Many organisations fall into the dangerous trap of unmanaged file sharing. The situation often arises when a project group starts to collaborate and version control, via email exchanges, starts to become an issue due to the complexity of the edits and number of people involved. Project groups eager to get on with the business at hand may instead turn to an ad-hoc file sharing and collaboration service, which can lead to serious problems, including data leakage.
Unfortunately, IT departments are often unaware of this ad-hoc file sharing activity, which tends to grow as projects and teams evolve. What may have originally started as a small team within a single department sharing content in this manner, may ultimately grow to include multiple departments, partners, suppliers and external specialists from PR or marketing.
However, as this file-sharing group is not managed and monitored, it is easy for sensitive documents to be accidentally sent to group members that should not have visibility into certain content, or to be copied into third-party apps. In addition, many of these ad-hoc file-sharing solutions offer no active user authentication, encryption or audit controls.
In some cases, group participants will send the document or give sharing rights to a “friend” who could be a journalist, business rival or disgruntled ex-employee. Either through malice or accident, sensitive documents can be disseminated outside of the shared workspace. To make matters worse, many of these ad-hoc sharing solutions may reside within a different legal jurisdiction from the company or users, such as a European organisation sharing files from a US-based service.
The disclosure of sensitive files, lack of audit control and legal jurisdiction issues may well trigger a compliance breach, calling down the wrath of the regulator. The result could be a company-wide audit, fines or criminal litigation. Worse, it is almost impossible to track down those at fault, because there is often no proper audit trail within many of these ad-hoc sharing services.
Through conversations with enterprise customers, I know that the situation outlined above has happened more frequently than most companies would care to admit. The reality is that consumer-grade file sharing and collaboration services were never designed for true enterprise usage. The ease of deployment and use is great for personal content but they can quickly become a liability for enterprise content, while IT and compliance officers remain in the dark.
IT departments have responded in part by using next-generation firewall technology. However, it’s sometimes hard to spot all new file-sharing variants. In addition, when the employees using these types of solutions are the CEO or other executives, it takes a brave junior administrator to ban unsafe file sharing, even though it can put the company at risk of regulatory reprisal or potential security breaches.
Instead of ignoring the issue at hand, IT departments, compliance officers and senior managers should accept that employees need a way to securely share files and collaborate, and look for a solution to implement. Although there are a plethora of competing products, a simple checklist will help sort out the products that are up to the task and those which fall short.
- What types of data are employees sharing? If this material is sensitive or likely at some point in the future to include sensitive details, then there is a need for encryption both at rest and in transit.
- Are the files likely to have multiple editors using different devices? If so, then version control and backup must also be in serious consideration by the IT department.
- Where is data going to be stored? If this information must remain within a particular region, then using an off-site public cloud will be a problem. If a vendor cannot guarantee where all data will be stored, then an on-premise solution will be a better fit, especially in highly regulated industries.
- Who is part of this collaborative group and how do you authenticate each user? A true enterprise-ready solution will require that the collaboration space be under the control of the company and not individual users. For flexibility, the IT department can defer creation and management down to users but it’s essential that the workspace be driven by an enforceable policy. This way there will be a method to remove user access when the project ends or if members are no longer with the company or partner community.
These four questions should be the answered before selecting a file sharing or collaboration solution. In addition, the solution should also have the ability to define and manage policy as part of the wider corporate IT environment. Any true enterprise file sharing and collaboration system should be able to work with common user authentication systems such as Active Directory and Enterprise Content Management (ECM) systems such as Sharepoint. If the worst-case scenario does occur and sensitive data leaks to those outside the company, then failure to take even these basic steps could well be considered corporate negligence.