Data sharing: What are the risks associated for your organisation?
Discover in this article, how to secure file and data sharing in your organisation
Collaboration and circulation of information play a central role in the operation of any organisation. In an open environment, where information can flow in and out of the network without restriction, sharing files and data is often perceived as an innocuous action.
However, this exposes your organisation to several risks for its IT security. What are the cyber-threats associated with data sharing? What are your legal obligations and what precautions can you take to protect yourself?
Data sharing, the cornerstone of collaboration
Data sharing is the process of digitally transferring information to users, organisations, and IT environments. It involves the intentional transmission of data from one point to another, whether within an organisation, between organisations, or with external parties.
Data contained in files or folders can be shared in several ways:
- by email, either in the body or as an attachment, and in collaborative applications, often designed to simplify communication and project management,
- through instant messaging services,
- through social networks, both internal and external,
- through storage systems hosted in the Cloud or on-premises, which enable files to be shared via download links or direct access to shared folders,
- using peer-to-peer protocols, FTP (File Transfer Protocol) or SFTP (Secure File Transfer Protocol),
- or via external devices (USB key, hard disk, etc.).
The wide variety of sharing methods means there are several major cyber-security risks for your organisation.
Threats
The risks associated with data sharing can be divided into two categories: those resulting from human error, and those resulting from malicious acts. These are the main threats your organisation faces when it comes to data sharing:
- Unauthorised access to data: individuals access confidential data without permission. This can result from human error, for example choosing the wrong recipient for an email, but also from incorrectly configured user permissions, or from identity theft (an attacker impersonating a legitimate user).
Among French organisations that suffered a cyber-attack in 2023, 16% were victims of exfiltration and/or deliberate disclosure of data by an individual with legitimate access, according to the latest CESIN barometer. For example, this could be a departing employee trying to exfiltrate your customer base.
- Data loss: poorly managed file sharing can lead to the accidental loss of important data, through handling mistakes, overwritten files or synchronisation problems.
- Man-in-the-middle attacks: cyber-criminals intercept data during transmission in order to access, steal or alter it. Public networks are particularly vulnerable to this type of threat.
- Malware/viruses: attachments shared with your organisation may be infected by malware or viruses capable of compromising the security of your data and IS.
- Loss of control over data: sharing data outside the organisation is always a risk, because you lose control over how the data is used or passed on by other parties, which can lead to breaches of confidentiality or misuse. The data shared and its recipients must therefore be chosen with care.
The consequences of these risks, when they occur, can be manifold. While a simple data loss can affect your operations, a data breach generates numerous costs (notification costs, legal fees, etc.) and considerably damages customer confidence and your brand. If sensitive data, such as intellectual property, is stolen, it may be held to ransom and/or sold to competitors.
Data sharing: what are your legal obligations?
Data sharing between organisations, employees and third parties is subject to legal obligations designed to protect the confidentiality and security of the information exchanged. These include:
- The General Data Protection Regulation (GDPR): this European regulation stipulates that organisations are required to obtain clear and explicit consent from individuals before sharing their personal data. They are also required to ensure the security and integrity of data when it is shared and to notify the French National Commission for Information Technology and Civil Liberties (CNIL) in the event of a data breach.
- Industry-specific standards and certifications: certain industries are subject to specific data-sharing standards. For instance, financial organisations may be required to comply with PCI DSS standards if they share credit card data.
In addition, it is important to note that when the new NIS2 directive comes into effect in October 2024, relevant organisations will be required to secure data sharing, e.g. by using encryption.
- ISSP and other contractual documents: if your organisation has an Information Systems Security Policy (ISSP), it should include a number of rules to be enforced when sharing data securely. These rules must be communicated to all employees to ensure their compliance. Similarly, if your organisation has signed non-disclosure agreements, it is important to comply with them: for example, a customer’s data cannot be transferred to a partner if the customer objects.
Compliance with these obligations is enforced by the Data Protection Officer (DPO) or the head of the organisation.
Data transfer is an entry point often used by cyber-criminals to attack organisations. At the same time, internal threats, whether intentional or accidental, should not be underestimated. Raising employee awareness of these issues plays a decisive role in preventing incidents, as does secure access management and the adoption of appropriate security solutions.