Saving money by ignoring data security – a false economy?

October 26th, 2009

We hear it in the news week in, week out. Such-and-such a company has left a laptop containing 4 million unencrypted customer records on a train; a hacker has infiltrated an online payment system and stolen thousands of unsuspecting UK consumers’ credit card details; even today I walked through the door and the first news alert in my email began, “ChoicePoint to pay $275,000 for second data breach.” I can’t help but wonder why.

Recently, I’ve begun research into the current state of data security in the UK. As part of my research I contacted the ICO (Information Commissioner’s Office) and asked them to provide figures detailing reported breaches in the UK over the last few years. According to ICO figures, 2008 saw the loss of sensitive data on 341 separate occasions, spanning all industry sectors. So far this year we have already seen 348 instances of compromised data, with two and a half months still to go! Before I go any further I must stress the word ‘reported’. According to a study conducted by The Ponemon Institute using a sample of 615 UK-based companies, 70% of the companies surveyed had experienced a data breach in the last 12 months, a worrying discovery in itself. Even more surprisingly, nearly 40% of those surveyed did not publicly announce the breach, because as private sector organisations they are under no legal or regulatory requirement to do so.

Taking into consideration the growing prevalence of digital business systems and processes over the past decade, we must all be aware of the importance of data security in a digitally dominated world, especially given the abundance of publicity surrounding data breaches; surely it weighs on the minds of CIOs and IT personnel? So if we are all so acutely aware of the risk, why do some companies not take the precautionary measures required to secure the data they hold or transmit? I can only make assumptions about the factors involved, but I would speculate that it is the cumulative result of several.

Firstly, the big stumbling block: finance. From experience, I know there are companies that struggle to secure the necessary funds from their annual budget to address data security, as it is often deemed non-critical, especially in the current economic climate. Given the prohibitive cost of some of the security solutions out there, I can’t really blame them. On the other hand, many providers are emerging in the marketplace offering affordable, scalable solutions that provide not only the data security companies need but also the ability to streamline business processes and reduce operational costs. Solutions such as these can deliver a significant return on investment and in the long term actually save money: a win-win situation.

The financial consequences of a data breach should also be taken into account. According to a study coordinated by The Ponemon Institute in 2008, the average cost of a UK data breach incident is £1.73 million, substantially more than the cost of securing the data in the first place. Then there are the financial implications of a blow to a company’s reputation; these intangible costs are likely to be well in excess of any fines.

Secondly, I feel the lack of legislation has a big part to play in the predicament organisations find themselves in. Apart from a select few standards such as PCI DSS, the only legal requirements UK businesses currently have to abide by are those set out in the Data Protection Act. The problem is that, until very recently, the majority of this Act has been effectively unenforceable (more on that later). I can’t help but feel that this lack of legislation, and of an authority with real teeth, promotes a certain amount of apathy in organisations. If all of these companies in the public eye are receiving minimal fines and a slap on the wrist for contravening Data Protection law, what is the motivation to spend money on securing data? Consequently, many organisations opt to sit on an unexploded bomb and, when it finally goes off (as it inevitably will), hold their breath and hope no one gets wind of the incident and leaks the news to valued customers.

The recently appointed UK Information Commissioner, Christopher Graham, addressed this very issue in his first speech, at the Annual Privacy and Data Conference in London on 8th October. The crux of his speech is that change is afoot. Mr Graham made it perfectly clear that data privacy and information security are now ‘top of the agenda’ and that, with the new enforcement powers being granted to the ICO in the forthcoming Coroners and Justice Bill, he fully intends to use them to maximum effect. He added: “we’re going to have the resources to go after the bad boys – there’s a well-funded regulator that will hit you hard if you get it wrong… if you don’t take this stuff seriously it’s going to bite you in the bum.” He also stated, “If you breach the law you’re going to be in trouble. It (compliance with data privacy law) isn’t a nice to have – it’s the law of the land. You will destroy brand value and reputation (by ignoring it).” Some strong words!

Finally, although they are aware of the threat of data breaches, in our experience as security specialists we have dealt with a number of companies who believe their data is completely secure when in reality it isn’t. A lack of insight and knowledge when addressing company-wide data security can therefore result in inadequate protection. This is where a security specialist earns their keep: we can’t all be masters of every trade, and data security can be a minefield, so it is sometimes better in the long run to let the professionals handle it.

Taking into account the consequences of losing sensitive data, both the tangible cost to the company and, more significantly, a serious blow to its reputation, is it really worth risking the security of your company’s data to save money in the short term?

See here to find out more about some of the secure file transfer products available in the marketplace.

When is FTP better than Managed File Transfer?

July 21st, 2009

So why FTP, and what’s so great about it? To be honest this isn’t a blog post to evangelise FTP so much as the way in which it works; let’s call it ‘sending files’. With many businesses looking to adopt Managed File Transfer solutions, I thought it worth redressing the balance and putting things into perspective. Managed File Transfer solutions have many good features, but in the case of email-based ones, sending files isn’t one of them. In many cases the Managed File Transfer solution doesn’t actually send anything; rather, it asks the company email server to send an email to a particular recipient. The recipient clicks a link in the email to download the file, or goes to a web site, logs in and downloads the file manually. The responsibility for collecting the file therefore rests with the recipient, so there is no guarantee that the file will get there. In fact there is no guarantee that the email asking the recipient to download the file(s) will get there at all. Whilst Managed File Transfer solutions cater for the majority of ‘file transfer’ uses, they are certainly not the right solution for every scenario.

So what do I mean by ‘sending files’? Historically, the majority of solutions used to send files required a connection to be created between two sites and the files to be pushed to the receiving site using the delivery protocol appropriate to the connection method, e.g. modem, ISDN or IP. A typical example many people will relate to is FTP. A user with an FTP client enters the server details, connects, selects the files to transfer, drags them to the ‘remote server’ window (in many FTP clients) and the transfer starts straight away. Once all the files have been transferred you can see them on the remote server; they are there without question, the files have been delivered.

In contrast, Managed File Transfer solutions that use email messaging to deliver a message requesting download of the files have several potential points of failure. You have to rely on two email servers being willing to deliver the message and not overburdened with other requests, you have to ensure that spam filters don’t whisk away your all-important message, and, probably most importantly, someone has to be there to open and read it and perform the manual process of downloading the file.

In short, FTP file transfer has a place in the enterprise. If you want to push data to a location, with or without manual intervention, then FTP or another file transfer protocol with similar features will do. Certain business-to-business situations rely on data being sent from one location to the next, e.g. a publisher to its printer, where time is of the essence and any doubt about delivery of the data has to be avoided.

Finally, it is possible to make FTP more functional and secure than many Managed File Transfer vendors make out; in fact some Managed File Transfer vendors have it built in. Bear in mind that plain FTP sends credentials and file contents in the clear, so in practice the push model described here is run over FTPS (FTP over TLS) or SFTP, which keep the same push semantics while encrypting the session. Depending on the solution you implement, you can get some great functionality to complement this old delivery protocol, and it is also possible to integrate with workflow solutions, use scripting and utilise APIs and SDKs for complete integration.
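The push-and-confirm behaviour described above, as an added example that is not Pro2col’s code or any vendor’s product. It uses Python’s standard ftplib with FTP over TLS (so the password and the file are not sent in the clear) and, after the STOR, checks the server’s SIZE reply and then reads the file back and compares SHA-256 digests before treating the transfer as delivered. The host, credentials and file names are placeholders, the sample CSV is constructed, and the FakeFtp class is an in-memory stand-in for the server so the script runs offline; connect_ftps() is what you would use against a real server.

```python
"""Push a file over FTP-with-TLS and verify delivery before calling it 'sent'."""
import hashlib
import io
import os
import tempfile
from ftplib import FTP_TLS
from typing import Dict, Optional

# Constructed sample payload (41 bytes); stands in for a real business file.
SAMPLE_CSV = b"invoice_id,amount\n1001,250.00\n1002,75.50\n"


class DeliveryError(RuntimeError):
    """The remote copy does not match what was sent."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def connect_ftps(host: str, user: str, password: str) -> FTP_TLS:
    """Open an FTP session with explicit TLS and protect the data channel too.

    Plain ftplib.FTP would put the password and every file on the wire in clear.
    host/user/password are placeholders supplied by the caller.
    """
    ftp = FTP_TLS(host)
    ftp.login(user, password)
    ftp.prot_p()          # PROT P: data connections are also TLS-protected
    return ftp


def push_and_verify(ftp, data: bytes, remote_name: str) -> Dict[str, object]:
    """STOR the bytes, then prove they landed intact.

    Two checks: the server's SIZE reply (cheap), then a read-back digest (strong).
    With the push model the sender knows immediately whether delivery happened,
    rather than waiting for a recipient to act on an emailed link.
    """
    ftp.storbinary(f"STOR {remote_name}", io.BytesIO(data))

    remote_size = ftp.size(remote_name)
    if remote_size != len(data):
        raise DeliveryError(
            f"{remote_name}: server holds {remote_size} bytes, sent {len(data)}"
        )

    echo = io.BytesIO()
    ftp.retrbinary(f"RETR {remote_name}", echo.write)
    digest = sha256_hex(data)
    if sha256_hex(echo.getvalue()) != digest:
        raise DeliveryError(f"{remote_name}: digest mismatch after upload")

    return {"remote": remote_name, "bytes": len(data), "sha256": digest}


def push_file_and_verify(ftp, local_path: str, remote_name: str) -> Dict[str, object]:
    """Convenience wrapper for pushing a file from disk."""
    with open(local_path, "rb") as fh:
        return push_and_verify(ftp, fh.read(), remote_name)


class FakeFtp:
    """Constructed in-memory stand-in for FTP_TLS so the example runs offline.

    truncate_to models a server that silently stores only part of the file.
    """

    def __init__(self, truncate_to: Optional[int] = None) -> None:
        self.files: Dict[str, bytes] = {}
        self.truncate_to = truncate_to

    @staticmethod
    def _name(cmd: str) -> str:
        return cmd.split(" ", 1)[1]

    def storbinary(self, cmd: str, fp) -> str:
        data = fp.read()
        if self.truncate_to is not None:
            data = data[: self.truncate_to]
        self.files[self._name(cmd)] = data
        return "226 Transfer complete"

    def size(self, name: str) -> int:
        return len(self.files[name])

    def retrbinary(self, cmd: str, callback) -> str:
        callback(self.files[self._name(cmd)])
        return "226 Transfer complete"


def demo() -> Dict[str, object]:
    """Write the constructed sample to a temp file and push it to the fake server."""
    with tempfile.NamedTemporaryFile("wb", suffix=".csv", delete=False) as tmp:
        tmp.write(SAMPLE_CSV)
        path = tmp.name
    try:
        return push_file_and_verify(FakeFtp(), path, "incoming/invoices.csv")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())                                   # delivered and verified
    try:
        push_and_verify(FakeFtp(truncate_to=10), SAMPLE_CSV, "incoming/short.csv")
    except DeliveryError as err:
        print("refused:", err)                      # short file is caught by SIZE
```

The read-back costs a second transfer, which is the price of certainty; for large files a server that supports a hash command (XSHA256 or similar, not in the base FTP specification) avoids it, but the SIZE check alone should not be trusted, as it says nothing about content.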

The dangers of Cloud computing and online business applications

July 14th, 2009

Right now there is a very clear shift towards Cloud Computing, but are we all buying into the concept without considering the implications for our businesses? Wikipedia describes Cloud Computing very simply as “a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet. Users need not have knowledge of, expertise in, or control over the technology infrastructure in the “cloud” that supports them.” It goes on to explain that it can also be described as “technologies that rely on the Internet to satisfy the computing needs of users. Cloud computing services often provide common business applications online that are accessed from a web browser, while the software and data are stored on the servers.”

The key points to take from the above description are that ‘business applications’ are provided online and that the ‘software and data’ are stored remotely. With security of data uppermost in the minds of many an IT professional, it is worth pointing out that there has been a rise in the number of companies using online file transfer applications to send mission-critical information to trading partners. Whilst many of these systems encrypt the data in transit, using a variety of options that invariably come down to SSL or 3DES, many users don’t consider the implications of that data then residing, unprotected by that transport encryption, on remote servers while it waits for secure collection by the intended recipient.

An interesting, yet worrying, article by Eric M. Fiterman called Cloud Danger: Drag and Drop Theft highlights the inadequacies of the audit tools for the virtual cloud space. He points out that anyone with access to the servers providing your business with a service could very easily walk away with confidential information:

“If your service provider has physical access to your environment, any person with access to the virtual servers can perform activity on your server. Think that some malicious activity involving your virtual memory would be logged or monitored? It’s not likely; audit tools for much of the virtual-cloud space appear to be non-existent. This means I could easily perform some malicious activity on your server – such as copying a file containing personally identifiable information off your server – then rollback the state of the server to hide my activity. You’ll never even know it was taken.”

When choosing a file transfer solution, it is imperative that you know not only that your data will be secure whilst traversing the Internet, but also that it is secure on the servers that host it. Whilst it is almost impossible to guarantee the security of your data at any time, doesn’t it make more sense to have an in-house, securely managed file transfer solution?
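One way to close the gap the post describes, where the file is encrypted on the wire but sits in plaintext on the provider’s server, is to encrypt it on the sender’s machine before it is uploaded, so that whoever can copy files off the hosting server (or roll the server back to hide having done so) gets only ciphertext. The following is an added example, not Pro2col’s code or any product’s API. It assumes the ‘cryptography’ package is installed, that the AES key is exchanged with the recipient out of band rather than stored on the transfer server, and a hypothetical container layout (a four-byte tag, a 96-bit nonce, then the AES-GCM ciphertext). The intended file name is bound as associated data so that a blob copied or renamed on the server will not open under another name. File names and contents are constructed.

```python
"""Seal a file on the sender's side so the hosting server only ever holds ciphertext."""
import os
from typing import Dict

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"E2E1"      # hypothetical container tag for this example
NONCE_LEN = 12       # 96-bit nonce, the size AES-GCM is specified for
TAG_LEN = 16         # GCM authentication tag appended by encrypt()


def new_key() -> bytes:
    """256-bit AES key: generated once, shared out of band, never uploaded."""
    return AESGCM.generate_key(bit_length=256)


def seal(key: bytes, plaintext: bytes, remote_name: str) -> bytes:
    """Produce the blob that is handed to the transfer service.

    remote_name is authenticated (not encrypted) as associated data, so the
    ciphertext is tied to the name it was meant to be collected under.
    """
    nonce = os.urandom(NONCE_LEN)                    # fresh per file; never reuse with a key
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, remote_name.encode())
    return MAGIC + nonce + ciphertext


def open_sealed(key: bytes, blob: bytes, remote_name: str) -> bytes:
    """Recipient side: decrypt, rejecting anything altered or relabelled at rest."""
    header = len(MAGIC) + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < header + TAG_LEN:
        raise ValueError("not a sealed blob")
    nonce, ciphertext = blob[len(MAGIC):header], blob[header:]
    try:
        return AESGCM(key).decrypt(nonce, ciphertext, remote_name.encode())
    except InvalidTag:
        raise ValueError(f"{remote_name}: tampered, wrong key or wrong name") from None


def tampered(blob: bytes) -> bytes:
    """Flip one bit in the ciphertext to model modification on the hosting server."""
    altered = bytearray(blob)
    altered[-1] ^= 0x01
    return bytes(altered)


def demo() -> Dict[str, object]:
    """Seal a constructed payroll file and show what the server, and an attacker, can do."""
    key = new_key()
    payroll = b"employee,ni_number,salary\nA. Smith,QQ123456C,42000\n"   # constructed
    name = "payroll-2009-07.csv"
    blob = seal(key, payroll, name)

    results: Dict[str, object] = {
        "round_trip": open_sealed(key, blob, name) == payroll,
        # What the server stores: no field of the plaintext is visible in it.
        "leaks_plaintext": b"QQ123456C" in blob,
    }
    # A copy modified at rest, and a copy renamed at rest, must both be refused.
    for label, bad_blob, bad_name in (
        ("tampered", tampered(blob), name),
        ("renamed", blob, "payroll-2009-08.csv"),
    ):
        try:
            open_sealed(key, bad_blob, bad_name)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

This only helps if the key never lands on the same server as the blob; a transfer service that ‘encrypts at rest’ with a key it also holds is back in the situation Fiterman describes. It also does nothing about the audit gap he raises: the provider can still copy the blob and roll back the logs, but what they copy is no longer readable.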

Pro2col’s on Twitter

July 3rd, 2009

Pro2col has been on Twitter for a while now and we’re starting to get the hang of it, with over 1,000 followers. We hope to be all things file transfer to the marketplace at some point; we’ve a little way to go with our portfolio at the moment, but we’re talking to a number of vendors about adding some additional solutions. Watch this space!

As this is our first blog entry I want to keep it brief, but at the same time introduce the UK team:

  • James Lewis – Owner and responsible for Sales & Marketing
  • Charles Snell – Owner and responsible for Technical Services & Support
  • Lindsay Lewis – Marketing and Office Manager
  • Bibi Langston – Technical Support Engineer
  • Peter Fox – Technical Support Engineer
  • Lisa Arnold – Sales and Accounts Administration

You can contact any one of us by email using our initials in front of @pro2col.com, e.g. jl @ pro2col.com (obviously without the spaces).

We’d love to hear from anybody who has any burning questions about file transfer in general or about specific solutions, and if you have any recommendations for blog topics please feel free to get in touch.