This organization uses multiple FTP and other file sharing sites to share documents internally and with partners and customers. Some of these are sanctioned by the organization, but many aren’t. The reason there are so many is because IT is very busy and hasn’t gotten around to creating an easy-to-use collaboration site for everyone. They also make it very difficult to implement anything as basic as a secure collaboration site without having to get vice presidential justification and jumping through hoops. There are Windows file servers for some internal projects and Microsoft SharePoint sites for others. People use email, free sites, like drop.io and YouSendIt, and FTP sites to exchange documents with outside people. Employees have resorted to “roll your own” because of the IT can’t meet the need in a timely way.
So here’s the bad part. One of these FTP sites has the same password they used 3 years ago. This is an external site that anyone can access. One division uses this site to share documents with their customers, including invoices and purchase orders. It has a simple password and people share it all around the company. The site is easy to use and works fine. Unfortunately no one is actively managing this site or thinking about changing the password. People who left the company can still access that site and a lot of confidential information. Talk about a security hole.
This is one of the problems with most FTP sites. They are easy to use but their security is very rudimentary. They usually have a single password for user access with no ties into a directory service, like Microsoft Active Directory or LDAP. Hence, no one changes the password, because you would have to notify a lot of people that it changed; that’s a hassle and people would complain. By using a directory service, access is individualized and each user’s password controls access to the site. When an employee or contractor leaves your organization, you can shut down their access by disabling their user account. Now you have to worry about changing the password on this one site and notifying the users every time someone leaves.
If you are thinking about implementing a risk management strategy or a data governance plan, the first thing to look at it is where you are putting your data. If you are using FTP sites, take a look at their security. I would get rid of them and use a secure file transfer service or a secure extranet portal that has individual user credentials. These are better options than an FTP site to let your employees, customers and partners securely share information.
If you suspect confidential documents walking out the door, check your FTP sites. Of course that assumes you can even find them all.
Photo credit chego101