File sharing among colleagues or members of a team should be easy and convenient. Unfortunately, it is one way that a company can pave the way for hackers to access its data. The risk is compounded by the fact that many small businesses don’t have file-sharing policies in place.
As such, many turn to file-sharing practices that put their business data and client information at risk.
According to research by Ponemon Institute, although 37% of cyber-attacks are due to malicious activities, 35% of others are caused by human negligence. Another 29% occur because of system glitches. One significant contributing factor related to human negligence is the concept of Shadow IT.
Shadow IT is the habit of employees using IT solutions not officially approved or implemented by the IT department. The solutions include free cloud storage services, email accounts, and other consumer service systems. Once they share business documents through these programs, they expose the business to significant security risks.
File-Sharing and Security Risk
A majority of firms are yet to catch up with security matters when it comes to file-sharing. Some employees bypass IT and sign up for individual/department access to cloud-based file storage. By doing so, they gain short-term access to shared files but open the systems to potentially long-term risks.
Most of these individual or departmental accounts are opened on an ad-hoc basis without incorporating corporate permissions. When a member leaves the group, company or team, inactivating their user access comes as an afterthought.
Some other file-sharing habits that pose a risk to a company are as follows.
1. Using Email to Share Files
Sharing files through email is a dangerous habit, yet many companies still allow it without thinking about it. What they fail to understand is that email accounts aren’t designed to be secure. Anyone who can access an intermediate mail server between the mail servers can see any attachments sent between emails.
Some of the risks that come with file sharing include
- Downloading a file with malicious software
- Downloading an illegal or copyrighted file
- Using a file-sharing app that shuts off firewall services
- Exposure to sensitive or personal information
- Unintentionally placing sensitive data in a public hosting server
Signing a non-disclosure agreement doesn’t prevent hackers from snooping around emails and getting access to confidential information. Instead, what users should do is encrypt files and use secure file-sharing services.
2. Using Consumer-Grade Cloud Services
Unbeknown to them, many companies are putting themselves at risk by using unauthorized file-sharing services. These are installed on mobile and desktop devices, especially as more employees join the workforce.
The bring-your-own-device revolution has not made things any better. It has contributed to the increased use of insecure file-sharing services like Google Drive accounts and personal Dropbox, making the threat more magnificent than ever.
Companies should instead provide Dropbox-like solutions that come with enterprise tools, bringing it into the secure enterprise world. It’s crucial to encourage employees to use enterprise-grade security and have it approved by IT professionals.
3. Peer-to-Peer File Sharing
Peer-to-peer sharing is a great innovation for use over peer networks. However, it’s also excellent software for hackers to abuse. Installing the software allows anyone to get unauthorized access to the client’s information, leading to serious security breaches.
Identity theft and credit card fraud are also common hacking attempts that happen over P2P networks. In numerous cases involving government agencies, mortgage brokers, and drug companies, the agencies discovered P2P software on their systems after data had leaked.
Just recently, former President Obama’s private helicopters were hacked. It was discovered that a Maryland-based defense contractor’s P2P software was at play. It leaked the helicopters’ systems to the wild web.
Companies should have P2P policies that disallow the installation of P2P software on company computers and employee laptops as well. A quick search on the “All Programs Menu” will also reveal any program on the machines which should otherwise not be there. Set administrative rights that prevent the installation of unfamiliar software without the administrators’ permission.
4. Use of Flash Drives
Flash drives easily get infected with malware since they bypass network security measures. If a flash drive is infected and installed into a system, it starts an infection spread to or from the PC. Some systems auto-run flash drive scans, but this can give the malware administrator permissions that can pave the way for infections.
Unfortunately, most people don’t consider the habit risky, but they are the most unexpected and easiest to reach methods for hackers.
Instead of running auto-scans on flash drives, it’s better to install up-to-date antivirus programs that scan the attached devices and their files. Ensure that you’re also using encryption for an added layer of security.
5. Lack of Visibility
When employees don’t share in the vision of a company, they take matters into their own hands. In cases of cybersecurity, they may engage a file sharing service without the management’s approval. While making this decision, they may not think about the bigger picture of the organization’s requirements.
Their choice of service may appear to be the easiest and cheapest, but it may be void of the most critical functions. For example, it may lack persistent auditability and control, hence placing data at risk. Employees who use such solutions may also mix personal data with organizational data.
Visibility is crucial as it provides vital insights into the users of organizational data and at which frequency. If used in a regulated environment, visibility provides essential audit information necessary for compliance.
6. File Transfer Protocol
This is the most common file transfer system used to access or edit files among users with a password. The users gain access to the files shared on the FTP server site. Unfortunately, most FTP sites allow users to view or access files using a free password for public sharing.
Sometimes, the best a company can do is ensuring it has file-sharing security measures in place. Some measures, like document password protection, may not always apply to every file shared. This next section gives insights into other, more reliable steps an organization can take.
How to Make File Sharing Secure
Despite the risk it presents, file sharing can’t be ignored or done away with altogether. This is because it offers several benefits to an organization. It simplifies management, keeps files organized, and centralizes them for consistency. The benefits far outweigh the risks, and all that companies need to do is make the file sharing process secure.
One of the crucial things companies should do is to secure their data rooms. These are the spaces that hold data in a secured form. It’s an advanced form of an on-premise storage unit or cloud storage. Data rooms are the most secure file sharing systems for businesses that wish to share classified documents. They also provide workspaces that teams can share in a variety of ways to protect the company data.
Other ways to secure your file-sharing systems are discussed here.
1. Insist on Encryption
It’s not uncommon for people to send files through unencrypted channels, which is a very risky approach to file sharing. The only assurance that sensitive files you send to authorized parties are secure is to use a medium that offers encryption services.
Encryption scrambles the information in a file and makes it unreadable to hackers unless they have a decryption key for it. Files shared through removable media can also be encrypted using a variety of tools. For example, you can use self-decrypting USB drives, which embed algorithms on the hard drive. They eliminate the need to install encrypting software on your computer.
For P2P systems and file hosting services, the easiest and most common way to implement a solution is to use HTTPS. This is a protocol that comes encrypted with security algorithms like Kerberos, RSA, and ECHD. Through it, data becomes encrypted and is sent via a secure protocol to the receiver for decryption. The transportation happens over a secure sockets layer (SSL) and transport layer security (TLS).
2. Use Strong Passwords
Weak and default passwords are the leading reason for data breaches in file sharing. According to a report by a password management company, the most commonly used password throughout 2016 was “123456.” This means that companies didn’t bother changing the default passwords that came with the software they installed.
Creating strong passwords for your accounts and file-sharing systems is the first step towards reducing the chances of data theft. Create passwords using a combination of letters, both upper and lower case, numbers, and symbols. They also should contain more than eight characters and by all means, shouldn’t be dictionary words.
For stronger passwords, don’t ignore the two-factor authentication if the system has provision for it. It adds an extra layer of protection to your account. If a platform doesn’t offer the option, go for one that does.
3. Avoid Downloading Files when in Doubt
Protecting yourself from malicious files is two-way traffic. You need to protect those that you send to other people and also be cautious about the ones you receive. As such, it’s crucial that you only download files from trusted sources or only after verifying the source.
If ever in doubt about the source of a file, leave it alone. Suspicious files and links are the leading cause of phishing attacks for most organizations. As the level of sophistication increases, it’s crucial to be extra cautious.
While at it, avoid uploading copyrighted files. Sharing copyrighted material like a digital copy of a movie could land you into serious legal trouble.
In the same breath, avoid connecting portable devices to your computer if you don’t know its source. When connected, scan for malware before opening its content.
4. Adhere to Secure Email Practices
Phishing is a prevalent email attack strategy that has led to some costly data breaches in the past. Never open an email if you’re not sure of the source or sender. When you’re assured of the source, don’t open the attachment without first scanning it with your anti-malware program.
Sometimes, the sender may not be aware that the file is infected. Let your anti-malware software be set to scan all emails, both incoming and outgoing automatically.
5. Use Secure File Sharing Services
Cybersecurity defenders understand the risks that come with file sharing, and they work tirelessly towards creating security solutions. There are now several methods or services you could use to encrypt your data by default so that all the information you share stays protected and secured.
This is a cloud storage service that uses encryption to add an added layer of security to your files. With this service, there’s no limit to the size of files you can upload to the cloud. This makes it an excellent program for syncing huge files.
The service comes at the cost of $5 per month for 500Gb. However, you could opt to pay a one-off charge of $200 which will prove to be more cost-effective in the long run. The encryption option comes at a fee of an additional $5 per month but is worth the cost in every way.
pCloud Crypto is supported by a variety of platforms like Windows, Linux, macOS, Android, and iOS.
This software is for enhancing the security of your emails. While Mozilla is famous for the Firefox browser, people also tend to overlook that it provides some other alternatives to Outlook. The Thunderbird email client is a free open source alternative that can be installed on Apple, Windows, FreeBSD, and Linux systems.
Thunderbird comes with a wide array of plugins which include the Enigmail that encrypts and signs incoming and outgoing emails. It eliminates the need for the user to manually learn about encryption protocols to create their own security solutions. The only downside is that you have to use Thunderbirds as an email client for the full benefits.
Signal is considered the universal encryption tool for messages. It’s an open-source tool and publicly available for anyone to inspect. This doesn’t mean that it’s easy to hack, but rather more eyes are looking at the security of the encryption.
The tool is relatively plain and basic, lacking in visuals and appearance, but it does support group chats. It also sends files and photos in addition to text, which means that most of your data will be well protected.
The app can replace your default messaging app if you wish, but it won encrypt primary SMS texts. Besides, both you and the person you’re in communication with will have to install the app for encryption to work correctly.
The app comes with other useful features like video calling and message deletion after a certain period. This is perfect for business and personal conversations you don’t want to stay on record.
IV) Last Pass
Last Pass is a service that is best suited for use as a password manager. It helps keep passwords secret and hidden. However, it requires to be used on shared devices to operate optimally. One of its excellent features is that it allows you to share login details via email.
You may also choose to allow your correspondents to login and see files without seeing the password. Since the network is protected by SSL, it’s highly unlikely that anyone will connect to your data maliciously. Last Pass is one of the most preferred password managers available, and for a good reason.
You need to be careful when syncing your files online. One of the files syncing security solutions available is the Resilio Connect. It syncs your data using the BitTorrent protocol. This means that instead of sharing your files through a cloud service like Dropbox, you can sync them between two specific devices. The protocol is ideal for sharing huge files and folders, as this was its initial purpose.
The only requirement is that both devices should be online for files to be shared in real-time. The connection must also be secured by 128-bit AES. You can add more devices to share the files as you wish. The program works best for Windows, Linux, macOS, iOS, and Android.
Unfortunately, it’s not open-source software, which makes it difficult for security experts to check for vulnerabilities.
Box is a cloud-based file sharing service designed for businesses. It allows users the liberty to choose how they’d like to share their files, access, or edit them. They can also give other people the right to view the files in question. Its advanced encryption key management, security controls, and information governance provide a guaranteed level of high security.
VII) Secure Shell (SSH)
The secure socket shell is a network protocol that works by delivering a safe way for administrators to access a remote computer. It provides well designed client-server architecture connecting an SSH client application with an SSH server.
Its design is such that it sends information like passwords in plaintext in an encrypted format for enhanced security.
VIII) Secure File Transfer Protocol
Commonly known as SFTP, the secure file transfer protocol comes separately but includes SSH and hence works in a similar way. The difference between it and file transfer protocol is that SFTP can maintain a secure connection that allows you to transfer files.
An SFTP connection also transverses the file system on both local and remote systems and hence is more preferred because of the advanced security features. Its capability to draft onto a secure socket shell connection is also a desirable feature.
As an online cloud storage service, Tresorit focuses on enhanced security and data encryption. It’s an ideal program for both individuals and businesses. Its encryption feature encrypts files through client-based encryption before they’re uploaded.
The encrypted pieces of uploaded directories are known as tresors, and they automatically sync within the cloud as files. Other files can also be added or removed from the tresors, much like it happens with the Box software. Since Tresoit comes with end-to-end encryption, it makes it safe for users to share protected files and work on them while keeping them synced and secure.
X) InterPlanetary File System (IPFS)
This network is designed to make the P2P method of sharing and storing hypermedia possible. The protocol seeks to connect all the devices within the system to access the same files. Its features are notably related to the World Wide Web, but also closely resemble a BitTorrent system that helps exchange data in an encrypted manner.
The storage model of IPFS is capable of exchanging data blocks thrown through P2P networks in a manner that doesn’t damage or alter their formats.
XI) Amazon Drive
Amazon drive is one of the world’s leading cloud service providers. It’s popular because of the many storage options it provides while also being user-friendly. If you’re an Amazon user, the service offers you 5GB free storage, or you can alternatively subscribe for 100GB storage yearly.
An excellent perk of the service is that it offers unlimited photo storage. You can create shared albums and organize them by people, places, or things. However, it lacks management options as you may only create a customized folder through the PC client.
With all these safe file-sharing options available, there’s no reason why you should expose yourself or your business to hackers.
File-sharing within an organization is one of the ways a hacker can gain access to sensitive data. Sometimes, having a document protected through a password is not good enough. As cybersecurity defenders have revealed, there are better and more reliable ways of enhancing the security of your file-sharing systems.
Always strive to have your employees use cybersecurity-approved file-sharing programs. There also should be policies in place about personal devices at the workplace. With the right procedures and best practices for file sharing in place, the benefits will far outweigh the risks. Your business documents and files will be more organized, easy to manage, and easily edited and updated.