Questions About File Sharing App Security
The settings that often work behind the scenes of file-sharing apps may create risk issues. For example, the ShareFile setting in the question above allows recipients to open the email as long as they enter an email address that includes the @ sign and any characters for the first and last name box. If our institution allows users to choose this setting (or IT defaults to it), is the content secure?
If the file gets “grabbed” in transit by bad actors, can they not open the attachment as if it were attached? Sure, they have to fake an email and first/last name, and yes, it sends an email to the sender saying John Doe at daffy@fgx.com opened the ShareFile. By then, the bad actor has the info, right?
Answer:
ShareFile, like any file-sharing platform, comes with risks. We always recommend that a formal, written pre-implementation risk assessment be conducted on the vendor and the specific product/service when considering any new third-party software program. This way the inherent risks of the program/service/platform can be considered for mitigation or acceptance prior to implementation. This effort is especially important when considering new engagements with Cloud-based service providers.
Considerations to include in your pre-implementation risk assessment process for a new product/service include:
- A complete understanding of the flow of your data when the software is used, including the points of vulnerability and the control features built into the platform. This should include how the platform’s encryption works (encryption in transit may add a layer of protection beyond what the email itself provides).
- A complete understanding of the security vulnerabilities created by mismanaging software security patches, and of the best practices that mitigate those risks.
- A complete understanding of the impact of human error, such as misconfiguring access permissions or accidentally sharing sensitive files, which can lead to data breaches or exposure.
The results of this pre-implementation risk assessment process will provide factual data that stakeholders (including senior leadership) can use to make informed decisions for ethical use of any new software services.
Note: For Safe Systems, Inc. Information Security Program customers, see the Policy Manager application: APPENDIX B – Third-party Management Policy (Cloud Based Services), and the Strategic Roadmap and Initiatives Risk Assessment.
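An added example (not ShareFile’s code and not part of the original Q&A) that models, in Python, the recipient check the question describes against a hardened alternative: the weak setting releases the file to anyone who types a first and last name plus any string containing “@”, and only then notifies the owner; the hardened link is bound to one recipient address and requires a single-use code delivered to that mailbox. The class names, the in-memory outbox and all addresses are constructed for the example.

```python
"""Model of a file-share link's recipient check (constructed example)."""
import hmac
import secrets
from typing import Dict, List, Optional

# Simulated outbound mail: address -> messages delivered (constructed, in-memory).
OUTBOX: Dict[str, List[str]] = {}

def send_mail(to: str, body: str) -> None:
    OUTBOX.setdefault(to, []).append(body)

class WeakShareLink:
    """Weak setting: anyone holding the link gets the file after typing a name
    and any string that looks like an email. The owner is told only afterwards,
    so the notification is an audit record, not an access control."""
    def __init__(self, owner: str, file_name: str) -> None:
        self.owner, self.file_name = owner, file_name

    def open(self, first: str, last: str, email: str) -> bool:
        if "@" not in email or not first or not last:
            return False
        send_mail(self.owner, f"{first} {last} at {email} opened {self.file_name}")
        return True  # file released before anyone verified the claimant

class VerifiedShareLink:
    """Hardened design: the link is bound to one recipient address and the
    claimant must present a single-use code sent to that address, proving
    control of the mailbox rather than mere possession of the link."""
    def __init__(self, owner: str, file_name: str, recipient: str) -> None:
        self.owner, self.file_name, self.recipient = owner, file_name, recipient
        self._code: Optional[str] = None

    def request_code(self, email: str) -> None:
        # Silently ignore other addresses: do not reveal who the recipient is.
        if email.lower() == self.recipient.lower():
            self._code = secrets.token_hex(4)
            send_mail(self.recipient, f"Your code: {self._code}")

    def open(self, email: str, code: str) -> bool:
        ok = (self._code is not None
              and email.lower() == self.recipient.lower()
              and hmac.compare_digest(self._code, code))
        self._code = None  # single use; a failed attempt also burns the code
        if ok:
            send_mail(self.owner, f"{email} opened {self.file_name}")
        return ok
```

The owner notification is sent in both designs, but only the verified link withholds the file until the claimant has proven control of the intended mailbox.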