All the way back in November of 2007 the Wall Street Journal reported on the risks of file sharing. Citigroup had confirmed a mere two months earlier that an employee using the peer-to-peer (P2P) file-sharing application LimeWire had lead to a breach that resulted in the names and social security numbers (SSN) of over 5,000 customers being inadvertently leaked.
A few months before that, in June, Pfizer had revealed it had suffered its own data breach due to P2P file-sharing software: the names and SSN of 17,000 current and former employees were leaked when an employee’s spouse downloaded file-sharing software onto a company laptop.
Although these data breaches happened in 2007, too few companies have taken the necessary steps to protect themselves against similar breaches today.
What is P2P File Sharing?
P2P file sharing allows users to share and distribute files (often music, videos or PDFs) from their hard drives to other computers over a P2P network. According to the Identity Theft Resource Center, there are typically 20 million users on P2P networks at any given time.
P2P file sharing can be deadly when it comes to protecting a business’ sensitive information. Whether trying to download music or transfer work-related files that are simply too large to send via email, employees do not typically mean to create a data breach when they access these P2P file-sharing networks. Unfortunately, that doesn’t mean the risks aren’t real.
The Risks of P2P File Sharing
According to the US Computer Emergency Readiness Team (US-CERT), in addition to the possibility of sensitive data being leaked directly over the networks, there are several other concerns.
- Installation of malicious code, including viruses, spyware, Trojan horses or worms
- Susceptibility to attack, by requiring users to negate firewalls that otherwise prevent hackers from accessing sensitive data directly
- Denial of service, since downloading files causes a significant amount of traffic over the company’s network, reducing the system’s ability to handle other, work-related, tasks
- Prosecution, since often the files shared over these networks include copyrighted, pirated and/or pornographic materials — if an employee downloads such files via a company network the company may be held liable
Preventing P2P File-Sharing Risks
There are three primary strategies companies can employ that will significantly decrease their sensitivity to the threat P2P file sharing offers.
1. Educate Employees — Most employees do not understand the risks that P2P File-Sharing networks pose. They may know they’re not supposed to use them, but without understanding why, they may decide to ignore the rules and do it anyway. Companies who explain to their employees the reason that file-sharing networks are decreed off-limits increase the chances that those employees will comply with the rules.
2. Store Sensitive Data in a Secure Location — Data breaches occur when files are easy to access; storing them in a secure location, such as in a secure virtual data room, makes it almost impossible for someone to accidentally share important documents, and makes it much harder for hackers to access that information as well. Secure virtual data rooms have extra protection, multiple levels of authorization and track who accesses files. This makes it easy to monitor them for inappropriate usage and to keep sensitive data safe.
3. Check Computers for P2P File-Sharing Software — By regularly checking company computers (or any computer that is allowed to store sensitive company data) for P2P file-sharing software, companies can ensure employees aren’t using such networks. As a bonus, if employees know their systems will be monitored for the software and that they will face disciplinary action should they be caught using it, they will be much less likely to ignore company policy.