Call for ban on physical transfer of digital files

Never say "the disc is in the post", recommends report

A complete ban on using physical media to transfer digital files has been called for in a recent report, which found that nearly one in five companies is still using couriers such as the postal system to send media containing large or sensitive files.

This is despite the well-publicised data breach caused when HMRC misplaced a number of discs in 2007, and the publication of the Poynter Report two years ago.

The Information Commissioner's Office now has the power to levy fines of up to £500,000 on businesses that compromise data through negligence. The commissioner has also said he favours compulsory disclosure of serious breaches of the Data Protection Act; disclosure is currently voluntary.

The survey by security firm Cyber-Ark, which admittedly has a vested interest, found that 19 per cent of firms still use couriers for transferring large files. Alarmingly, the number using the postal service has increased from four per cent in 2008 to 11 per cent this year.

However, PricewaterhouseCoopers chairman Kieran Poynter did not write his report in vain. The survey shows considerable awareness of the issues, with the number of firms relying on email to transfer sensitive files falling from 35 per cent in 2008 to 16 per cent this year. Two-thirds of respondents use File Transfer Protocol (FTP) and 28 per cent put their trust in web services.

Even these methods are vulnerable, according to Cyber-Ark's report.

“With FTP, and even encrypted FTP sessions, the problem arises after data has moved while it sits on the FTP or SFTP server in plain text. The service is connected directly to the internet leaving it open to violation, and as there is no audit trail, there's no record of who accessed the files,” said Mark Fullbrook, UK director at Cyber-Ark.

“More alarming are those organisations that are using a web-based offering – they may just as well stand on a street corner and give away their information; these services weren’t designed with sensitive corporate data in mind,” he added.
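The two weaknesses Fullbrook describes, files sitting in plain text on the server after the session ends and no record of who handled them, are both addressed by encrypting at the sender before the file ever reaches FTP, SFTP or a courier disc, and by keeping a transfer log independent of the server. The following Go program is an added illustration written for this page; it is not code from the article, from Cyber-Ark or from any product mentioned. It assumes the sender and recipient already share a 32-byte key exchanged out of band, and the `AuditRecord` structure and the sample CSV payload are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// samplePayload is a constructed stand-in for a sensitive file; the
// marker below is the field we check never appears in what the server stores.
var samplePayload = []byte("NINO,Name,Salary\nQQ123456C,A. Person,42000\n")
var sampleMarker = []byte("QQ123456C")

// AuditRecord is one line of a transfer log kept by the sending organisation,
// independent of the FTP/SFTP server (hypothetical structure for this example).
type AuditRecord struct {
	When   time.Time
	Actor  string
	Action string // "sealed", "uploaded", "opened", ...
	Digest string // SHA-256 of the ciphertext, so the log ties to a specific blob
}

// Seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
// Only this output is ever written to the server or burned to a disc, so a
// server compromise or a lost disc exposes ciphertext, not the file.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM's authentication tag means any modification of the
// blob while it sat on the server (or in the post) is rejected rather than
// silently decrypted to garbage.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Leaks reports whether a stored blob still exposes a known sensitive marker;
// a defender can run this over what the server actually holds.
func Leaks(stored, marker []byte) bool {
	return bytes.Contains(stored, marker)
}

// Record appends an audit entry keyed to the ciphertext's digest.
func Record(log []AuditRecord, actor, action string, blob []byte) []AuditRecord {
	sum := sha256.Sum256(blob)
	return append(log, AuditRecord{time.Now().UTC(), actor, action, hex.EncodeToString(sum[:])})
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	sealed, err := Seal(key, samplePayload)
	if err != nil {
		panic(err)
	}
	var log []AuditRecord
	log = Record(log, "payroll-clerk", "sealed", sealed)
	log = Record(log, "payroll-clerk", "uploaded", sealed)
	fmt.Println("server-side copy exposes the NINO:", Leaks(sealed, sampleMarker))
	plain, err := Open(key, sealed)
	if err != nil {
		panic(err)
	}
	log = Record(log, "recipient", "opened", sealed)
	fmt.Println("recipient recovered the file intact:", bytes.Equal(plain, samplePayload))
	for _, r := range log {
		fmt.Printf("%s %-14s %-9s %s\n", r.When.Format(time.RFC3339), r.Actor, r.Action, r.Digest[:12])
	}
}
```

The design point is that the transport (FTP, SFTP, a web upload, or a courier) is treated as untrusted storage: confidentiality and integrity travel with the file, and the audit trail is written by the sender's own systems rather than relying on the server to provide one.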