File Transfers Can Be The Weakest Link

Sending files used to be easy: you attached them to an email. But files have grown, anything over about 20 MB is likely to be rejected by a mail server, and so people have moved to web-based sharing platforms. These are often more complicated to use, and most are not wholly secure.

Uploaded files end up on servers anywhere in the world, reachable by anyone who obtains the link. They are regularly uploaded and then forgotten, left dormant on a server the sender no longer thinks about. File transfers need to be easy, quick and, most of all, safe.

The challenge today is getting back to the simplicity of transferring files by email, but doing that safely takes more than a traditional email gateway to protect businesses and their people from malicious actors.

As email threats evolve and multiply worldwide, demand for email security protection increases. Common email threats include phishing, business email compromise (BEC) and malware, with phishing by far the most commonly reported attack type (identified in 84% of breaches in one widely cited survey). Because human error or inaction lies at the heart of most breaches, a clear understanding of how people actually behave is the key consideration in protecting companies and employees from attacks. CTOs should look for tools that fit the needs of their businesses and employees, rather than buying 'off the peg'.

File-sharing phishing attacks have skyrocketed over the last year. They exploit the most widely used webmail and sharing platforms, and because those platforms carry recognisable brand names, messages that mention them are not always treated as threats. Threat actors use popular file-hosting or e-signature services as a disguise to manipulate their targets into revealing private information or downloading malware. In a typical file-sharing phishing attack, the criminal poses as a known colleague and uses a familiar file-hosting service to send the target an email containing a link to what appears to be a shared file or document. Clicking the link can lead to the device being infected with malware or to the target's login credentials being stolen on a look-alike sign-in page.

Another common risk with file transfers is that the data being transferred is often highly confidential. Examples include sending briefing notes and slides about a new product or corporate services launch to an external agency partner or client, or sending files containing customers' addresses and credit card details. Popular file transfer services often offer weak protection by default, typically a link that anyone who holds it can open, and users often forget to delete files after sending them. Leaving those files on the internet makes them easier to find and steal, and it is often the larger files, the ones most likely to contain sensitive information, that pose the greatest risk.

One landmark breach, a decade ago, was the huge data leak from Sony Pictures. The attack not only led to the leaking of unreleased films and confidential data but also highlighted the serious consequences of inadequate cybersecurity for corporations and governments alike. The attackers claimed to have taken more than 100 terabytes of data on the company's confidential activities, and estimates of the cost to Sony ran well over $100 million. The phishers posed as colleagues of the top-level employees who opened the malicious attachments, and researchers later reported that fake Apple ID verification emails were used to obtain credentials in the early stages of the attack.

Security has moved on significantly since then but is ever-changing as businesses continue to respond to new threats.

To meet the highest security requirements today, businesses should look for file-level password protection, a defined retention period and one-time retrieval. Any file not retrieved within the retention period should be deleted and the sender notified, so that the sender knows exactly where the file is at any point.
As the law changes to protect consumers, businesses must also be mindful of legal requirements such as GDPR when sending confidential data.
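One way to implement the retention and one-time-retrieval controls described above, as an added example in Python that is not code from the article or from Liverton Security. It assumes an in-memory store and a caller-supplied clock (`now`) so that expiry can be exercised deterministically; the sender, recipient and file contents in the demo are constructed. Encrypting the stored payload to the recipient's certificate is assumed to be handled by a separate PKI layer and is not shown.

```python
"""One-time-retrieval file drop with a retention period (added example).

Models the controls recommended in the text: an unguessable, recipient-bound
download token; a single release of the file; a retention deadline after which
unretrieved files are purged; and a notification to the sender when that
happens. Encrypting the payload to the recipient's certificate is assumed to
be done elsewhere and is not shown.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


class RetrievalError(Exception):
    """Token unknown, expired, already used, or issued to someone else."""


@dataclass
class StoredFile:
    sender: str
    recipient: str
    name: str
    data: Optional[bytes]          # None once released or purged
    sha256: str                    # digest taken at upload, re-checked at release
    expires_at: float
    retrieved_at: Optional[float] = None


class FileDrop:
    def __init__(self) -> None:
        # Records are keyed by a hash of the token, so a dump of this table
        # does not hand an attacker working download links.
        self._files: Dict[str, StoredFile] = {}
        self.notifications: List[str] = []

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def upload(self, sender: str, recipient: str, name: str, data: bytes,
               retention_seconds: float, now: Optional[float] = None) -> str:
        """Store a file for one named recipient and return the download token."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)       # 256 bits of randomness
        self._files[self._key(token)] = StoredFile(
            sender=sender, recipient=recipient, name=name, data=data,
            sha256=hashlib.sha256(data).hexdigest(),
            expires_at=now + retention_seconds,
        )
        return token

    def retrieve(self, token: str, recipient: str,
                 now: Optional[float] = None) -> bytes:
        """Release the file exactly once, to the intended recipient, in time."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._files.get(key)
        if rec is None:
            raise RetrievalError("unknown token")
        if rec.recipient != recipient:
            raise RetrievalError("token is not for this recipient")
        if rec.data is None:
            raise RetrievalError("file already retrieved")
        if now > rec.expires_at:
            self._purge(key, rec)
            raise RetrievalError("retention period elapsed")
        if hashlib.sha256(rec.data).hexdigest() != rec.sha256:
            raise RetrievalError("stored file failed integrity check")
        data, rec.data, rec.retrieved_at = rec.data, None, now
        return data

    def status(self, token: str, now: Optional[float] = None) -> str:
        """Let the sender see where the file stands at any point."""
        now = time.time() if now is None else now
        rec = self._files.get(self._key(token))
        if rec is None:
            return "purged"
        if rec.retrieved_at is not None:
            return "retrieved"
        return "expired" if now > rec.expires_at else "pending"

    def sweep(self, now: Optional[float] = None) -> int:
        """Delete every unretrieved file past its deadline; return the count."""
        now = time.time() if now is None else now
        purged = 0
        for key, rec in list(self._files.items()):
            if rec.data is not None and now > rec.expires_at:
                self._purge(key, rec)
                purged += 1
        return purged

    def _purge(self, key: str, rec: StoredFile) -> None:
        rec.data = None
        del self._files[key]
        self.notifications.append(
            f"to {rec.sender}: '{rec.name}' for {rec.recipient} was not "
            f"retrieved within the retention period and has been deleted")


def attempt(drop: FileDrop, token: str, recipient: str, now: float):
    """Return the released bytes, or the refusal reason as a string."""
    try:
        return drop.retrieve(token, recipient, now=now)
    except RetrievalError as exc:
        return str(exc)


if __name__ == "__main__":
    drop = FileDrop()
    t0 = 1_700_000_000.0                       # constructed clock value
    tok = drop.upload("alice", "bob", "launch-deck.pdf", b"constructed slides",
                      retention_seconds=7 * 24 * 3600, now=t0)
    print(attempt(drop, tok, "mallory", t0 + 60))   # refused: wrong recipient
    print(attempt(drop, tok, "bob", t0 + 120))      # released once
    print(attempt(drop, tok, "bob", t0 + 180))      # refused: already used
    drop.upload("alice", "carol", "customers.csv", b"constructed data",
                retention_seconds=3600, now=t0)
    print(drop.sweep(now=t0 + 2 * 3600), drop.notifications)
```

The token is the only secret a recipient needs, so it is generated with `secrets` and never stored in clear; the recipient check stops a forwarded or intercepted link from working for anyone else, and the sweep is what turns the retention policy into actual deletion rather than a setting that is never enforced.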

All businesses from corporates to micro businesses have a responsibility to protect sensitive data and use a file transfer system that allows them to do that; a system where files are encrypted in transit and transferred to selected recipients.

To address this, businesses should use Public Key Infrastructure (PKI) certificates and ensure files are removed from the system once the recipient has retrieved them. PKI uses asymmetric encryption: a file encrypted to the recipient's certificate can only be opened by the holder of the matching private key, and a signature made with the sender's private key lets the recipient verify who sent the file and that it was not altered on the way. In essence, it ensures that data and files are received only by the right person while keeping them encrypted in transit.

Whatever the size of the company, organisations must adopt a holistic approach to mitigate the risks posed in email cybersecurity, starting with enhanced internal employee training programmes that emphasise real-world scenarios, such as identifying phishing attempts or responding to suspicious emails. Regular updates are crucial as threats evolve, as is creating a culture of vigilance.

Businesses that want to remain cyber safe in 2025 need to think about investment in advanced email security tools that use AI to detect and block sophisticated threats.

These systems should complement, not replace, human awareness and judgment. Regular phishing simulations and penetration tests are still needed to find weaknesses and improve response strategies.

Richard Bourne is CEO of Liverton Security

Image: Ideogram
