Ask a group of office workers how they would send a file to another person so that the recipient can easily receive and view it, but with the requirement that the transfer be secure and the file available only to the intended recipient, and it is likely that they would not know how to accomplish the task.
It is common practice today for companies to send confidential or sensitive information, files, and data over insecure media, namely email, FTP, and the Web: technologies that were not designed to address security or robust reporting requirements. Many people using the Web or an email system are unaware of the risks they take when sending or receiving confidential or sensitive messages or files. Email carries significant risk in particular, because the route a message takes from sender to recipient is rarely as direct as one might imagine: it typically passes through, and is stored on, several intermediate mail servers, each of which can read it unless the content itself is encrypted end to end.
Locking down information is a difficult task. The Internet, highly connected corporate networks, and a multitude of information delivery and sharing applications, including email, have made companies extremely permeable with respect to the inflow and outflow of data. Of particular importance is the potential transfer of sensitive information to unauthorized recipients.
Data can leak out in two deliberate ways: removal by an insider, and theft by an external attacker. The intentional removal of sensitive information by someone inside the organization is hard to prevent; there are many ways to take information out, including uploading it to an external site, copying it to a flash memory stick or CD, sending it out via email, photographing a monitor, or simply printing it. Organizations can also be hacked by outsiders who look for security holes in the network, poorly protected applications and interfaces, and unpatched servers. Hacking is beyond the scope of this post, but a full security and penetration testing audit can help identify and close such holes before they are exploited.
The third, and arguably the most common, way that information leaks out of an organization involves no malice or evil intent at all: the proper tools are not available, or people do not realize the risks of certain activities. Accidental exposure of sensitive data can be prevented with good document delivery systems, proper user training, defined and enforced security policies, and review and correction of user behavior.
Ensuring security is as much a technology deployment matter as it is a user training issue. It is possible to implement an extremely secure system, but it may demand exceptional knowledge on the part of both the sender and the recipient of the data. If the tools are complex or difficult to learn and apply, people will often simply refuse to use them, or revert to their “tried and true” methods even when those are not secure. If tools and applications are easy to learn and simple to use, people are more likely to adopt them. It is not enough to give the sender a simple yet secure way to send information out; you also have to consider how easy it is for the recipient to get it.
To maximize the reach of any delivery tool, it is imperative that recipients need to install or run no special software to retrieve a delivery. Using ubiquitous technologies such as Web browsers, rather than specialized applications, ensures maximum compatibility and makes retrieval as simple as possible. Requiring a recipient to run client-specific software, or to have a specific computing environment set up, is impractical outside highly controlled environments and makes ad-hoc delivery to new recipients difficult.
The need to deliver files securely is increasingly important, not only to regulated organizations that are required by law to protect confidential information, but to any organization that wants greater control over how critical files and data are transmitted and received. With increased enforcement of compliance regulations, a growing number of attackers attempting to steal confidential data, spam filters removing valid messages, and additional strain on email servers, a system that is easy to use yet provides better security and more efficient communication is no longer a luxury; it is now often a requirement.
Byline by Bill Ho, President of Biscom.