Government Data Security Starts with File Protection

December 15, 2021 Security and Compliance, MOVEit

Think about your organization for a moment, how much of your company’s sensitive data resides in Office documents? For most organizations, it's an alarming percentage. And what happens to all these files? They get passed around like hors d’oeuvre at a ritzy cocktail party.

SkyHigh Networks (now owned by McAfee) analyzed data from 23 million users and found that “15.8% of all the analyzed files were of a sensitive nature, 7.6% being confidential data, 4.3% holding personal data, 2.3% containing payment details, and 1.6% storing health information.”

All the firewalls and anti-malware solutions in the world can do nothing about data security when files are emailed around at near-spam levels.

These files must be encrypted by default and sen t safely as a rule.

This is just of the findings in Osterman Research’s new report Cybersecurity in Government Viewpoint 2021.

Large Swath of Government Bodies  

Governmental organizations come in all shapes and sizes – and so do the threats. “Anything from a large federal organization down to small towns can be classified as a 'Government' organization. With this variety comes a diverse threat landscape with countless attacks from relentless bad actors willing to do anything to break in. We know these threats are growing, but how prepared are you really?” Osterman noted.

Government agencies are an irresistible target. “Cyber criminals go after the government sector to undermine citizen confidence, steal vital and classified data, and leverage systemic cybersecurity weaknesses against agencies,” Osterman argued.

And who has bigger secrets than governments? When governments are hit, it hurts. “Some federal and central government agencies carry symbolic meaning for citizens in the wider country, and a cybersecurity incident at any of these organizations shatters the collective sense of safety and security on the global stage,” the research house said. “Undermining the confidence of citizens is an attractive outcome for foreign powers, nation-state attack groups, and activist cybercriminals.” 

While all governmental bodies have sensitive data, some rise to the secrecy top and require strong data security and file protection. “Government agencies hold data that is valuable to foreign governments, other political parties, dissenters, and hackers seeking data for identity theft and targeted phishing attacks. For example: Agencies create and maintain sensitive data on military maneuvers, defense plans, known and suspected terrorists, deployment locations and identity details of intelligence agents in other countries, and other issues of national security and foreign policy,” Osterman warned.

Smaller bodies still hold sensitive information about citizens. “Citizens have no choice but to supply their own sensitive and confidential data to government agencies during routine interactions, such as filing tax documentation, paying local and state taxes, and applying for business licenses. By virtue of what the government does, it accumulates a massive data footprint of some of the most sensitive and confidential data related to people and organizations,” Osterman pointed out.

These files can be filled with personally identifiable information (PII) such as citizens’ names, addresses and phone numbers, health information, welfare payment details, etc.

The Problem with Email: It’s a Big One  

Isn’t email wonderful? Not when it comes to file protection. Email is used for nearly everything, even things it shouldn’t — like transferring sensitive information. And email is used so often mistakes are sure to happen. How many messages have been sent to the entire organization – when they were meant for only one set of eyes? And given how commonly email is hacked, criminals can read all those confidential attachments, too.

Osterman noted this and warns against the use of email for sharing and transferring files. “The use of email as the primary means of transferring documents containing sensitive information raises several cybersecurity threats, including accidental misdirection of the original by sending it to the wrong person, unauthorized access to items in the Sent folder in an email account following credential theft, and unauthorized access to all messages and attachments stored in the email account—project documentation, sensitive data on people and citizens, organizational strategy thinking, and more,” the researchers explained. “The move to the cloud for email services has seen people gain access to 50GB and 100GB mailboxes. Whether originating from a phishing attack, brute-forcing a password, or another type of compromise, several of the data breaches profiled in this section have been centered on compromised email accounts.”

There is a better way to ensure file protection: Managed File Transfer (MFT) safeguards data when shared and in motion. “Email is currently the most common way of sharing documents and files within agencies, across agency lines, and outside of the government sector. Documents containing sensitive and personal data sent by email should be protected with additional protection using encryption. This reduces the likelihood of a data breach if the message is sent to the wrong person, and if the email account is compromised,” Osterman believes. “ Managed File Transfer solutions offer a much stronger foundation for sharing and protecting sensitive data. Transferred files are protected by encryption, access is controlled through identity verification, and files are never stored in email accounts.”

Three Cases in Point: How Govt. Organizations Leverage Managed File Transfer (MFT) for File Protection

Here are three case studies showing Managed File Transfer (MFT) in action.

Milwaukee County Centralizes Dozens of File Transfer Systems on Progress MOVEit

When Milwaukee County wanted to boost technological efficiency to better achieve its public-service mission, standardizing data file transfer on Progress MOVEit was the obvious choice. Dozens of file transfer solutions used across siloed County departments required manual work, custom coding and a huge time commitment.  

“I love its many capabilities. The developer in me can’t wait to use the API functionality. All around, MOVEit is a very solid, feature-rich file transfer tool.”  -- Ilija Lukic, Application Analyst III, Milwaukee County

The Milwaukee County team experienced the MOVEit difference right away, and more teams and departments were getting on board every day. Each team was happy they no longer had to manually transfer files, or spend time writing code in their applications to handle the file transfers between environments and systems. 

Cambridgeshire County Council Eases Secure File Transfer for 4,000 Users

Cambridgeshire County Council is the UK local government authority responsible for administering 60 electoral divisions in the county of Cambridgeshire.   

Prior to acquiring a managed file transfer solution, council users would transfer data between public sector organizations either via the Government Connect Gateway or a generic FTP solution. However, many employees regarded this as ‘clunky’, inefficient, and awkward to use. Users also noted there was no way of sharing sensitive information, for instance, healthcare, social care or childcare data with third parties such as emergency services or housing associations — which was a frequent requirement. 

The council required a secure managed file transfer solution that could:

  • Quickly and simply be adopted as the go-to solution for secure file transfers with third parties
  • Prevent any leak of commercially sensitive or confidential public information, such as financial deals with suppliers, or records pertaining to institutions such as care homes, educational establishments, or prisons
  • Require little or no user training and provide an easy learning curve to full adoption
  • Ensure complete visibility for files moving between the council and third parties
  • Meet any regulatory guidelines set by the Information Commissioner’s Office
  • Enable a more efficient ad-hoc route for the general sharing of large or numerous files

User feedback to date has been very positive, with the common opinion that because MOVEit uses a friendly portal with clear directions, it was very much like signing up a new consumer service, such as Gmail or Yahoo. Most users were immediately happy with the system with just a small pamphlet of instructions, and barely any support has been necessary.  

The City of Guelph Secures Employee File Transfers and Saves Money with MOVEit

Guelph is a mid-sized city in southwestern Ontario that consistently ranks among Canada’s best places to live. With 2,000 employees serving Guelph’s citizens from City Hall and 40 satellite offices that provide police, fire, emergency medical, public works, transit, permitting, and other services, safeguarding confidential information is of paramount importance, and Guelph must adhere to both Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) and Personal Health Information Privacy Act (PHIPA) requirements.

But the number of employees who needed to transfer these confidential files on an occasional basis was growing. As a result, many staff members were using consumer-oriented, non-secure file transfer sites for file exchange. This made it impossible for IT to keep track of what files were being transferred, who was transferring them, and where they were being sent. In turn, this made it impossible to fully comply with MFIPPA and PHIPA requirements, putting the City of Guelph at risk.

But now, Guelph is using MOVEit Secure Email Attachments to send large files securely and reduce the burden on their email systems. This solution supports sending and receiving files and messages between individuals and groups using Outlook or a simple browser interface, meeting employees’ need for convenience and ease of use, while enabling IT to exercise the visibility and control they need to address risky personal file-sharing practices. Guelph is deploying MOVEit File Transfer, Progress’ on-premises Managed File Transfer solution. MOVEit can also be deployed in the cloud, or in hybrid mode.  

Secure Managed File Transfer (MFT) Software Keeps Government Secrets Secret

Many data breaches occur when files are moved within your group or to partners and other organizations with a vested interest. With MOVEit Managed File Transfer (MFT) from Progress,  you can establish secure collaboration and automated file transfers of sensitive personal data. These files are not only moved safely, but they also include encryption and activity tracking.

By default, all files sent outside the offices should be handled in a secure and trackable way – which is  MFT. 

With MOVEit Managed File Transfer, you no longer rely upon your employees emailing personal data to other employees, outside entities, or using insecure file sharing services. With Secure MFT Software, you eliminate user error and can track and report the details of every file transfer.

The Benefits of MOVEit for Government Departments and Agencies

  • Increased Productivity:  employees can easily share files of any size and mime type with internal & external users
  • Ease of Compliance Reporting:  for regulations & standards such as GDPR, PCI, SOX, BASEL I/II/II, MiFID II
  • Reduced Risk of Data Loss:  increased visibility, control, security & auditability of your data transfers

Learn more about Managed File Transfer!

Doug Barney

Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.

Read next 6 Data Security Tips for State and Local Government Agencies