Not long ago I wrote an essay for Cyber Defense Magazine entitled “Complexity is Still the Enemy of Security” in which I argued that even software products built and tested to be secure make enterprises less secure when they are difficult to use. That is because:
“Even if created using the security by design approach, and tested to assure an absence of known vulnerabilities, when technology is difficult to use it can cause people to avoid using the product and instead find unsecure workarounds, thereby creating more security issues for the organization.”
I stand by that position. But recent events in the managed file transfer space demand a reiteration of what should be obvious: convenience is never more important than security.
Making it Easy for Threat Actors
Attacks on enterprises using two different managed file transfer products targeted a common vector: an internet-facing, browser-based user interface. Internet-facing, browser-based interfaces make it super convenient for users, customers, and partners to access and transfer files, but they are also notoriously difficult to secure. Why even offer a product designed to make it convenient to access and transfer sensitive, business-critical data if you are also going to make it convenient for threat actors to compromise it? Too often it seems IT departments gravitate toward browser-based file transfer systems under the assumption that end users don’t know how to, or are unwilling to learn how to, use something “scary” like SFTP. We have found that this is absolutely not the case. For ad-hoc or intermittent transfers, there are excellent (and free) SFTP clients that can be used just as easily as a browser (and with far fewer risks). Regularly occurring file exchanges should be automated anyway, so an easy-to-use automation tool like Diplomat MFT fits the bill nicely, while minimizing the chance of human error.
It is hard to design software products that are bulletproof. And even the best vendors using the best methods to design secure products often have to issue patches for vulnerabilities discovered long after introduction. Technologies operate in fast-moving, complex, and interconnected environments, and there are many bad actors out there motivated by greed and ideology to find ingenious ways to crack them to get inside organizations to disrupt operations, steal data, and blackmail them with what they’ve stolen. Knowing that, it makes no sense to give the bad guys an advantage.
Don’t Tolerate Poor Security from Vendors
We need to stop making assumptions that end users are unwilling or unable to use SFTP software, and the recent spate of MFT breaches illustrates this point clearly. Now enterprises around the world are in damage control mode because of it. The technology trade journal TechCrunch reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed twelve different federal agencies have active contracts with one of the MFT vendors, and multiple agencies were affected. TechCrunch confirmed that organizations within the Department of Energy were among those breached. Organizations in other countries that were breached include the BBC, British Airways, the Canadian Province of Nova Scotia, Genworth Financial, PricewaterhouseCoopers, Ernst & Young, and more than 100 others.
Why do we tolerate it when technology vendors sacrifice security on the altar of convenience? Annual wellness checkups are not convenient (and are sometimes unpleasant), but they keep us healthy. If vendors sacrifice security to make their products more appealing by touting “ease of use,” that’s deceptive. My essay says that software that is difficult to use incentivizes users to find shortcuts and workarounds that put data at risk. The answer isn’t to design those risky workarounds into the product, but to design ways to make a product easy to use while still prioritizing security.
Simple Doesn’t Have to be Unsecure
At Coviant Software, we have intentionally avoided internet-facing dashboards and interfaces, and instead focus on enabling secure file transfers by automating file encryption using OpenPGP, supporting encrypted transport protocols like SFTP, and restricting user access by requiring multifactor authentication for employees with a need to know. Maybe that makes Diplomat MFT a little less convenient (although our customers don’t think so), but it also eliminates a major security gap. And we don’t apologize for it. In fact, if the vendors, customers, and partners that exchange data with you need help, we’re more than happy to work with our customers to show them how easy it is. And to make it even easier to keep your data transfers secure, we offer Diplomat MFT in three right-sized editions for organizations with every range of data transfer needs, and at an ethical price point that is not prohibitive.
Let’s stop using “convenience” as an excuse for bad data security. The only thing that should be convenient about managed file transfer is the ability to download a free trial version of Diplomat MFT so you can see for yourself how easy it is.