11 proven tactics to safeguard file transfers and prevent data breaches
File transfer environments, with their many moving parts and frequent handling of sensitive data, require multiple layers of security. Here are 11 proven security tactics we’ve outlined for quick consumption. Feel free to go over them while on the go.
1. Steer clear of unencrypted file transfer protocols
What to do
Avoid using unencrypted protocols like File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) when transferring files over insecure networks like the internet.
Why it matters
Data sent over unencrypted protocols can be intercepted with packet sniffers and similar tools. If that data includes login credentials, such as usernames and passwords, whoever obtains them can use them to gain unauthorized access to your file transfer system.
Impact on security
Mitigates the risk of a data leak when you transfer files over an insecure network.
Pro tip
Shift to encrypted alternatives such as Secure File Transfer Protocol (SFTP), File Transfer Protocol over SSL/TLS (FTPS) and Hypertext Transfer Protocol Secure (HTTPS).
2. Encrypt files while stored
What to do
When you store user files on your server, make sure you encrypt them with OpenPGP or other similar data-at-rest encryption tools.
Why it matters
Files stored in unencrypted form can be vulnerable to threat actors that target servers or storage devices. If those files contain sensitive data, you could suffer a reputation-damaging data breach.
Impact on security
Mitigates the risk of a data breach even if a threat actor manages to compromise your server or storage device.
Pro tip
If your file transfer solution supports it, configure your solution so that it automatically encrypts files upon upload.
3. Choose strong encryption
What to do
Use cryptographic algorithms and key lengths that have been proven to be computationally infeasible to break with current technology.
Why it matters
Some cryptographic algorithms and key lengths can be broken with readily available tools. The moment they are, the data they’re supposed to protect will be exposed.
Impact on security
Ensures data confidentiality is truly preserved and that you’re not relying on a false sense of security.
Pro tip
Use widely recognized cryptographic algorithms and key lengths like AES-256. For highly sensitive data, stick with cryptographic elements recognized by security standards such as Federal Information Processing Standards (FIPS) 140-2.
4. Implement access controls
What to do
Grant users the minimum level of access or permissions they need to accomplish their tasks.
Why it matters
Malicious insiders or even threat actors who have taken over legitimate accounts can do more damage if the accounts they’re using possess more privileges than they’re supposed to have.
Impact on security
Limits what threat actors and malicious insiders can do, including data access, data deletion, system disruptions, lateral movement or privilege escalation.
Pro tip
Enable multiple access control mechanisms to establish a multi-layered defense, including IP-based access, file/folder access rights and time-based access.
5. Use multi-factor authentication
What to do
Add one or more authentication factors to the usual password-based authentication.
Why it matters
Password-based authentication is susceptible to a wide range of threats, including brute force attacks, man-in-the-middle attacks, credential stuffing, shoulder surfing, social engineering and phishing.
Impact on security
Prevents a threat actor from taking over an account even if that account’s password has already been compromised.
Pro tip
When choosing an additional authentication factor, take into account both security and user convenience. For example, you can use time-based one-time passwords (TOTP) generated by an authenticator app, which many users find easy to configure and easily accessible.
6. Set access limits for shared files
What to do
When sharing files through ad hoc file transfer, limit access by protecting download links with passwords.
Why it matters
A download link that’s unintentionally shared with an unauthorized individual can lead to a data breach.
Impact on security
Mitigates the risk of a data breach due to accidentally shared download links.
Pro tip
If your file transfer solution supports the capability, set an expiration date for the download link as well.
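One way to combine a link password with an expiration date, as an added example rather than the mechanism of any specific product. The URL layout, the `SERVER_KEY` secret and the function names are assumptions, and `file_id` is assumed not to contain `|`.

```python
import hashlib
import hmac
import os
import time

# Assumption: a server-side signing secret; generated per run for this demo.
SERVER_KEY = os.urandom(32)

def _sign(file_id, expires):
    # The signature binds the expiry to the file, so it cannot be edited in the URL.
    msg = f"{file_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def create_link(file_id, password, ttl_seconds, now=None):
    """Return (url, record); the record with the salted hash stays server-side."""
    now = time.time() if now is None else now
    expires = int(now) + ttl_seconds
    salt = os.urandom(16)
    record = {"salt": salt, "pw_hash": _hash_pw(password, salt)}
    url = f"/download/{file_id}?exp={expires}&sig={_sign(file_id, expires)}"
    return url, record

def check_download(file_id, expires, sig, password, record, now=None):
    """Validate signature, then expiry, then password; return a status string."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(sig, _sign(file_id, expires)):
        return "bad-signature"
    if now >= expires:
        return "expired"
    candidate = _hash_pw(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return "bad-password"
    return "ok"
```
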
7. Scan files for malware
What to do
Scan uploaded files for the presence of ransomware, worms, viruses and other types of malware.
Why it matters
Malware-infected files uploaded to a shared folder can lead to a malware outbreak.
Impact on security
Prevents the spread of malware due to an infected file upload.
Pro tip
If possible, use Internet Content Adaptation Protocol (ICAP) antivirus scanning to prevent computationally intensive virus scans from affecting server performance.
8. Implement Data Loss Prevention (DLP)
What to do
Implement DLP, which scans files for sensitive data and then executes a predefined action that prevents the data in question from being exposed.
Why it matters
Some files contain sensitive data such as bank account numbers, credit card numbers and Social Security numbers. If this information falls into the wrong hands, individuals associated with it may be subjected to identity theft.
Impact on security
Mitigates the risk of a data breach involving sensitive data.
Pro tip
Always enable DLP on shared folders, as these folders are normally accessed by multiple users. Hence, the chances of an unintentional data leak can be quite high.
9. Train employees on secure file transfer practices
What to do
Educate employees about risks in file transfer environments and train them to mitigate those risks.
Why it matters
No matter how strict your security policies are or how robust your security tools are, threat actors can still access your systems through your weakest link — your end users.
Impact on security
Mitigates security risks associated with insecure user practices such as the use of weak passwords, unencrypted protocols and shadow IT.
Pro tip
Conduct security training sessions regularly to update users about the latest threats, refresh their memory and cultivate a security-aware culture.
10. Enforce password policies
What to do
Take a proactive approach to enforcing strict password policies (e.g., requiring long passwords that include uppercase and lowercase letters, numbers and special characters). Don’t wait for users to adhere to the policy. Instead, automate enforcement in your file transfer system.
Why it matters
Regardless of how often users are reminded of security best practices, some users can be non-compliant. Others are simply forgetful. Therefore, you shouldn’t leave policy enforcement completely in their hands.
Impact on security
Reduces reliance on end users to enforce policy themselves and increases overall adherence to policy.
Pro tip
Passwords, regardless of how strong, are vulnerable to a wide range of attacks. Combine them with other factors of authentication. Review #5.
11. Log and monitor file transfer activities
What to do
Maintain detailed logs of both user and administrator activities.
Why it matters
Cyber incidents are a matter of when, not if. When they occur, detailed audit logs provide critical insights for root cause analysis and can help you understand how the incident developed.
Impact on security
Provides an audit trail for digital forensic investigation. The knowledge gained can be used to inform your future security strategies.
Pro tip
You can also use logs to detect suspicious events and then act on them before they escalate into full-blown cyber incidents.
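Detection over file transfer logs, as an added example not tied to any product's log format. The log layout, event names, thresholds and sample lines are constructed; the rule flags a burst of failed logins from one address and a successful login that follows it.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse(line):
    """Split '<ISO time> <EVENT> key=value ...' into its parts."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields

def detect(lines, threshold=3, window=timedelta(minutes=5)):
    """Return alerts as (rule, source ip, user) tuples, in log order."""
    fails = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        ts, event, f = parse(line)
        recent = fails[f["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if event == "LOGIN_FAIL":
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("failed-login burst", f["ip"], f["user"]))
        elif event == "LOGIN_OK" and len(recent) >= threshold:
            # A success right after a burst suggests a guessed password.
            alerts.append(("success after burst", f["ip"], f["user"]))
            recent.clear()
    return alerts

# Constructed sample log lines (documentation IP ranges).
SAMPLE_LOG = [
    "2024-05-01T02:14:01Z LOGIN_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T02:14:03Z LOGIN_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T02:14:05Z LOGIN_FAIL user=alice ip=203.0.113.7",
    "2024-05-01T02:14:09Z LOGIN_OK user=alice ip=203.0.113.7",
    "2024-05-01T09:00:00Z LOGIN_FAIL user=bob ip=198.51.100.20",
    "2024-05-01T09:00:30Z LOGIN_OK user=bob ip=198.51.100.20",
]
```
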
Next steps
File transfer-targeted cyber threats can come from different directions and manifest in various shapes and forms. By adopting all the security measures recommended above, you’ll be able to establish a robust, multi-layered defense against a wide range of threats and significantly reduce the risk of a data breach, operational disruption and other cyber incidents.
That being said, there are certain types of threats that fall beyond the scope of any of the controls recommended above. Zero-day exploits are one of them. We’ve covered zero-day threats and how to address them in our comprehensive secure file transfer guide. Do check it out.