IT Security News & Blog

4 Security Compromising File Transfer Mistakes You Are Probably Making

Posted: 7 January 2019

Here at Advanced Cyber Solutions, we speak with customers and prospects about their file transfer activities and needs, almost every day of the year. After 8 years, certain identifiable patterns start to emerge, such as common requirements, challenges and areas which can be improved.

In every instance, our customers and prospects tell us how fundamental the smooth movement of files is to their business.

 

In this blog, we want to highlight 4 of the most common mistakes which we see our customers, prospects and others make when it comes to file transfer workflows.

 

1. There is Nothing Secure About It

The most common method for file transfer is by email attachment.

Research tells us that on average, there were 269 billion emails sent each day in 2017. Although there are no specific details on how many of those contained attachments, even 10% of that number would be significant.

Emailing attachments is incredibly convenient, something which even the least technically savvy user can probably manage.

But did you know that there is no security whatsoever built into the standard SMTP email protocol?

The content of an email, its attachments and the addresses of those you are sending it to are all sent in clear text, which can be intercepted and read with very little effort.

Where content is not sensitive, does not contain personal data and is not commercially sensitive, email is a very useful tool for sharing files. In all other cases it is wholly inappropriate.

So much so that the Danish Supervisory Authority, which is responsible for upholding data protection law in Denmark, has ruled that as a consequence of the GDPR, any Danish business which transmits personal data via email must use an encryption tool or TLS.
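Whether a particular message actually travelled over TLS can be checked hop by hop from its Received headers, where receiving servers record the protocol keyword defined in RFC 3848 (ESMTPS and ESMTPSA mean STARTTLS was used). The following is an added example, not code from the original post; the sample message, hostnames and addresses are constructed.

```python
import email
import re
from email import policy

# RFC 3848 transmission types: ESMTPS / ESMTPSA mean the hop negotiated STARTTLS.
WITH_RE = re.compile(r"\bwith\s+(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?\b", re.IGNORECASE)
# Some MTAs record TLS only in a comment, e.g. "(using TLSv1.3 ...)" or "(version=TLS1_2 ...)".
TLS_COMMENT_RE = re.compile(r"\((?:using|version=)\s*TLS", re.IGNORECASE)


def audit_hops(raw_message):
    """Return one (hop_summary, verdict) pair per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = []
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # collapse folded continuation lines
        match = WITH_RE.search(text)
        if TLS_COMMENT_RE.search(text) or (match and match.group(1)):
            verdict = "tls"
        elif match:
            verdict = "cleartext"
        else:
            verdict = "unknown"  # protocol keyword missing or non-standard
        results.append((text.split(";")[0], verdict))
    return results


def cleartext_hops(raw_message):
    """Hops where the message, attachments included, crossed the wire unencrypted."""
    return [hop for hop, verdict in audit_hops(raw_message) if verdict == "cleartext"]


# Constructed sample: newest Received header first, as it appears in a real message.
SAMPLE = """\
Received: from mx.partner.example (mx.partner.example [203.0.113.7])
    by mail.corp.example with ESMTPS id 4Xa1; Mon, 7 Jan 2019 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
    by mx.partner.example with ESMTP id 9Qz2; Mon, 7 Jan 2019 10:00:02 +0000
Received: from laptop.example ([192.0.2.15])
    by relay.isp.example with ESMTPSA id 77c; Mon, 7 Jan 2019 10:00:01 +0000
From: sender@laptop.example
To: hr@corp.example
Subject: payroll export

(attachment omitted)
"""

if __name__ == "__main__":
    for hop, verdict in audit_hops(SAMPLE):
        print(f"{verdict:9} {hop}")
```

Received headers added before the message reached your own servers are written by third parties, so treat only the hops recorded by infrastructure you control as reliable evidence.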

 

2. You Have No Visibility of What is Sent

If you consider the danger of point number one to be that someone on the outside could intercept sensitive files, what about those who seek to do harm on the inside?

Email systems typically do have some form of audit logging which allows administrators to peer into the content being sent from their systems. However, online file transfer solutions such as Dropbox, OneDrive and YouSendIt all offer individual accounts, which give administrators no such insight.

Services like this are usually used as a consequence of shadow IT, whereby users turn to unsanctioned tools to complete their jobs. We often witness that IT have put in place a low maximum file size limit on email attachments, which leads users to seek alternative methods.

The danger here is that even with a secure email platform to rectify point 1, your users may be taking a completely different route out of your network.

The content being shared this way could be sensitive, and sharing it would therefore be considered a data breach based on unauthorised data processing under the GDPR.

You can read more about the Danish GDPR recommendations for email security when sending personal data in our blog.

 

3. You Rely on Scripts to Move Critical Files Periodically

This is an incredibly common scenario for us to come across; and usually happens as a result of a small task growing in importance and size over time.

In the beginning, it probably seemed like a great idea to save cost on a solution by moving a couple of files each day via a script. Some years later, it is hundreds, if not thousands of files, being moved to multiple locations.

Scripting is great and we have the utmost admiration for the person who ends up managing and writing these complex beasts. Yet, they end up causing a number of potentially debilitating issues:

  • Often no high availability.
  • Bugs are discovered during operation.
  • The viability of the script is heavily dependent on the author or maintainer remaining in their role.
  • Scripts quickly become outdated as technology changes.
  • Usually there is no logging built in.
  • There is no role-based access or authentication to prevent unauthorised access.
  • Any passwords in use are usually stored in the script, in clear-text.

Once automated file movement scripts become a linchpin for your organisation's operations, it is time to find something which can mitigate the issues highlighted above.
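Two of the issues listed above, clear-text passwords and missing logging, can be found by a simple review of the scripts themselves. The following is an added example, not code from the original post; the detection patterns are heuristic assumptions and both sample scripts, with their hostnames, paths and passwords, are constructed.

```python
import re

# Heuristic patterns (assumptions for this example, not an exhaustive rule set).
CREDENTIAL_PATTERNS = {
    "password literal assigned in script":
        re.compile(r"""\b\w*(?:PASSWORD|PASSWD|PASS|PWD)\s*=\s*["']?[^\s"'$]+""", re.I),
    "password on sshpass command line":
        re.compile(r"\bsshpass\s+-p\s*\S+"),
    "credentials embedded in URL":
        re.compile(r"\b(?:ftp|ftps|sftp|https?)://[^\s/:@]+:[^\s/@$]+@", re.I),
}
LOGGING_RE = re.compile(r"\blogger\b|>>")  # syslog call or append-to-file redirect


def audit_script(text):
    """Return (line_number, issue) findings; line 0 marks a whole-script issue."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore comments and the shebang
        for issue, pattern in CREDENTIAL_PATTERNS.items():
            if pattern.search(line):
                findings.append((number, issue))
    if not LOGGING_RE.search(text):
        findings.append((0, "no logging of transfer results"))
    return findings


# Constructed samples: a typical grown-over-time script and a tightened version.
WEAK_SCRIPT = """#!/bin/sh
SFTP_PASSWORD="Summer2019!"
sshpass -p "$SFTP_PASSWORD" sftp svc@files.partner.example <<EOF
put /data/payroll.csv
EOF
curl -T /data/orders.csv ftp://svc:Winter2018@ftp.partner.example/in/
"""

HARDENED_SCRIPT = """#!/bin/sh
# Key-based authentication: no password in the script, and every run is logged.
if sftp -b /etc/transfer/payroll.batch -i /etc/transfer/id_ed25519 svc@files.partner.example; then
  logger -t payroll-push "transfer ok"
else
  logger -t payroll-push "transfer FAILED"
fi
"""

if __name__ == "__main__":
    for name, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(name, audit_script(script))
```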

Not all automated transfers require scripting. Take a look at our blog on how to create automated file transfer workflows with no code.

 

4. You Cannot Guarantee the Identity of Recipients

Building on the flaws of point 1, even when a secure channel can be guaranteed between sender and recipient, we often find there is no attempt to verify identity.

Take the humble fax machine as an example. You punch a telephone number in, feed it the document and whether or not your intended recipient is at the other end of that line is very much based on hope, chance and your ability to enter the correct number.

In some scenarios we have seen an attempt to verify identity using a username and password prompt; however, this can be further challenged by the poor reputation humans have for password security. The recommendation, of course, would be to employ some form of multi-factor authentication.

What is often not considered about good recipient validation is that it improves your non-repudiation capabilities. In other words, the harder it is for someone to receive a file or document by unauthorised means, the more you can guarantee that the correct person has received it.

It sounds simple enough!

All of the concepts covered in this blog can be helped by using a managed file transfer solution. We recommend Ipswitch MOVEit managed file transfer, which we have been working with for more than 8 years.

If you would like to learn more about managed file transfer solutions or Ipswitch MOVEit, you can book a call with one of our solutions specialists today.

 


Topics: MOVEit, Managed File Transfer, File Transfer, Email Security, Email Encryption


Written by Chris Payne

Managing Director - Advanced Cyber Solutions