Not long after news of the MOVEit exploit broke, I wrote a blog post to help shine some light on what an organization can do to make sure its deployment of managed file transfer software is not subject to the same vulnerability that affected MOVEit and, a few months earlier, GoAnywhere. That vulnerability was associated with an internet-facing administration dashboard deployed outside the firewall—something that should not be done, even if it is more convenient for users. Commercial and public enterprises around the world were hit when the vulnerability was exploited by the Cl0p ransomware gang.
The blog post, Seven Best Practices to Ensure File Transfer Security, was meant to offer insights to clear up misconceptions, reassure MFT users (not just our Diplomat MFT customers) of their own situations, and provide a simple plan to double-check that their software wasn’t similarly exposed and at risk. Good answers can often be hard to come by when cybersecurity is involved. So-called experts are quick to offer theories and opinions with no specific information.
A Trusted Perspective
To be clear, there are aspects of the recent breaches that are unknown, and so the intent isn’t to add to the noise surrounding those breaches. But with more than twenty years in the MFT business I’ve got a pretty good idea of what’s happening based on what has been disclosed in these instances. And we’ve got a good track record of performance with our customers, which translates to trust in our perspective. If we can anticipate and answer questions and keep people from overreacting (or under-reacting!), we should. And because everyone’s situation is a bit different, it’s hard to think of every scenario, but at least we can offer a place to start.
That became clear to me when a customer reached out after seeing the best practices post. This person works for a large, prestigious East Coast hospital, and while his organization was not directly affected by the recent breaches, he wanted to know what its level of exposure would be if any of its partners, vendors, or other organizations use either product. In other words, although his organization uses Diplomat MFT for its automated file transfers, what if one of the organizations it does business with uses one of the other products?
My first thought was, “What an insightful and interesting question!” (My second thought was, “I wish I had included that in the blog post!”)
The World Still Runs on Files
File transfer is usually not a one-direction affair, and while the brands affected by attacks targeting those other MFT products are the ones in the spotlight once they disclose the event, the compromised data may not be their own. That’s because data flows through a complex web of customers, suppliers, government agencies, contractors and consultants, service providers, and so on. Around here we like to say that “the world still runs on files,” and because an organization often has a wide range of data in its care, including files it has received from other organizations in its network, there’s a good chance that those other organizations were affected too.
So how does any one company protect the data that they, in turn, transfer to others?
Be a Good Partner and Data Steward
To be a good data steward, it is imperative that you mandate strong security from all trading partners with whom you exchange data. Do your due diligence before engaging with any organization that you have to share data with and understand:
- What information security and access management controls are in place?
- Do they perform regular penetration tests, attack simulations, and security audits?
- Do they have a written information security program (WISP) and have you reviewed it?
- Does their WISP include an incident response plan, including partner notifications?
- Do you have documented requirements for their minimum cybersecurity standards?
- Can they provide documentation proving cyber incident insurance coverage?
- Can they furnish ISO 27001 and/or SOC 2 certifications as part of your on-boarding process?
And don’t overlook the importance of having a process for secure off-boarding when a partnership or customer relationship ends. That includes disengaging all associated data connections, revoking all permissions, and deleting all files that are no longer relevant in accordance with associated regulations.
Trust, But Verify
Because the world still runs on files—files that are exchanged between many different organizations—be sure that the data you are managing flows only to those trading partners that are up to the task. All too often we think only of our own information security, but it is vital to remember that, in any exchange of information, all participants must be good stewards of the data that is shared, or everyone in the chain of custody is at risk. That is why it is imperative that we only exchange data with trustworthy organizations using products and processes that are secure by design.
And never assume that everyone else is as careful with their data as you are. To borrow a phrase from the Cold War: Trust, but verify.
If you are looking for a managed file transfer solution, why not give award-winning Diplomat MFT a try? You can download a free 15-day trial to see for yourself how easy it is to adopt and use secure-by-design MFT software. And if you have any questions you’ll even get to experience our industry-best customer support.