The risk of a data breach can be lowered by following file transfer best practices. This article explores 12 best practices for file transfer to inform businesses and executives.
Some file transfer practices can be applied to file sharing too. Hence, we first distinguish file transfer from file sharing:
Figure 1. Potential short and long term costs of cyber attacks.
File transfer vs. file sharing
File transfer and file sharing are related concepts, but they refer to slightly different applications.
Secure file transfer
File transfer sends files from one system or network to another. In secure file transfer, this is usually done by encrypting the data while it is being sent over secure protocols like SFTP, HTTPS, or VPN. It can also include other features like file compression, archiving, and automated workflows. Secure file transfer solutions let organizations send large amounts of sensitive data, like financial transactions or medical records, in a safe way.
Secure file sharing
File sharing, on the other hand, refers to sharing files over a network. One example is sharing files via cloud-based services such as Dropbox or Google Drive, as well as peer-to-peer (P2P) file-sharing software like eMule. Secure file-sharing solutions also include encryption, password protection, and access controls to ensure authorized personnel can see the files.
12 File transfer best practices
1. Verify recipients’ authenticity before sending information
Ensure that recipients are authorized. Confirm the recipient’s identity via
- phone: Call the recipient or send them a message.
- in person
2. Test file transfers
Send a test file. Picking an example from the file and sending it to the recipient can help them verify that your file transfer is received and readable.
3. Keep software and systems up to date
Keep all software and systems for file transfers up to date with the latest security patches. This helps protect your system against known vulnerabilities like publicly disclosed security bugs.
4. Implement a disaster recovery plan
A disaster recovery plan can ensure that files can be recovered during a disaster or system failure. This includes keeping a copy of the transferred files. Thus, in the case of unsuccessful transfers or any miscommunication with the recipient, it is ensured that the files are kept safe.
5. Control file access
File transfer includes data security. Use access restrictions to transmit files. You can follow file transfer best practices by setting up:
- Username and password authentication: This is the most basic type of authentication. It requires users to log in with a password to access the files successfully.
- Two-factor authentication: In addition to login with a password, two-factor authentication adds an extra layer of protection. Two-factor authentication requires users to fill out a second verification form through a phone code delivered.
- Multi-factor authentication: For enhanced security, multi-factor authentication requires a password and biometric information such as fingerprint or facial recognition.
- Permission-based access controls: This method assigns users permission to view, read, or edit files. Content services platforms (CSP) can provide businesses permission-based access controls.
Video 1. Permission-based access controls by a CSP.
- Role-based access controls: This assigns access to user accounts based on their roles in an organization. For example, these controls can be used in some companies where the HR executive can access personnel records, but marketing staff cannot. CSPs can provide role-based access controls too.
- Location-based access controls: This limits access to the files based on the user’s location using their IP addresses or geolocation.
- Time-based access controls: This block accesses the files for a time range. It can be used in companies where file access is limited to working hours.
6. Encrypt before transferring
Knowing about encryption types can be useful if you plan to use a tool for encryption services:
- Symmetric encryption: The common encryption method. It uses the same key for encryption and decoding. The sender and the recipient use the same key for encryption and decryption. For example, advanced encryption standards (AES) and data encryption standards (DES) are symmetric algorithms.
- Asymmetric encryption: This approach employs two keys, one for encryption and the other for decryption (Figure 2). This is sometimes referred to as public-key encryption. RSA (Ron Rivest, Adi Shamir, and Leonard Adleman) and Elliptic Curve Cryptography (ECC) are two asymmetric encryption examples.
- File-level encryption: This approach encrypts individual files or directories to prevent unauthorized access. This can be possible via CSPs.
Figure 2. Asymmetric encryption.3
7. Use a secure file transfer protocol and network protection
Use secure file transfer protocols and network protection to encrypt data during the transfer, making it unreadable to unauthorized parties. There are many types of these protocols and network protection, and they are often confused. Here are some protocols:
- AS2 (Applicability Statement 2): AS2 is a secure internet file transfer protocol extensively used for B2B (business-to-business) transactions.
- Firewall as a service: Firewalls can protect private networks from untrustworthy public networks by detecting and monitoring unwanted access. Controlling network access using a firewall can protect file transfers. Rules can prohibit all incoming traffic except for file transfer ports.
- FTPS (File Transfer Protocol Secure): FTPS is an extension of the conventional FTP protocol. It encrypts data during transfer and uses SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols to establish a secure connection.
- HTTPS (Hypertext Transfer Protocol Secure): HTTPS is a secure version of HTTP (Hyper Text Transfer Protocol) that encrypts data while it is transmitted. HTTPS establishes a secure connection using the SSL or TLS protocols and encrypts the transferred data. For example, when you visit an HTTPS-enabled website, your browser establishes a secure connection with the web server. All data transmitted between your browser and the server is encrypted.
- Secure access service edge (SASE): SASE provides unified network and security access services. It lets employees operate from anywhere on any device with the same security as if they were in a corporate office with corporate gadgets.
Figure 3. Components of SASE.
- SCP (Secure Copy Protocol): SCP encrypts data during transfer and establishes a secure connection using SSH.
- SFTP (Secure File Transfer Protocol): SFTP is a secure version of FTP (File Transfer Protocol). SFTP is safer than FTP because it encrypts both the data and the control channel, which is used for authentication and command execution. SFTP uses the SSH (Secure Shell) protocol to connect securely and send files.
- Software-defined perimeter (SDP): SDP conceals web hardware from foreign agencies and hackers (DNS, networks, etc.). SDP is an improved VPN alternative that reduces traffic latency and addresses granular access concerns.
- TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer): TLS and SSL encrypt data during the file transfer. They are used for secure communication over the internet, for example, in e-mail, instant messaging, and voice over IP (VoIP).
- VPN (Virtual Private Network): VPN establishes a secure, encrypted link between two places and enables secure file transfers. By utilizing encryption and tunneling protocols, VPNs build a private network apart from the public network. VPNs establish a secure connection between two remote locations to enable secure file transfers.
- WebDAV (Web Distributed Authoring and Versioning): WebDAV encrypts data during transport and establishes a secure connection via HTTPS.
- Web proxies: Web proxies can safeguard clients and servers during file transfers. They can filter traffic, limit particular file types, and encrypt traffic to prevent eavesdropping and tampering.
- Zero trust architecture network (ZTNA): ZTNA is an IT security solution that uses zero-trust policies to secure remote access to an organization’s applications, data, and services. ZTNA secures mobile workers’ laptops like they are in corporate offices.
8. Train employees in cybersecurity awareness
- Pop-ups, unidentified emails, and links: Cyberattacks often involve phishing, where hacking occurs by clicking a link, pop-ups, or using official-looking emails to steal employee data. Phishing is the cause of ~15% of data breaches. On average, it imposes ~$5 million in damage in the U.S. Regular cybersecurity awareness training can help all employees spot phishing emails and fraudulent websites.
- Passwords: Fraudsters can hack passwords with your name or date of birth. A team member’s password should be 12 characters, including numbers, symbols, and upper- and lowercase letters.
- Wi-Fi security: Wireless sniffer software can access data and transactions when employees use unsecured public access points. Thus, employees working on sensitive data should not utilize public Wi-Fi.
9. Compress large files carefully before sending
Compressing files can:
- minimize file size and wait time.
- save money if you use a paid service to transfer files.
However, certain types of files should not be compressed to retain the integrity of the data and prevent unauthorized access. Files that should not be compressed can include:
- Backup files: Backup files are designed to be restored to their original condition, and compressing them can interfere with the restoration process.
- Confidential or sensitive files: Financial records, personal information, and intellectual property are all examples of data. These files should be encrypted and password-protected and not compressed unless necessary.
- Encrypted files: Compression can undermine encryption and expose data to attack. Before compressing the data, it should be encrypted.
Files that can be compressed include:
- Text files: Text documents, such as texts and scripts, can be compressed without losing critical information.
- Image files: Image files like JPEG and PNG can be compressed without sacrificing much visual quality.
- Audio and video files: Audio files can be compressed without sacrificing quality, although the compression rate can vary based on the codec.
10. Enforce compliance in file transfer
Governments and/or industry standards can impose some regulations on file transfers. By promoting compliance, organizations (especially in finance and healthcare) can ensure that they meet legal and regulatory requirements and protect sensitive data during file sharing and transfer. These can include regulations like:
- HIPAA (Health Insurance Portability and Accountability Act): This rule compels healthcare organizations to ensure the privacy and security of protected health information (PHI). PHI can only be shared with authorized parties, like the patient’s doctor, and must be protected during file sharing and transfer.
- PCI-DSS (Payment Card Industry Data Security Standard): This regulation demands businesses accept credit cards as a payment method to safeguard cardholder information. Organizations must ensure that cardholders’ data is not shared with unauthorized parties and is protected during the transfer process.
11. Audit and log file transfers
Auditing and keeping track of file transfers is important to manage and comply with regulations like HIPAA Privacy Rule. Following the practices below can help audit and log file transfers.
- Track and monitor file transfers: To follow the status of a transfer, use software or services such as workload automation tools and/or CSPs. This software can provide track and report information on file sharing and transfer, including:
- when the file is sent
- when the file is received
- if there are any troubles in the file transfer processes.
- Auditing and reporting: Use software or services like CSPs that provide auditing and reporting features to identify any problems or security breaches. Content services platforms can automatically scan and analyze the log files to detect any anomalies or suspicious activity.
- Keep a log of file transfers: Keep a log of all file transfers, including the information about:
- the sender
- the recipient
- the date of the transfer.
This information can be used for compliance, security, and auditing purposes.
- Use event logging: Event logging can be implemented in the file transfer program or service to record all operations, including:
12. Use managed file transfer solutions
Managed file transfer solutions (MFT) provide a centralized point of control and visibility for all file transfers. Managed file transfer tools are designed to safely move large amounts of data between multiple systems, applications, and networks while complying with industry standards. Workload automation tools can provide managed file transfer solutions. Here are some MFT benefits:
- Security: MFT solutions can provide extensive safety measures such as encryption, access limits, and monitoring.
- High speed: MFT software automates the file transfer process and removes the need for manual intervention.
- Compliance: MFT systems can assist firms in meeting compliance standards by incorporating auditing and reporting capabilities. They can also support industry-specific rules like HIPAA and PCI-DSS.
- Effective manageability: MFT solutions can provide real-time visibility into the status of file transfers, such as when files are transferred, when they are received, and whether or not there are any difficulties throughout the transfer.
- Scalability: MFT systems can handle massive amounts of data and are thus ideal for enterprises of any size.
- Integration: MFT software can be integrated with other systems and applications like enterprise resource management (ERP) systems, customer relationship management (CRM) systems, and cloud storage services.
Figure 4. A managed file transfer workflow architecture.4
If you have any questions related to file transfer best practices, don’t hesitate to contact us:
Cem has been the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per similarWeb) including 60% of Fortune 500 every month.
Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE, NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and media that referenced AIMultiple.
Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised businesses on their enterprise software, automation, cloud, AI / ML and other technology related decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.
He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.
Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.
To stay up-to-date on B2B tech & accelerate your enterprise:Follow on
Next to Read
Your email address will not be published. All fields are required.