Intrigue and Espionage May not Come to Mind when You Think of MFT—But it Should
By Gregory Hoffer, CEO, Coviant Software
When you think about secure, managed file transfer (you do think about that, right?), it’s not likely that the topic of international intrigue and espionage comes to mind. Yet, according to the Wall Street Journal, that’s precisely what you should be thinking about.
In a March 10, 2021 article entitled “Solving Data-Transfer Impasse May Require Diplomatic Agreements on Espionage,” the Journal reported that a key element for compliance with the European Union’s stringent privacy and data security requirements is navigating the complex regulations involved in cross-border data transfers.
“Companies that conduct trans-Atlantic business have been left scrambling to ensure that they are able to transfer data across borders since a July ruling from the European Court of Justice struck down an existing legal arrangement known as the Privacy Shield.
“The EU’s top court said U.S. laws on government surveillance endanger the personal data privacy that European citizens won under the 2018 General Data Protection Regulation [GDPR].”
The message from Europe is clear: cross-border data transfers are serious business. Whatever agreement is eventually struck between the U.S. and the EU, authorities across the Atlantic will not tolerate organizations that take a lax view of the process. Violations, whether due to a disregard for the law or simple carelessness, will be punished. Having a secure, reliable way to handle these routine but extremely sensitive transfers is of vital and growing importance.
Managed file transfer is a proven, mature technology that is simple to use, and that tackles a lot of the processes that make manual data transfers inherently risky. First among the key pieces that make secure, managed file transfer an essential part of a data protection strategy is that transfers are encrypted, so data in transit is protected. Second, because routine and regular transfers are automated, the likelihood of error is minimized. Finally, because a record is made of all transactions, the critical element of auditability is built in. What’s more, most MFT platforms integrate easily into whatever other systems are in use for processing, storing, and moving data, whether on-premises, in the cloud, or hybrid.
These features are important for maintaining compliance with the EU’s General Data Protection Regulation (GDPR) and other regulations and data management standards like the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLBA), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), Mass 201 CMR 17, and the Cross Border Privacy Rules (CBPR) provisions within the United States-Mexico-Canada Agreement (USMCA) and the Asia-Pacific Economic Cooperation (APEC) forum.
But this is not another article on the importance of regulatory compliance and avoiding the big fines that are levied on organizations that fail to follow the rules. It is about the simple, often overlooked processes that take the burden from data administrators, no matter what legal framework is in place. It is about the often overlooked—but vital—process of secure, managed file transfer (MFT).
These days there’s a great deal of attention being paid to security innovations involving cutting edge technology like artificial intelligence and machine learning, 5G connectivity, automation and orchestration, quantum computing, the cloud, and more. And while these are exciting advancements that help address some of the biggest threats faced by today’s enterprises, there’s still a lot of blocking-and-tackling that has to take place for a data security program to be effective.
Secure MFT is one of those foundational processes, and there’s a lot at stake. According to a 2017 report by the Commission on the Theft of American Intellectual Property, the annual cost to the U.S. economy resulting from the sale of pirated goods and software and the theft of intellectual property is as much as $600 billion, and IP theft alone may account for $540 billion of quantifiable loss. The actual figure is likely much higher.
The 2020 Congressional Research Service report Intellectual Property Rights and International Trade says the $540 billion “estimate does not include the costs of patent infringement and economic espionage because they are difficult to quantify.” The Wall Street Journal article contends that concerns over industrial espionage under existing U.S.-EU data transfer rules are a big part of what is driving change to the current data transfer agreements.
The integrity of high value data and the protection of intellectual property from the perpetrators of industrial espionage is a major concern for companies heavily invested in research and development. A 2019 survey conducted by CNBC found that, “One in five North American-based corporations on the CNBC Global CFO Council says Chinese companies have stolen their intellectual property within the last year. In all, 7 of the 23 companies surveyed say that Chinese firms have stolen from them over the past decade.”
CSO Magazine offers ten steps to protect your IP from theft and misuse. Turns out managed file transfer addresses a number of their recommendations.
- Know what intellectual property you’ve got
It’s important to identify the types of IP your company has. This goes beyond technical plans and scientific formulae, but includes sales and marketing plans, corporate financial records, and even human resources files.
- Know where your intellectual property is
CSO points out that the care of IP is often overlooked in “areas where it might be stored or processed,” including “cloud applications and file-sharing services, [and] third-party systems… Make sure your contracts with those parties define how those third parties must secure your IP and have controls in place to ensure those terms are followed.” That is a sweet spot for MFT.
- Prioritize your intellectual property
By identifying what IP you have and where it is, CSO says you can “consider which of those assets are most at risk of being stolen [and] figure out where to best spend your protective efforts (and money).”
- Label valuable intellectual property
According to CSO, identification of IP not only raises awareness of its security among employees but makes it easier to prosecute offenders who may obtain and misuse it.
- Secure your intellectual property both physically and digitally
“Physical and digital protection is a must,” CSO says. Secure areas where IP is kept, including limiting access to digital IP through passwords and access controls.
- Educate employees about intellectual property
“Awareness training can be effective for plugging and preventing IP leaks, but only if it’s targeted to the information that a specific group of employees needs to guard,” says CSO. “IP protection effort that counts on firewalls and copyrights, but doesn’t also focus on employee awareness and training, is doomed to fail.”
- Know your tools to protect intellectual property
CSO says that a “growing variety of software tools are available for tracking documents and other IP stores.”
“Encrypting IP in some cases will also reduce risk of loss. The Egress survey data shows that only 21 percent of companies require encryption when sharing sensitive data externally, and only 36 percent require it internally.” Secure, managed file transfer (MFT) that automatically encrypts data can close that gap.
- Take a big picture view
Knowing who has access to sensitive data and how they use it can help determine if their habits fit their authorization and user profiles. The auditability that MFT makes possible can help identify misuse while protecting those whose use conforms with policy.
- Apply a counter-intelligence mindset
Look for the gaps in your data handling and transfer processes and close them.
- Think globally
It’s important to know where your data is headed and what the risks are in different geographies. According to CSO, “France, China, Latin America and the former Soviet Union states have all developed reputations as places where industrial espionage is widely accepted, even encouraged.” And, according to Transparency International’s 2016 Corruption Perceptions Index, Somalia, South Sudan, North Korea, Syria, Yemen, Sudan, Libya, Afghanistan, Guinea-Bissau, Venezuela, Iraq, and Eritrea are “perceived as most corrupt.”
Secure managed file transfer may not seem sexy when compared to the latest in cybersecurity innovation, but it works. And when the world’s foremost experts on data transfer press their case before the European Court of Justice, maybe it’s time to take a second look at MFT. What’s old is new again, and as with all things fashionable, the classics never go out of style.
About the Author
Gregory Hoffer is CEO of Coviant Software, maker of the secure, managed file transfer platform Diplomat MFT. Greg’s career spans two decades of successful organizational leadership and award-winning product development. He was instrumental in establishing ground-breaking technology partnerships that helped accomplish Federal Information Processing Standards (FIPS), the DMZ Gateway, OpenPGP, and other features essential for protecting large files and data in transit.