Archive for the ‘P2P’ Category

Data Breach Disease Strikes NHS – Again

Tuesday, August 24th, 2010

Yet again, an NHS trust is hit by a data breach, as reported in SC magazine today.  This time a CD of patient data was found at a bus stop. This is not to be confused with the data breach from the USB stick containing medical records that was found in a UK car park.

It is barely a month since we blogged on this topic, NHS Trusts Failing to Protect Information, and the Information Commissioner’s Office (ICO) issued a press release with the ominous title Poor Data Security in the NHS.  Earlier in June, Mick Gorrill, head of enforcement at the ICO, said: “Everyone makes mistakes, but regrettably there are far too many within the NHS. Health bodies must implement the appropriate procedures when storing and transferring patients’ sensitive personal information. We have taken a number of steps to explain the importance of personal data to NHS bodies and help them comply with the law. We will continue to do so.”

Looks like Mike and the ICO have their work cut out for them. Here is a checklist of to-don’ts that the ICO might find helpful in their data protection enforcement efforts with the NHS trusts.

• Don’t use USB sticks for transferring confidential patient data
• Don’t use CDs for transferring confidential patient data
• Don’t post confidential patient data on unsecure FTP sites
• Don’t allow use of P2P file sharing on NHS computers

Also our earlier blog posting Top 3 File Transfer Security Mistakes should be required reading for all NHS trusts.

Posted in Accellion, Data Breach, Data Security, FTP, Healthcare, P2P, UK | No Comments »

Top 3 File Transfer Security Mistakes

Tuesday, March 9th, 2010

Thought it might be helpful to share our perspective on the Top 3 Security Mistakes related to File Transfer along with some tips on how to avoid them.  After all, staying out of trouble is half the battle.

Mistake #1  - Using P2P file sharing software at work.

Using P2P file sharing in the workplace is just not a good idea. Installing P2P file sharing on a work computer can get you into a heap of trouble by inadvertently exposing computer files externally. The FTC recently had to inform 100 organizations that personal customer and employee data was being shared on P2P networks.  Legislation is under review that would require stricter notifications on the security hazards of P2P file sharing.  The best advice here is to practice P2P workplace abstinence – don’t use P2P file sharing in the workplace.

Mistake #2 – Sending confidential information via an email attachment, USB stick or CD

Email attachments, USB sticks and CDs are not a secure means of file transfer. When sensitive information is sent unsecured then an organization is at risk for non-compliance with industry and government regulations including HIPAA, SOX, and GLBA.  Files containing confidential information need to be protected to avoid data breaches. USB sticks and CDs, can easily be misplaced or lost in transit as the UK Government discovered in 2009 when disks containing personal information on 25 million UK citizens went missing in the Royal Mail. Email attachments are not secure and do not provide the encryption required by HIPAA. If a file contains confidential information it needs to be sent via secure, encrypted channels.

Mistake #3 – Forgetting to cleanup files on un-secure FTP servers

Everyone knows that FTP is not the most user friendly business application, and cleaning up files previously uploaded to an FTP server probably ranks right up there in priority with cleaning out the lint from your trouser cuffs.  In the hands of business users, FTP servers become a security breach waiting to happen.  Files uploaded and left indefinitely on the FTP server, can result in many years worth of files sitting out on unsecured FTP servers.  Coupled with the commonplace sharing of FTP account names and passwords, FTP servers are often a weak link in an organization’s data security program.

The good news is that managed file transfer can keep you out of trouble in all these areas.

Posted in Accellion, Data Breach, Data Security, Email Attachments, FTP, P2P, UK | No Comments »

Email Attachments – Misconceptions Compromise Security

Wednesday, March 3rd, 2010

Are organizations aware of the security risks from email attachments? Generally not.

With email attachments typically accounting for more than 70% of e-mail volume, the bulk of data on email systems resides in the email attachments not email messages. Unfortunately in many organizations the management of email attachments is an afterthought leading to security vulnerabilities.

The disturbing reality is that users will try to force as much information through email as they can get away.  Without adequate security controls in place users commonly send confidential information unprotected through email attachments.  In cases where users hit email attachment size limits, they rapidly seek out unsecure IT workarounds such as thumb drives, CDs, P2P file sharing, just to get their job done.

So why the apparent lack of concern regarding the security of email attachments?  Here are just 3 of the common misconceptions:

•  Misconception #1: E-mail attachments are limited to 10MB; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #2: FTP is available; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #3: We haven’t experienced a security breach from unsecure file transfer, so the risk of a data breach from file transfer is minimal.

To learn how these common misconceptions compromise security read the full article published in Enterprise Systems this week.

Given the increased profile of data breaches and updated and extended compliance regulations such as HIPAA, now is not the time to ignore security vulnerabilities. Organizations, large and small, are waking up to the hazards of email attachments and are deploying managed file transfer solutions to protect confidential information and ensure compliance.

Give us a call if you would like to review the security of email attachments and investigate deployment of a managed file transfer solution to protect your organization.

Posted in Accellion, Data Breach, Data Security, Email Attachments, FTP, HIPAA, P2P | No Comments »

FTC Raises P2P File Sharing Alarm

Wednesday, February 24th, 2010

The Federal Trade Commission raised the P2P File Sharing Alarm this week by sending letters out to 100 organizations informing them that personal information on customers and employees was being shared via P2P networks.  The FTC news was widely reported this week including a comprehensive article in InfoWorld.

The FTC Peer-to-Peer File Sharing guidelines for businesses includes this advice “Any company that collects and stores sensitive information must consider the security implications of using P2P file sharing software and minimize the risks associated with it.”

This isn’t news to Accellion – we have been raising awareness of hazards of P2P file sharing for quite some time.  Many business users don’t realize that the same P2P software they use to freely exchange personal files may also be configured to access and share virtually all of the files that reside on their computer hard drive or network servers.  In a business environment this leaves organizations exposed to potential data breaches.

Here are a couple of recent Accellion articles on this topic:

•  Is P2P changing How You Prepare for a Security Audit? published in the SOX Compliance Journal
•  Secure File Transfer – P2P Alternatives – published in Enterprise Systems.

Concerns regarding data breaches from P2P file sharing have been brewing for a while.  Some of the more interesting P2P embarrassments from last year included, Rampant P2P Medical Data Leakage and Obama’s Helicopter Plans leaked over P2P.

In a nutshell, P2P file sharing creates security vulnerabilities for organizations and Accellion’s advice is that implementation of a secure file transfer solution will safeguard organizations and their users from the hazards of P2P files sharing.

If you are one of the organizations who received a letter this week from the FTC, or are worried you might be next on the list,please give us a call – we’re here to help.

Posted in Accellion, Data Breach, Data Security, P2P | No Comments »