
Minimising the Blast Radius: Why Secure File Sharing Is Critical
Organisations routinely share sensitive information electronically, including with external partners and clients. Many organisations also need to work with contractors and suppliers, such as someone who has temporarily joined the organisation and is working alongside you or an external organisation with whom you are collaborating.
People need to share documents easily to collaborate effectively and avoid delays or drops in productivity. The temptation is to use normal email, but sensitive information sent that way can end up in the wrong hands. You may then be liable for fines – as seen with Capita’s recent £14 million GDPR fine – or suffer the business impact of others accessing confidential company information.

Email Attachments: Convenient but unsuitable for sensitive data
Email attachments are great for data that is already in the public domain or information that you don’t mind anyone seeing. A good question to ask yourself is, would I be happy if this data was sent to the wrong person at any point in the future? If the answer is yes, then it’s fine to send the data as an attachment. But if not, here are some things to consider before you hit send.
Data breaches are becoming more common, and it’s often seen as a case of when, rather than if one will happen.
In 2024, over 360 billion emails were sent and received each day, and the average office worker sent around 40 emails daily. Business Email Compromise (BEC) is a growing threat, where attackers impersonate trusted contacts to trick users into sharing sensitive data. Email account breaches are frequent, often occurring through phishing or weak credentials rather than sophisticated hacking.
Inboxes typically contain a large number of attachments, many of which include personally identifiable information (PII) or intellectual property (IP). Unfortunately, when an account is breached, all data within it is exposed. Accidental email forwarding is another common risk, leading to unintentional sharing of sensitive data.
Auditing is limited (most email servers only log IP addresses and login time) and even when audit logs exist, they are often disabled by default. There is generally no audit trail of which emails were opened and when, only that there was access to the account.
Pros
Email is easy to use and integrates seamlessly into existing workflows.
Cons

Guest Access on File Sharing Platforms: Use carefully and sparingly
Another method for sharing data is to open up your existing shared drive to your external partner or client by providing Guest Access or restricted permissions to a particular folder.
Pros
Enabling SharePoint access requires no additional tools. All shared files are stored in a single, organised location, reducing duplication and ensuring everyone works on the latest version. External users can view, edit, and comment on documents in real time, improving productivity and reducing reliance on email attachments. This method allows organisations to revoke access later and provides audit trails to track who accessed the data and when.
Cons
Providing guest permissions through SharePoint is not necessarily easy and can lead to errors. Vulnerabilities in such platforms can expose data if unpatched, and misconfigured permissions in tools like Google Drive can grant public access to sensitive files. Cloud storage services like AWS S3 and Google Project buckets often expose data inadvertently, and bug bounty reports on HackerOne highlight how widespread this is.
Misconfigurations are common, though hard to measure, as many go unnoticed. For example, organisations often misapply access, causing either blocked work or excessive exposure, sometimes to all company data. If permissions are granted repeatedly throughout the year, the likelihood of errors rises sharply.
Even polished YouTube tutorials on granting SharePoint access reveal confusion, with comments showing users struggling with differing IT setups and unclear results.

Secure File Transfer Solutions: Minimising the Blast Radius
The third option is to use a secure file transfer service. This allows users to send files as easily as email attachments but in a more secure way.
Businesses need a way of working with third parties that is easy to set up immediately and is secure. More importantly, they need confidence that if something goes wrong — and people do make mistakes — the impact is minimised and the blast radius is low. If servers are breached, encrypted data remains safe, but only if the encryption has been implemented well and access to the keys is limited to the sender and recipient.
For example, if someone shares a document with a third party using Hexiosec’s secure file sharing, Hexiosec Transfer, but makes a mistake in an email address, only one file goes to the wrong place. If it’s noticed, it can be instantly revoked. You can also see how many people have accessed that file, and it can’t be accidentally forwarded to anyone else, so the blast radius is very small.
This is in contrast to normal email or SharePoint access where, if or when there is a mistake, the impact can be very large. That’s why both the UK government and UK industry are investing in secure file sharing solutions like Hexiosec Transfer to secure their data and avoid fines like Capita’s £14 million GDPR fine or the recent MOD Afghan data breach.
Pros
End-to-end encryption ensures only the right people can view the file, as long as the encryption has been implemented well and access to the keys is restricted to just the sender and recipient.
Secure file transfer solutions offer a granular audit trail that shows who accessed the file and when. Access to files can be revoked as required.
No accidental auto-forwarding.
Cons
You need to be careful which file sharing platform you use to ensure that it is secure.

What to Look for in a Secure File Sharing Platform
When selecting a secure file sharing platform, it’s important that organisations look for a solution that is both easy to use and secure. It should allow your users to start working and collaborating straight away, without requiring the recipient to install any software.
When looking for assurance on security, most people understand that encryption is needed but don’t know how best to judge the different types of encryption that organisations offer.
File-sharing platforms that claim end-to-end encryption aim to protect data from your browser to the recipient’s browser, which is important to ensure that no one else can see the data. However, when we’ve looked at these claims from many other companies, we often find they don’t implement end-to-end encryption properly and they still hold the keys. This means that if those organisations are ever breached (and, as previously described, it’s often a case of “when”, not “if”), or have someone working for them who decrypts it, then all the data ever shared through their platform could be exposed.
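The key-custody point above, and the earlier blast-radius argument, as an added example (not Hexiosec Transfer's code or any vendor's implementation): a simulated service stores AES-256-GCM ciphertext under per-file keys, and `blastRadius` counts what a server dump exposes when the service holds the keys versus when only sender and recipient do. All function names and the sample files are constructed for illustration.

```javascript
// Added illustration; every name here is hypothetical.
const nodeCrypto = require('node:crypto');

// Constructed sample data standing in for three shared documents.
const SAMPLE_FILES = { 'payroll.csv': 'name,salary', 'bid.docx': 'tender', 'hr.txt': 'notes' };

// Encrypt one file under a fresh per-file key (AES-256-GCM).
function encryptFile(plaintext) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { key, record: { iv, ct, tag: cipher.getAuthTag() } };
}

// Decrypt; returns null when the key is wrong or the ciphertext was altered.
function decryptFile(record, key) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
    d.setAuthTag(record.tag);
    return Buffer.concat([d.update(record.ct), d.final()]);
  } catch {
    return null;
  }
}

// Upload files to a simulated service.
// keyCustody 'service': the key is stored next to the ciphertext.
// keyCustody 'endpoints': the key stays with sender and recipient only.
function share(files, keyCustody) {
  const server = {};       // everything a server breach would yield
  const endpointKeys = {}; // never leaves the sender and recipient
  for (const [name, body] of Object.entries(files)) {
    const { key, record } = encryptFile(Buffer.from(body));
    server[name] = keyCustody === 'service' ? { ...record, key } : record;
    endpointKeys[name] = key;
  }
  return { server, endpointKeys };
}

// Number of files readable from a server dump plus any keys obtained elsewhere.
function blastRadius(server, leakedKeys = []) {
  return Object.values(server).filter((rec) => {
    const keys = rec.key ? [rec.key, ...leakedKeys] : leakedKeys;
    return keys.some((k) => decryptFile(rec, k) !== null);
  }).length;
}
```

With service-held keys the dump alone exposes every file; with endpoint-held keys it exposes none, and one leaked per-file key exposes only that file.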
Hexiosec Transfer is an easy way of sharing files that is end-to-end encrypted, and we never see the keys, so even if we were to be breached, no one could ever access that data other than you and the recipient.
It gives our UK government and industry customers the confidence to get on with their work with customers, partners and third parties, knowing that if they make a mistake, that mistake is contained and often reversible.