File sharing is a critical everyday practice across the enterprise. The wide-scale adoption of IM and collaboration tools, as well as cloud-based file-sharing sites, has made the process of sharing data easier -- but also less secure -- than ever. Compounding the security issue is BYOD, remote workers and work-from-anywhere employees.
Organizations must prioritize secure file transfers, as company files often contain sensitive, proprietary and classified information. Beyond standard security hygiene best practices of securing remote access, using strong passwords and multifactor authentication, and encrypting files, the market is full of enterprise-grade tools and products that help enterprises share files both internally and with third parties, such as partners and customers.
No matter the tools, however, organizations should follow these best practices to ensure secure file transfers.
1. Train and retrain employees
It has never been more important for organizations to train their employees about secure file transfers -- especially with the advent of the cloud. New, easy-to-use apps enable employees to quickly share information with colleagues and third parties. While these apps are convenient and easy to use, employees should remain cautious about using them to share files.
Regular trainings can help employees learn about potential security risks associated with file transfers. These programs don't need to be boring or long. Interactive apps and gamification can make security awareness training competitive and fun.
2. Integrate file-sharing controls with collaboration apps
Collaboration apps, such as Slack or Teams, enable employees to share files with the click of a button. These apps are largely developed with collaboration and efficiency in mind, and they can quickly become a security nightmare if left unmanaged. A data breach or malware attack, for example, could cause reputational and financial damages to an organization.
Security teams can reduce the risks associated with collaboration apps by implementing controls that prevent users from performing risky behaviors. For instance, enterprise-grade Slack enables enterprise admins to restrict file uploads.
3. Audit and act
Conduct audits on cloud storage and endpoint devices, especially following a security event or alert. An unauthorized user attempting to access a file or an employee accessing a file at an unusual time is an early indicator of a problem. Once security teams detect unusual behaviors, they can take preventive measures, such as revoking permissions or encrypting files.
4. Limit who can access what
Set controls to limit who can access which files. Not all employees require the same levels of access to all files. Access can be limited by group, role or individual. Restrict access based on the principle of least privilege -- only allowing users to access what is necessary for their job. Actions users can take on files can also be limited, such as who can read, write, edit or delete data. Also, regularly review and update users' access privileges.
5. Set expiration dates for files
Beyond access controls, some products enable organizations to add expiration dates to files. Google, for example, has an expiration feature for Google Drive, Docs, Slides and Sheets. Security teams can then limit employee and third-party file access based on the duration of a given project or engagement.
6. Limit physical sharing of files
Limit or ban the use of physical storage devices, including USBs, external hard drives and CDs. While the cloud has limited reliance on these devices, they are still in use -- and still a source of data leaks and attacks.
Security teams can prohibit employees using company-managed devices from transferring files to external storage devices. It's more difficult to enforce these policies with BYOD, however. In this case, employee training is key to help reduce risks.
In the event file sharing via a physical storage device is the only option a user has, they should encrypt the drive and/or files before sharing them.