870000.
