A Quick Guide to Safely Transferring Files – Digitally
The safety of digital files in transit was recently thrown into the spotlight by the Accellion Breach. The breach compromised sensitive files from governments, banks, and large corporations around the world – including ASIC, the Reserve Bank of New Zealand, and Allens (who represent Westpac). Ransomware group Clop has threatened to make the sensitive data it gained in the breach public if companies don’t pay up.
As you can see – safely transferring files and, more specifically, the information of data subjects is a big issue. The consequences of malicious actors intercepting the information can be severe. Even where the transfers are lower risk, it is worthwhile implementing secure transfer methods as standard practice. Here’s what to consider when safely transferring files containing personal data:
What is the most secure way to transfer files containing personal data?
The most secure way to transfer files containing personal data varies depending on the technologies and tools available to both the sender and the recipient. But the safe digital transfer of personal data relies on a robust information security framework, which might include encryption, network security, and staff training.
The Importance of Encryption in Safely Transferring Files
Encryption is a tool that helps to ensure that information is stored or transferred in a form that cannot be easily understood by unauthorised viewers. Technologies in this area are constantly advancing, so it’s important that you use tools that are up-to-date and remain effective. Doing so reduces the risk of personal data being exposed if files are intercepted in transit over the internet or accessed while they are stored.
Importantly, when you send personal data or files, you can (and should) rely on two encryption mechanisms: an encrypted message carrying the files and encryption of the files themselves.
Email Encryption Best Practices
Best practice says you should encrypt all emails. If you only encrypt the emails that contain sensitive or personal information, it acts as a flag for any hackers who might be spying on your email address. Even if they don’t manage to access the encrypted information, they may be able to leverage any details they do glean to access personal data via social engineering – which is basically the art of exploiting humans in a hacking effort, as opposed to attacking technological weaknesses.
Encryption as a GDPR Supplementary Measure
Encryption has also been identified by the European Data Protection Board as a supplementary measure to protect personal data in jurisdictions where there may be concerns about government or other national agency access to that data. This issue was at the heart of the Schrems II decision, which has brought EU-US trans-Atlantic data transfers into question.
Privacy 108 has worked with Cryptoloc to identify how their unique three-key encryption solution can overcome the issues at the heart of Schrems II and provide a supplementary measure to support EU-US data transfers. More about this solution here.
The Role of Network Security in Safely Transferring Files
When files and data are accessed on unsecured networks, they are more vulnerable to attack. Network security plays a large role in keeping your files safe when they’re stored, accessed, and transmitted.
Your network should have mechanisms in place to deter and detect unauthorised access. File downloads and transfers should be monitored, so that the theft of bulk data can be quickly picked up. And your network should be segregated, so that intruders can’t (easily) access the entirety of your system. Moreover, network security needs to be equipped to mitigate risks posed by internal users as well as external actors.
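As an added illustration of the monitoring point above (example code, not from the original post or any product it mentions), here is a small Python checker that flags users who exceed a per-window download count or byte volume in a transfer log. The log format, user names, window size and thresholds are assumptions chosen for the example.

```python
"""Flag bulk file downloads in a transfer log (added example; format and thresholds are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <user> DOWNLOAD <path> <bytes>"
SAMPLE_LOG = """\
2021-06-01T09:00:05 alice DOWNLOAD /hr/payroll_q1.xlsx 120000
2021-06-01T09:00:40 alice DOWNLOAD /hr/payroll_q2.xlsx 118000
2021-06-01T09:01:10 bob DOWNLOAD /marketing/logo.png 40000
2021-06-01T09:01:30 alice DOWNLOAD /hr/contracts_2020.zip 5200000
2021-06-01T09:02:00 alice DOWNLOAD /hr/contracts_2019.zip 4900000
2021-06-01T09:02:20 alice DOWNLOAD /hr/employee_list.csv 30000
2021-06-01T11:30:00 bob DOWNLOAD /marketing/brochure.pdf 900000
"""

def parse_log(text):
    """Yield (timestamp, user, path, size) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "DOWNLOAD":
            continue
        ts, user, _, path, size = parts
        try:
            yield datetime.fromisoformat(ts), user, path, int(size)
        except ValueError:
            continue

def find_bulk_downloads(text, window=timedelta(minutes=5), max_files=5, max_bytes=10_000_000):
    """Return {user: (count, bytes)} for users who exceed either limit within one window.

    A per-user sliding window keeps only events newer than `window`; the alert
    records the count and volume at the first event that crosses a threshold.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, size) inside the window
    alerts = {}
    for ts, user, _, size in sorted(parse_log(text)):
        q = recent[user]
        q.append((ts, size))
        while q and ts - q[0][0] > window:
            q.popleft()
        count, total = len(q), sum(s for _, s in q)
        if user not in alerts and (count > max_files or total > max_bytes):
            alerts[user] = (count, total)
    return alerts

if __name__ == "__main__":
    for user, (count, total) in find_bulk_downloads(SAMPLE_LOG).items():
        print(f"ALERT {user}: {count} downloads, {total} bytes within 5 minutes")
```

In the sample, alice crosses the 10 MB limit on her fourth download within the window while bob's two downloads, hours apart, never accumulate.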
Privacy108’s Training on Key Information Security Management Techniques
As we outlined in our recent post on Business Lessons from the OAIC’s 2020 Highlights, human error is a significant factor in data breaches. In fact, around 50% of data breaches reported between January and June 2020 were the result of data being emailed or posted to the wrong recipient.
Staff training and security awareness can greatly decrease the risk your staff pose to your company’s reputation – and the data you hold – including when it comes to safely transferring files.
We’re running an ISACA CISM preparatory course in June 2021. This course is for data protection officers, privacy managers, auditors, legal compliance and risk officers, security managers, information managers, and anyone looking to upskill and become a certified information security manager.
This CISM training course is designed to equip you with the practical skills you need to assess real-world information security risk. The course covers the following areas:
- Introduction to Certified Information Security Manager (CISM)
- Domain 1 – Information Security Governance, which includes effective information security governance, information security strategy, and action plans.
- Domain 2 – Information Risk Management and Compliance, which includes risk management, assessment, and monitoring as well as training and awareness.
- Domain 3 – Information Security Program Development and Management.
- Domain 4 – Information Security Incident Management, which includes business continuity planning and post-incident activities and investigation.
You can read more about the course here or contact us for further details.