Ease Audits and Prevent Regulatory Fines with Managed File Sharing

by Rohit Khanna | insiderPROFILES

July 1, 2013

Chief security officers and IT teams work rigorously to avoid security slip-ups in their organizations that can result in serious financial penalties. Unfortunately, many businesses leave a critical crack in the compliance infrastructure by neglecting to plug a major source of data leaks: company insiders. Learn how Managed File Transfer (MFT) technology can help companies avoid compliance chaos.
 

Organizations everywhere are feeling the financial pain of running afoul of regulatory mandates. BlueCross BlueShield of Tennessee was fined US $1.5 million for a data breach that exposed personal health information on more than one million members [1]. The UK's Greater Manchester Police paid £120,000 for a lapse that compromised details about 1,000 people linked to serious crime investigations [2]. Sony's European arm was slapped with a £250,000 penalty for a hack of the company's PlayStation Network that jeopardized personal data on 77 million customers [3].

Chief security officers and IT teams work rigorously to avoid security slip-ups that lower the regulatory boom on their companies. They build costly perimeters around their networks to keep hackers at bay and to fulfill the data security requirements of mandates ranging from HIPAA, PCI DSS, Sarbanes-Oxley, and Gramm-Leach-Bliley in the US to Basel II, the Data Protection Act, and EU Directive 95/46/EC overseas. They may establish encryption policies to protect data on laptops, hard drives, or USB keys in the event the devices are lost or stolen.

Unfortunately, however, many businesses leave a critical crack in the compliance infrastructure by neglecting to plug a major source of data leaks: company insiders.

According to a Forrester survey, 47% of security breaches are caused by either inadvertent misuse (32%) or deliberate abuse (15%) by an employee or business partner [4]. Yet most organizations have no way of controlling who shares what with whom or of maintaining a central record of file exchange activity. This complicates compliance audits as well as forensic investigations and e-discovery initiatives if an insider-caused breach occurs.

Putting Companies at Risk

The problem is thousands or even tens of thousands of unstructured files circulate between people and systems every day, at every company, using unsafe and unmonitored methods of data exchange. Microsoft Word documents, PowerPoint presentations, CAD designs, customer lists, financial statements, contracts, RFPs, and more fly across the enterprise and supply chains with relatively little governance or traceability.

FTP servers are scattered across different locations and business units with no central visibility. Network shares lack an audit trail and version control. Storage devices like USB drives and CDs are easily lost or misplaced. Email is insecure, largely beyond the reach of corporate governance policies, and typically unable to handle attachments larger than 10MB. Web-based consumer file sharing services like YouSendIt and Dropbox, now used by nearly one-fourth of information workers [5], lack enterprise security controls and central activity logging.

On top of all of this, the rise of mobile computing has added a whole new layer of challenges. In addition to needing real-time information exchange to do business, many mobile users today upload critical documents to online services to avoid carrying a laptop or digging through email attachments on the road. This increases the number of files flowing in and out of the enterprise without a “traffic cop” to keep things in order.

The result is compliance chaos. There is no way to enforce corporate and regulatory information security policies, guarantee or track file delivery, or merge all of these disparate file sharing channels into a single audit trail.

Securing, Centralizing, and Governing File Exchange

Companies can avoid this compliance chaos by replacing their fragmented, everyone-for-themselves file sharing landscape with Managed File Transfer (MFT) technology. In this approach, all large and/or sensitive file exchanges are encrypted, authenticated, managed, routed, and tracked through a single system. This not only increases security — a compliance necessity — but also simplifies regulatory compliance by centralizing visibility, administration, auditing, and reporting.

The strength of MFT technology lies in its unified architecture. MFT platforms can control file transfers inside or outside the firewall, whether ad hoc or scheduled. They cover user-to-user exchange between colleagues or with third parties, such as customers; system-to-system transfers that move application data between servers; user-to-system transfer scenarios for data updates; and desktop-to-mobile file transfers for users on the road.

Systems like SEEBURGER Managed File Transfer can also ensure safe data exchange with offshore manufacturing facilities, outsourced professional services, remote offices, and others with erratic network connections, limited bandwidth, or no business integration infrastructure.

Improving Compliance — Five Ways

With an MFT platform in place, organizations have powerful protections against insider-caused data leakage and associated compliance problems. Key governance and compliance benefits provided by advanced MFT systems include:

  1. Enhanced security. Features such as automatic encryption of transmissions; checkpoint and restart capabilities that guarantee file delivery when a network connection is lost mid-transfer; and notification of transmission failures help companies remain compliant and secure.
  2. Automatic policy enforcement. Rules-based routing ensures that the right file is transmitted to the right person at the right time. Administrators can establish rules on who can send what to whom, whether a manager must approve certain types of transmissions, if a given file must be routed with a specific protocol like SFTP or AS2, who has access to that file, and more.
  3. Automated content filtering. Integrated data loss prevention (DLP) technology blocks transmission of any file containing data that violates corporate security or regulatory policies. Administrators can flag terms like “confidential,” “Social Security numbers,” or “earnings,” and the DLP engine will check for those terms before a file is sent to help keep sensitive data out of the wrong hands.
  4. A complete audit trail. Real-time visibility of all data exchange activity, including the authenticated identity of every person involved in each step, enables easy message tracking, supports non-repudiation (users cannot credibly deny having sent or received a file), and expedites compliance audits.
  5. Secure mobile file sharing. MFT systems enable users to download and upload business files to and from their tablets or smartphones with the same automatic encryption, policy enforcement, and centralized file transfer management and tracking as other files.
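
As an added example that is not part of this article or of any SEEBURGER product, the following Python sketch shows how the policy enforcement, content filtering and audit trail described in points 2 to 4 fit together in one gate that every outbound transfer passes through. The sender groups, recipient domains, required protocols, flagged terms and the HMAC key are constructed values for illustration; the SSN pattern check goes slightly beyond the article's keyword list to show why matching the structure of an identifier matters, not just its name.

```python
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical routing policy (constructed for this example): which sender
# groups may send to which recipient domains, which protocol their files must
# travel over, and whether a manager must approve the transfer first.
ROUTING_RULES = {
    "finance": {"allowed_domains": {"example.com", "auditor.example"},
                "protocol": "SFTP", "needs_approval": True},
    "engineering": {"allowed_domains": {"example.com", "partner.example"},
                    "protocol": "AS2", "needs_approval": False},
}

# DLP layer: literal terms (as in the article) plus a regex for the *shape* of a
# US Social Security number, so "123-45-6789" is caught even when the words
# "Social Security number" never appear in the file.
FLAGGED_TERMS = ("confidential", "social security number", "earnings")
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

AUDIT_KEY = b"constructed-demo-key-not-for-production"  # assumption: held by the MFT system only


@dataclass
class TransferRequest:
    sender: str
    sender_group: str
    recipient: str
    filename: str
    content: bytes
    protocol: str
    approved_by: Optional[str] = None


class AuditLog:
    """Append-only log. Each record carries the hash of the previous record and an
    HMAC over its own contents, so edits or deletions inside the chain are detectable.
    (Truncation of the tail is not: anchor the latest head hash externally for that.)"""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []
        self._prev = "0" * 64

    def append(self, event: dict) -> dict:
        body = dict(event, prev=self._prev)
        canonical = json.dumps(body, sort_keys=True).encode()
        tag = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
        record = dict(body, tag=tag)
        self.records.append(record)
        self._prev = hashlib.sha256(canonical).hexdigest()
        return record

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "tag"}
            if body.get("prev") != prev:
                return False
            canonical = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._key, canonical, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(rec["tag"], expected):
                return False
            prev = hashlib.sha256(canonical).hexdigest()
        return True


def dlp_findings(content: bytes) -> list:
    """Return a list of DLP hits; SSN matches are masked so the log itself does not leak them."""
    text = content.decode("utf-8", errors="replace")
    lowered = text.lower()
    findings = ["term:" + t for t in FLAGGED_TERMS if t in lowered]
    findings += ["ssn:" + m.group()[:3] + "-**-****" for m in SSN_RE.finditer(text)]
    return findings


def evaluate(req: TransferRequest, log: AuditLog) -> tuple:
    """Apply routing rules and DLP, write one audit record either way, return (decision, reasons)."""
    reasons = []
    rule = ROUTING_RULES.get(req.sender_group)
    if rule is None:
        reasons.append("unknown sender group " + req.sender_group)
    else:
        domain = req.recipient.rsplit("@", 1)[-1].lower()
        if domain not in rule["allowed_domains"]:
            reasons.append("recipient domain %s not allowed for %s" % (domain, req.sender_group))
        if req.protocol != rule["protocol"]:
            reasons.append("protocol %s not permitted; policy requires %s" % (req.protocol, rule["protocol"]))
        if rule["needs_approval"] and not req.approved_by:
            reasons.append("manager approval required")
    findings = dlp_findings(req.content)
    if findings:
        reasons.append("DLP: " + ", ".join(findings))
    decision = "deny" if reasons else "allow"
    log.append({"sender": req.sender, "recipient": req.recipient, "file": req.filename,
                "sha256": hashlib.sha256(req.content).hexdigest(), "protocol": req.protocol,
                "decision": decision, "reasons": reasons})
    return decision, reasons


if __name__ == "__main__":
    log = AuditLog(AUDIT_KEY)
    # Constructed sample transfers: one that breaks several rules, one that is clean.
    bad = TransferRequest("alice@example.com", "finance", "bob@partner.example", "q3.xlsx",
                          b"Q3 earnings draft. Employee SSN 123-45-6789", "FTP")
    good = TransferRequest("alice@example.com", "finance", "cfo@example.com", "memo.txt",
                           b"Lunch menu for Friday", "SFTP", approved_by="carol@example.com")
    print(evaluate(bad, log))
    print(evaluate(good, log))
    print("audit chain intact:", log.verify())
```

Two design points matter in practice. Keyword matching is the weakest DLP layer (renaming a term or zipping the file defeats it), so structural patterns for identifiers and document fingerprinting should sit alongside it. And an HMAC only proves that the MFT system wrote the record; non-repudiation against a user rests on the strength of the authentication that tied that user to the transfer, or on a per-user signature over the file hash.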

In addition, MFT systems are engineered to meet specific security and technical requirements of regulatory mandates, including protecting data both in motion and at rest.

With more than 80% of corporate information assets estimated to reside in unstructured files rather than in structured files coming from systems like ERP and EDI/B2B solutions, unstructured files bear the lion’s share of the compliance risk when it comes to data exchange. Adopting MFT technology can dramatically reduce that risk and protect your company from the fallout of a compliance breach.

Learn More

To read more about the benefits of MFT technology for compliance, visit www.seeburgermft.com or download the white paper “Secure Managed File Transfer: Bringing Coherence & Control to Compliance” at www.seeburger.com/uploads.  

Rohit Khanna
Executive Vice President of Global Strategy and Corporate Development
SEEBURGER AG

[1] Health Data Management, "OCR Fines BCBS Tennessee $1.5 Million for Breach" by Joseph Goedert (March 13, 2012).

[2] Data Breach Today, "Police Pay £120,000 Breach Fine" by Jeffrey Roman (October 16, 2012).

[3] InformationWeek Security, "Sony Slapped With $390,000 U.K. Data Breach Fine" by Gary Flood (January 24, 2013).

[4] Forrester Research, "Understand The State Of Data Security And Privacy: 2012 To 2013" by Heidi Shey (January 7, 2013).

[5] Forrester Research, "Forrsights Workforce Employee Survey, Q4 2012" (October 2012).
