14 Jan

The Do’s and Don’ts of ‘cybersecure’ file-sharing with contractors and consultants

Courtheath's blog
By

Cybersecurity is not always top of mind when sending and receiving documents to and from your third party suppliers. This blog talks about the pros and cons of some common ways of sharing files. 

It goes without saying that you will need to share files with third party suppliers, be they contractors or consultants – and that they will need to share files with you. However, standards for file-sharing widely vary between businesses and government and can, as a consequence, lead to some insecure file-sharing practices. Following are some do’s and don’ts of some basic file-sharing types for the routine sharing of non-security classified documentation.

Email

Email is widely used, and is a generally well accepted way to transfer documents between agencies and third party suppliers, providing both parties have incoming and outgoing virus checking. Email, however, has several drawbacks the least not being that it is often a cause of version control issues as multiple recipients will share copies and may each work on documents individually. Email also has size limitations, which may potentially differ at each end of the transaction (for example, the sender may be able to send a bigger file than the recipient can receive), so particularly large files including those that are media rich, cannot be sent. Another consideration in some contexts is that an email can very easily be sent mistakenly to the wrong person, resulting in probity breaches. CourtHeath’s podcast on this issue has more information about this.

Commercial ‘cloud’ services

The use of reputable commercial cloud services by your third party suppliers, which these days come with security by design, should be regarded as a blessing as they allow small businesses to outsource cybersecurity to the experts. This is not to say, of course, that problems can’t happen but leaving security in the hands of professionals, is a much better option than relying on a small business with little or no cybersecurity expertise.

Many of these services allow for sharing of specific files or folders, and for clients and suppliers to work on documents simultaneously, thus resolving concerns with version control. The drawback, unfortunately, is that some government/agency ICT policies do not permit the use of some specific services on their networks. If you find yourself in a situation where you can’t access a document you need for your work, the best approach is to contact your ICT team and ask how you can work together to overcome this problem. If a view is maintained that access is not to be permitted on network, then you could suggest a standalone machine with independent internet access (eg wifi) could be used. You should not, however, try to access government files using these commercial ‘cloud’ services via your personal devices and internet.

Disks, drives and USBs

Removable, external disks of any type are generally multi-use. This means they have most likely lived a varied and interesting life, containing a range of differing files and have been popped in and out of all manner of devices.  There is no telling, without a pre-use virus check if the disk is carrying something that could cause cybersecurity issues, however, it is common place for these disks to be transferred between organisations and individuals without a second thought. These external disks may present additional security issues because they may include confidential files irrelevant to the recipient (and the suitably-trained may also be able to recover deleted files), and can easily be lost, or even left plugged in ‘public’ computing devices which has been known to cause very embarrassing public probity breaches. They are also, obviously, impractical when you are not in a similar location to your third party supplier and, as with email, transferring files on disk can also make version control a challenge.

Conclusion

While all three methods of file transfer have their pros and cons, the sharing of files with third party suppliers by way of reputable cloud services is, by far, the safest approach. However, if your ICT policy does not allow this, external disks may be a viable alternative provided they can be encrypted or password-protected and that they are new (or completely wiped) and virus-checked at both ends. Email continues to be effective, but the version-control and security issues it brings should not be over-looked.

* * *

IMAGE: Used under licence from shutterstock.com

Written by 

​Dr ​
​Julia Cornwell McKean.

[category courtheath's blog]

[

​cybersecurity, contractors, government

]

CourtHeath Consulting

CourtHeath Consulting provides expert procurement and probity advice to government and not for profit organisations. We provide specialist consulting services about procurement issues and organisational procurement operations – as well as management of simple and complex tender processes. Our probity audit and advisory services help clients meet government probity standards especially regarding conflict of interest, confidentiality, ethical conduct and corruption risks.