
It’s no secret that banks are under the gun today. The economy is forcing a radical restructuring of markets, while the Internet continues to change expectations and business models. Both trends place a mandate of new data security requirements on the laps of IT managers at banks and insurers. But how are companies handling security and compliance across the most widespread data exchange method – email attachments? This article provides five tips for creating a delicate balance of centralized file transfer control and end-user email simplicity.
We’ve all done it before.
Have you ever gotten that queasy feeling in your stomach, right after you click “send”? Have you ever thought “I didn’t just cc: the wrong person on that email, did I?”? Or, weeks after hitting send, did you realize that the spreadsheet you emailed to your customer had an extra tab with another customer’s trading data?
For both employees and IT groups, email attachments continue to be a fact-of-life, and security risk, as teams create a delicate balance between enabling ease-of-use and centralized security.
Information flows.
For banks, insurers and other information-driven businesses, the data exchanged with third parties is the “supply chain”. Like hard-goods companies, banks get material (data) from upstream sources, add value, and deliver goods to downstream customers.
Quite simply, how these information-driven companies manipulate the numbers and words in data files determines their competitive differentiation, customer loyalty and profitability. It’s not a stretch to make this claim for companies in tangible goods markets, such as auto manufacturers and retailers.
An age-old problem.
The act of transferring files between companies is not new.
Companies across industries have been exchanging data with partners for decades. Retailers send purchase orders to suppliers, manufacturers transfer product inventory positions to assemblers, and banks transfer transaction records to corporate clients. Some transfer thousands of data files a day.
What’s new are the demands on the IT groups and businesses to exchange a larger, more complex flow of transactions while providing a higher level of transparency on top of a leaner pool of resources.
How data is exchanged.
At a high-level, data enters and exits companies in two ways.
At headquarters, centralized systems automate the exchange of daily reports and transactions. This can be viewed as machine-to-machine or process-to-process, with little or no human intervention needed. And at the front lines, there are the ad-hoc data exchanges by employees using email attachments. While never meant for delivering and securing huge file attachments, email continues to be at the front lines of the file transfer process.
Both processes – centralized file exchanges and ad-hoc email attachments – need to be managed to ensure that the right data is getting to the right destination.
Why securing email attachments is hard work.
For both employees and IT groups, securing the data that goes inside and outside the company has become harder to manage, yet more important. Three factors contribute to this challenge: an increasing number of transactions, the need for visibility, and limited resources.
A river of data.
First, the river of data flowing between you and customers, partners and agencies is growing. B2B transactions will at least triple from 2008 to 2013, and it’s not unusual for a company with 2,500 knowledge workers to generate eight terabytes of email attachments, according to Gartner. This data explosion is a product of two trends: first, the definition of “trading partner” is expanding, with enterprises establishing connections with a growing number of customers, agencies and partners; and second, the types of data files exchanged are expanding, including the use of electronic check images that banks use to reduce the costs of handling traditional paper checks.
The call for transparency.
Second, the demands for visibility and compliance are growing for financial services providers, making it more important to have a paper trail to support security audits and reports for compliance mandates such as Sarbanes-Oxley, TARP, HIPAA and TAF. This is particularly important as the number of people who have access to sensitive data is on the rise, including employees, contractors, partners and customers.
The demands for visibility are often fueled by high-profile data security issues. Each week, 12,000 laptops get lost, risking corporate records. Each year, 100 million records containing personal identity information are lost or stolen.
Accidental architectures.
Third, IT groups have less ammunition to deal with file transfer projects. The economy has forced budget cuts and layoffs, resulting in cancelled projects and reduced staff. The ways a user can exchange files has expanded, including smart-phones and instant messaging (IM), making it harder to control. And the underlying IT systems in many banks and insurers are hard to adjust, cobbled together in an “accidental architecture” after years of add-ons and company consolidations.
What doesn’t work.
What doesn’t work is relying on old-school tools like file transfer protocol (FTP) applications as an alternative to email attachments. FTP has been around since the 1970s, well before the Internet became widely used. While FTP is still prevalent, and the networks it runs on are typically secure, FTP is problematic for a number of reasons. Most FTP systems have no way of encrypting the data transferred, so files are sent “in the open” and at risk from sniffers or theft. FTP is often a manual process, with files left on servers until someone deletes them. And FTP has poor support for audit trails, with no way to verify that a file has been delivered.
What’s a data security manager to do?
5 tips for securing email attachments.
Creating a delicate balance between centralized file transfer control and end-user email simplicity is an ongoing tightrope act for many IT groups. Here are some basic steps to take.
1. Create a consistent file transfer policy.
The first step in securing email attachments is to define an overall security policy, with emphasis on how data is transferred inside and outside the company and covering data in motion and data at rest.
2. Communicate clearly.
Regularly tell staff about your policies and best practices for handling secure data, including the consequences for security breaches. Since the goal of a file transfer policy is typically to influence behavior, clarity of purpose is critical. If it’s unclear, the policy will mistakenly attempt to solve too many problems or too few. In addition to setting formal rules and technical processes defining file transfers, consider adopting a code of conduct, such as an ethics policy to help set a tone on how your organization does business.
3. Create a centralized managed file transfer (MFT) service.
Data security impacts every part of the business, so a central management focus is a best practice. An MFT service should focus on the services delivered, not the underlying technical components: provisioning connections, monitoring data flows, validating transactions, and measuring compliance. It’s critical to include start-to-finish visibility of the file transfer, across transactions, applications, and systems.
4. Pull email under the umbrella.
Two capabilities are key to adding email attachments to a central MFT process. First, create a simple, no-brainer capability for users to attach files in their current system (e.g., a toolbar in Microsoft Outlook) with as little training or new process as possible to ensure usage. Second, set up an attachment unloading service that strips off the attached file and places it in a secure process.
5. Report, measure, adjust.
Providing real-time dashboards with drill-down capabilities not only gives you a current view of file transfer compliance (instead of reports delayed by weeks or months) but also gives teams granular insight into root-cause data when transaction errors occur.
Beyond email.
Managing email attachments is but one piece of the file transfer process. And the landscape of approaches for managing data security and compliance is enormous, requiring a much larger discussion. Role provisioning, encryption, intrusion prevention, firewalls and content filtering are but a few tools that deserve their own place in a discussion on safely managing applications and files.
Beyond email attachments, IT groups should focus on the ways that governance and security can be integrated across the company, and how all transactions (including structured and unstructured data) can be pulled under a single file transfer governance system.
About Inovis
Inovis offers software and services that enable companies to do business electronically across their entire trading community. Each day, over 20,000 companies across the globe rely on Inovis to reliably send and receive purchase orders, synchronize data and manage exceptions in order to lower supply chain costs and get products to customers faster. Founded in 1983, the company is based in Atlanta, Georgia and has offices across the United States, the United Kingdom and Hong Kong. For more information, please visit www.inovis.com or email info@inovis.com.
Doug Kern is the Product Marketing Manager at Inovis (www.inovis.com), a provider of B2B integration software and services for banks, manufacturers and retailers. When he's not teaching capsize drills to four-year-old sailors, Doug can be reached at doug.kern@inovis.com.