When you transfer documents as part of business operations, security is crucial. The growing volume of sensitive information involved in these activities puts businesses at greater risk of a data breach. If that information falls into the wrong hands, your business could suffer from reputational damage, lawsuits, regulatory penalties and other business-impacting consequences.
The average cost of a data breach is now USD 4.88M.
We’re sure you would not want to be part of a growing list of companies facing such devastating financial losses. To help you mitigate those risks, we’ve put together eight cybersecurity best practices designed to secure your document transfers.
1. Identify common threats to document security
To defend against threats, you must first know what they are and how they operate. When it comes to document transfers, your greatest threats include the following:
Man-in-the-middle (MITM) attacks: Threat actors that carry out MITM attacks intercept your file transfer connections in order to steal sensitive data or tamper with it. If they’re lucky enough to grab an end user’s username and password, these attackers can then use those credentials to log on to your file transfer server.
Server hackers: Hackers can break into your file transfer servers by using stolen credentials (e.g., through an MITM attack, credential stuffing, shoulder surfing, etc.), performing brute force attacks, exploiting unpatched software vulnerabilities, cross-site scripting (for web-based file transfer solutions) and other types of attacks.
Malware: These include viruses, worms, ransomware and other forms of malicious software that can infect your server through a file upload. Once inside, this malware can corrupt your system, lock up your files or degrade your server’s performance.
Insider threats: Also known internal threats, these are people you trust that deliberately or accidentally compromise the security of your file transfer system. They may belong to your organization or third-parties that have been granted access to your systems.
Now that you know the most common threats against your file transfer workflows, we can discuss some of the countermeasures you can apply against them.
2. Always send documents using secure file transfer protocols
Using secure file transfer protocols is a big step in protecting your sensitive files against threats. Most secure file transfer protocol implementations already come with at least three essential security features: data-in-transit encryption, a client and server authentication mechanism and a data integrity check mechanism.
- Data-in-transit encryption: Protects data confidentiality by rendering transmitted files unreadable to non-recipients. If an MITM attacker intercepts a file transfer connection protected by data-in-transit encryption, that attacker won’t be able to obtain any useful information.
- Client and server authentication mechanism: Ensures that the client is connecting to the right server and that the server is accepting requests from a legitimate client or user.
- Data integrity check mechanism: Checks if a received document was tampered along the way.
Some of the most commonly used secure file transfer protocols include the following:
- File Transfer Protocol Secure (FTPS): The secure version of plain FTP, FTPS derives its security capabilities from Secure Sockets Layer/Transport Layer Security (SSL/TLS).
- Hypertext Transfer Protocol Secure (HTTPS): The secure version of plain HTTP, HTTPS likewise derives its security functions from SSL/TLS.
- Secure File Transfer Protocol (SFTP): A file transfer protocol that derives its security capabilities from Secure Shell (SSH).
For a more complete list of file transfer protocols and their corresponding descriptions, check out our post: 12 file transfer protocols for businesses.
3. Implement strong authentication and access controls
Secure file transfer protocols already provide some form of user authentication, which allows your file transfer server to check if the requesting party has a valid user account. In most cases, the user authentication method used is password-based authentication. Although password authentication offers a decent level of security against unauthorized access, it’s also susceptible to a wide range of attacks. These attacks include MITM, brute force, credential stuffing, shoulder surfing and others.
To further minimize the risk of unauthorized access, you should augment password protection with at least one more methods of authentication. For example, if you’re using SFTP, you can combine passwords with SFTP keys. Other options include biometrics, security tokens and Time-based One-Time Passwords (TOTPs). By adding another layer of security to the authentication process, you’ll make it substantially more difficult for a hacker to log on to your server.
In addition to user authentication, you must also institute other access control mechanisms that limit what authenticated users can do once they’ve already logged on to your system. For instance, you might have a group of users that have access to a shared directory. However, you might want to control those users’ permissions based on their job roles and their need-to-know. These additional security measures ensure that only authorized individuals have access to sensitive data.
Recommended read: Groups and their role in regulatory compliance
4. Encrypt files when stored
Although threat actors can intercept an unencrypted file transfer connection to steal sensitive data, it would be more cost-effective for them to target file transfer servers themselves. It’s in your file transfer servers where the bulk of your data resides.
For this reason, it’s important to encrypt documents as soon as they reach your server. Data-at-rest encryption can prevent a hacker that has broken into your server from stealing sensitive information without the required decryption keys. If your file transfer solution supports it, you can set up an automated workflow that encrypts files using Pretty Good Privacy (PGP) upon upload. PGP can encrypt data-at-rest and can also be used to encrypt files at the sending side to provide end-to-end encryption.
Alternatively, you can integrate your file transfer solution with a storage system that has built-in data-at-rest encryption capabilities. For instance, reputable cloud storage services like Dropbox, Google Drive, Amazon S3 and Microsoft Azure Storage, all have built-in data-at-rest encryption capabilities. In fact, these storage services use AES-256 to encrypt stored files. AES-256 is one of the strongest ciphers in the world, and is compliant with Federal Information Processing Standards (FIPS) 140-2.
Recommended read: Using AES-256 to encrypt files you upload to your S3 trading partner
Recommended read: Using AWS KMS to encrypt files you upload to your S3 trading partner
.png?width=2500&height=525&name=FINAL_JSCAPE_CTA_wText_ver2%20(1).png)
Whichever data-at-rest encryption method you use, the key is to encrypt documents as soon as they arrive. The goal is to reduce, or even eliminate, a threat actor’s window of opportunity to exploit documents while they’re in unencrypted form.
Advanced file transfer solutions, like JSCAPE MFT by Redwood, seamlessly integrate with various cloud storage services and support PGP, so you might want to check them out. If you’d like to see these capabilities — along with several other security features mentioned in this post — in action, you may schedule a quick demo now.
5. Set access limits when sharing files
Many file-sharing solutions allow users to share files through a hyperlink. That hyperlink can be sent through email, a messaging app or some other out-of-band channel. While convenient, this file-sharing method has obvious vulnerabilities. If the link is accidentally shared with an unauthorized individual, the confidentiality of the document being shared could be compromised. Moreover, as long as the link is left active, the document is always at risk of a data leak.
When your users share files with other users through a sharing link, they should make it a habit to set access limits to that link. Not only should they set an expiration date for that link, but they should also protect it with a password and, if possible, limit the number of times the shared document can be downloaded. Again, the purpose of these security measures is to reduce a threat actor’s window of opportunity to exploit the link.
In managed file transfer (MFT) solutions, large files can be conveniently shared via email through a secure method known as ad-hoc file transfer. If you prefer to share files through email but don’t want to be hampered by the file size limitations of your email provider, check out that method.
6. Implement data loss prevention (DLP)
One way to prevent any logged-on individual, whether a legitimate user or an internal threat, from downloading documents that contain known sensitive data is to apply a security feature known as data loss prevention (DLP). If present, this feature detects sensitive data such as credit card numbers, social security numbers, International Bank Account Numbers (IBANs) and national insurance numbers.
Once the DLP feature detects these types of data in a document, it automatically takes appropriate action. The actions taken would depend on how the DLP module is configured. For instance, it can block any attempt to download the document and send you an email notification about the detection. We’ve published a three-part post illustrating how DLP is used to protect credit card data on JSCAPE MFT. Do check it out.
7. Implement malware protection
You can’t control what files users upload to your server. That can be a problem. What if they accidentally upload some type of malware? Due to the sheer number of files that are uploaded to a file transfer solution at any given time, that scenario is always a possibility.
Worse, since your server may be accessed by dozens, hundreds or even thousands of users, a single malware upload could potentially affect other systems in a short period of time. To prevent any malware outbreak, it’s crucial to implement some form of malware protection. If your file transfer solution comes with a built-in anti-virus function, make sure you enable it. And if it doesn’t, it’s probably time to look for one that does.
Recommended read: What ICAP antivirus scanning means for your file transfers
8. Ensure compliance with data privacy and protection laws and regulations
Documents that contain certain types of personal data are usually subject to data security and privacy laws and regulations such as the:
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry Data Security Standard (PCI DSS)
- European Union’s General Data Protection Regulation (GDPR)
These laws and regulations require a laundry list of security controls for compliance. If your organization is governed by any of these laws/regulations, make sure your file transfer solution has enough functionality to meet those requirements. Otherwise, you’ll be forced to integrate additional third-party tools to achieve regulatory compliance — or face significant fines and penalties for non-compliance.
If you think your organization is impacted by one or more of these regulations but aren’t familiar with the relevant requirements and how to meet them, you may use the following articles for guidance:
Recommended read: Guide to HIPAA compliant file transfers
Recommended read: Guide to PCI DSS compliant file transfers
Recommended read: Ensuring GDPR readiness with MFT Server
9. Educate your employees on secure file sharing and transfer practices
Unless all your document transfers are conducted via fully-automated server-to-server file transfers, your employees should play a major role in implementing your security strategy. If some employees aren’t on board with your strategy, they may circumvent the best practices we just talked about. If that happens, those employees’ actions will introduce vulnerabilities that threat actors can exploit.
To prevent that from happening, cultivate a culture of security awareness by educating your employees about the risks of poor document transfer practices and the corresponding consequences. Explain how a data breach can affect your organization and, as an offshoot, their job security. More importantly, train them to follow the best practices you have instituted.
Why use an MFT solution to implement secure document transfers?
We’ve mentioned JSCAPE MFT twice in this article. Allow us to explain what it is. JSCAPE MFT belongs to an advanced, enterprise-level category of solutions that are capable of supporting almost all types of secure file transfer and secure file sharing services. MFT solutions can even support fully-automated, real-time data transfers.
JSCAPE MFT, in particular, comes with an extensive selection of secure file transfer protocols and an array of additional security features. These include access controls, multi-factor authentication, data-at-rest encryption, file sharing access limits, DLP, malware protection and many others. JSCAPE MFT’s security capabilities simplify the processes involved in protecting document transfers and meeting compliance requirements.
JSCAPE MFT comes in two forms:
- An on-premises server application known as JSCAPE MFT Server and
- A Software-as-a-Service (SaaS) solution also known as JSCAPE SaaS.
Both solutions are offered under cost-effective pricing that can be customized to suit your specific needs. Book a quick demo and discover the ideal way of conducting secure document transfers.