We live in an always-on, digital world. Information is at our fingertips. Mobile devices are pervasive.
Interactive websites, allowing users to comment on posts, and social networking are de rigueur. All these things encourage us to consume, and share, information continuously and often without regard for the consequences. Criminals increasingly use this information, often detailed information about personal lives, to their advantage in social engineering attacks that target specific individuals and exploit the trust those individuals place in the technology, applications and websites they use.
In recent years, consumers have flocked to file sharing sites that allow them to upload and share very large files such as photos and videos with friends and family. Seeing just how convenient such sites are, many users are adopting them for business purposes as well, uploading information so that it is available to them from any device, wherever they are. It has been recognized for some time that this creates security risks for organizations: sensitive data ends up on file sharing sites that are outside the control of the IT department, often without its knowledge. Bloor Research has recently published research that discusses the problems surrounding unsanctioned use of file sharing sites in organizations and that provides pointers as to what organizations can do to give employees the convenience and flexibility they demand, but in a way that safeguards sensitive information and shields them from the perils of data loss.
But a relatively new problem with the use of file sharing sites is currently in the news. Criminals are using such sites to host and spread malware. In one such campaign, the Dropbox file sharing service was used to host and distribute ransomware, with an estimated 500,000 users affected. Victims' files were encrypted, rendering them unusable, and the attackers demanded a ransom to restore them. It is believed the attackers have so far netted $62,000 from this campaign alone.
Such attacks have been known about for some five years or so, but appear to be increasingly common. Just this month, an emerging practice came to light: using file sharing sites for high-value, low-volume attacks against high-profile, lucrative industries including banking, oil, television and jewelry businesses. Discovered by Cisco, these attacks are attributed to a group Cisco refers to as the "String of Paerls" group, which has been flying under the radar of security researchers since 2007, constantly changing its tactics to avoid detection.
These attacks highlight the problems many organizations face with the use of consumer-oriented services. Many organizations are still grappling with the deluge of personally owned devices connecting to their networks, often outside the purview of the IT department, as well as the use of cloud-based services by individuals or particular business units, many of which are not officially sanctioned. Now there is further evidence that they must add control of consumer-oriented file sharing services to the mix, not just to guard against the loss of sensitive information, but to prevent those services being used as another vector for attacking the organization.
There are options available to IT that allow them to offer the same levels of convenience to users, but in a way that can bring back control over who is sharing what and with whom. Some of these options are discussed in the research published by Bloor Research referenced above. Centralized control and high levels of security are paramount. They must also be as easy to use as the consumer-oriented services employees are already used to if they are to gain widespread acceptance.
Today's generation of consumers and employees demand convenience and the freedom to work as they wish. But that convenience brings many dangers to organizations if they cannot control where sensitive information is being posted or transferred and who is accessing it, or guard against the dangers employees might be exposing the organization to through the use of unsanctioned services. There is a fine line to walk between keeping employees satisfied and productive, and guarding the organization from malicious exploits and data loss that could dent its revenues, brand and reputation.
Online file sharing services, which were initially developed to share personal files with friends and family, have spilled over into the workplace. Office workers turned to these services as their corporate email systems limited the size of attachments, and the result is a challenging time for IT teams seeking to protect and manage their organization's confidential information.
Surprisingly few companies have an IT sanctioned file sharing service, which is why Bloor’s new ‘Taking control of file sharing services’ white paper will become so useful to IT teams over the coming months and years.
The research, in partnership with Mimecast, identifies the key considerations for selecting an enterprise-grade service. For those who may not have the time to read the full report, I thought it’d be useful to summarize these considerations on Mimecast’s blog:
Security is the key criterion when selecting a file sharing service, in particular safeguarding confidential files in the cloud. Therefore, role-based access control and encryption for files both in transit and in storage are a must (and it is worth asking the provider who holds the encryption keys, since storage encryption under provider-controlled keys protects against lost disks but not against a compromise of the provider). In addition, enhanced authentication features, such as security tokens attesting to the user's identity or mobile pass codes, should be required for very sensitive transactions or for access from less secure locations such as public Wi-Fi hotspots.
Also, as malware infections can lead to security breaches, the service should provide integrated anti-malware controls, including content inspection of uploaded files and protection of file metadata. It should also protect against spam and phishing attacks, especially since the latter are used in the majority of advanced targeted attacks.
In addition to external threats, the service should be capable of limiting where and with whom files can be shared, and of checking content against data leakage prevention (DLP) policies before a share is allowed, in order to protect against leakage of sensitive content.
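The three controls just described (role-based access control, restrictions on external recipients, and a DLP content check before a share is released) can be combined in one policy decision. The following Python is an added illustration written for this summary; it is not code from the report or from any Mimecast product. The corporate domain, partner allow-list, role table and sample share requests are constructed assumptions. The card-number check pairs a pattern match with a Luhn checksum so that arbitrary 16-digit strings do not trigger false positives.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy values (assumptions for illustration only).
CORP_DOMAIN = "corp.example"
ALLOWED_EXTERNAL_DOMAINS: Set[str] = {"partner.example"}

# Role-based access control: which sharing actions each role may perform.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": set(),                              # may not share at all
    "editor": {"share_internal"},                 # may share inside the company
    "manager": {"share_internal", "share_external"},
}

# DLP patterns. The card pattern allows spaces or dashes between digit groups.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def dlp_findings(text: str) -> List[str]:
    """Return the categories of sensitive content found in the text."""
    findings: List[str] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings.append("payment card number")
            break               # one finding per category is enough for a decision
    if SSN_RE.search(text):
        findings.append("US SSN")
    return findings


@dataclass
class ShareRequest:
    user: str
    role: str
    recipient: str      # e-mail address of the person the file is shared with
    content: str        # text of the file being shared (constructed sample)


def evaluate_share(req: ShareRequest) -> Tuple[bool, List[str]]:
    """Decide whether a share may proceed; returns (allowed, reasons_for_denial)."""
    reasons: List[str] = []
    perms = ROLE_PERMISSIONS.get(req.role, set())
    recipient_domain = req.recipient.rpartition("@")[2].lower()
    internal = recipient_domain == CORP_DOMAIN

    # 1. Role-based access control.
    needed = "share_internal" if internal else "share_external"
    if needed not in perms:
        reasons.append(f"role {req.role!r} lacks permission {needed!r}")

    # 2. Restrict with whom files may be shared outside the organization.
    if not internal and recipient_domain not in ALLOWED_EXTERNAL_DOMAINS:
        reasons.append(f"recipient domain {recipient_domain!r} is not on the allow-list")

    # 3. DLP: block sensitive content from leaving the organization.
    if not internal:
        findings = dlp_findings(req.content)
        if findings:
            reasons.append("DLP policy violation: " + ", ".join(findings))

    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample requests; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        ShareRequest("alice", "manager", "bob@partner.example", "Q3 roadmap draft"),
        ShareRequest("alice", "manager", "bob@partner.example", "Card 4111 1111 1111 1111 exp 12/26"),
        ShareRequest("carol", "editor", "bob@partner.example", "Q3 roadmap draft"),
        ShareRequest("alice", "manager", "eve@mail.example", "Q3 roadmap draft"),
        ShareRequest("carol", "editor", "dave@corp.example", "SSN 123-45-6789 on file"),
    ]
    for s in samples:
        allowed, why = evaluate_share(s)
        print(f"{s.user} -> {s.recipient}: {'ALLOW' if allowed else 'DENY'} {why}")
```

The decision function returns the reasons for a denial so they can be written to the audit trail and shown to the user; a silent block is what drives users back to unsanctioned services. Note that the DLP check is applied only to external recipients here, which matches the leakage concern in the text; a stricter policy could apply it to internal shares as well.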
Administrative processes matter too. End users need clear communication of what is expected of them and of the procedures to follow throughout the file transfer process. To ensure that the service can be used throughout an organization, it should be highly scalable, supporting an unlimited number of users. There should also be no practical file upload limit, in terms of either the volume of files or the size of individual files. Otherwise, users are likely to bypass the service and continue to use consumer-oriented alternatives.
Device and file support: the service should be designed for a wide range of devices, including smartphones and tablets. It should provide access via mobile browsers, the web, and desktop and mobile applications, and should support a wide range of document types. It should therefore integrate with the applications and document types commonly used by organizations, such as Microsoft Office, Office 365, email messaging systems, SharePoint and instant messaging.
End user tools such as self-service signup, file recovery and password resets aid productivity. Users should also be able to search for and retrieve files without IT support, and no action should be required of the user in the event of a service outage, with the service failing over automatically should a disruption occur. Ease of use should be at least as good as that of consumer-oriented services, and the functionality offered must be far superior if the service is to be frictionless. For example, it should be so tightly integrated with programs such as Outlook that users find the experience seamless.
Centralized administration is one of the key features of an enterprise-grade file sharing and storage service. It allows policies covering document retention and deletion, scheduling, alerts and error handling to be defined and enforced in one place. The console should provide reporting functions, including tracking of all activity: logins, devices connected, user identities and locations. To ensure that every action can be attributed to a particular user, and to assist in provisioning and de-provisioning users, the service should integrate natively with Active Directory and other LDAP directories.
A number of features should also be considered for their help in achieving governance and compliance objectives. These include policy-based archiving according to attributes such as file type, size and the date of the last action taken on the file. The service must also be able to honor e-discovery and legal hold requests, and ought to provide fast search and unlimited file retrieval for both administrators and end users.
Awareness and user training are of vital importance, but are often overlooked. Users should be made aware of the security issues surrounding online file sharing services and of the behavior expected of them. Policies on the use of unsanctioned file sharing services should be developed and communicated to employees to prevent them bypassing the approved corporate service, and employees should be trained in the use of the corporate service, since ease of use is paramount for ensuring that it is actively used.
To provide the necessary level of data protection and to benefit from what file sharing services offer in terms of reduced cost, added convenience and improved productivity, my advice is to take a step back - organizations should take a close look at what is already happening within their organization and look to implement a service that caters to all file sharing needs across the organization in a holistic manner. If you'd like to see the full version of the report, you can download a free copy here.
The ‘Taking control of file sharing services’ white paper was commissioned by Mimecast - if you’d like to find out more about Mimecast’s file sharing service, Large File Send, please click here.