Apr 21 2021

5 Ways to Balance Secure File Sharing and Productivity During Telework

Users should be able to share information easily, but agencies also need to be able monitor data transfers to guard against cyberattacks.

The mass shift to remote and hybrid work environments has forced government agencies to rethink their perspectives on file sharing. 

Traditional approaches that place extreme restrictions on file sharing or block it altogether are outdated and counterproductive in today’s remote work environment. But static security policies can limit employee productivity and increase frustration during a time when workers are already facing significant challenges. 

Thus, it’s becoming increasingly apparent that agencies must relinquish some of their restrictions on file sharing so their employees can remain productive, connected and informed.

In a recent Defense Department Inspector General survey, respondents reported positive experience with maximum telework. Specifically, 88 percent of survey respondents said their productivity levels remained the same or increased during maximum telework, regardless of their components’ initial telework challenges.

Many respondents said they requested access to file sharing applications, and a large number used third-party tools to share files to accomplish their jobs.

As always, security is a primary concern in environments where employees are exchanging files. One of the most popular file sharing tools, Dropbox, is not authorized by the Federal Risk and Authorization Management Program (FedRAMP). However, security must not be the enemy of productivity. Agencies must allow employees to exchange information in a frictionless manner while continuing to monitor data transfers so as to intercede in the event of a potential breach.

Here are five strategies agencies can use to ensure secure file sharing that does not affect workers’ productivity.

1. Set Dynamic Policies for File Sharing

Most federal security policies take a binary approach to file sharing, restricting some types of sharing while allowing others. Some of the more stringent rules are usually applied to cloud services. 

While that’s understandable given uncertainties surrounding some of these services, the fact remains that many cloud applications are easier and faster to use than traditional methods of communication, such as email. 

Instead, agencies should consider implementing data loss prevention policies. With DLP, the focus is on protecting the loss of data in-flight, not stopping transfers altogether. Risk is assessed dynamically based on a single predefined policy that assigns specific actions based on which file service is being used. 

For example, files sent via OneDrive might be analyzed under different criteria than files shared over Box or Google Drive. Meanwhile, internal file sharing may be analyzed differently than files shared externally. The analysis may show that a particular file should be blocked, but that does not inhibit other files from being shared over the same service or different services. The balance of productivity and security is maintained.

DIVE DEEPER: Find out what document management systems are and how they can help your agency.

2. Expose and Control the Use of Unauthorized Cloud Services

Of course, this does not mean that users should be allowed to leverage any cloud service they prefer. Even while working remotely and with their own devices, employees must adhere to using well-fortified cloud services deemed safe and provided by the agency. Unfortunately, the use of unsanctioned cloud and third-party file sharing services has grown in today’s remote work environment. 

More than ever, IT managers must gain visibility into the applications employees are using to share files across networks. Unsanctioned cloud applications must be identified and potentially blocked and removed.

If managers discover a large number of employees using the same unsanctioned applications, they should consider it a chance to evaluate whether their authorized applications are still contributing to employee productivity. In any case, security policies must be applied to all applications, even those deemed appropriate, to ensure file transfers remain secure.

MORE FROM FEDTECH: How can agencies secure data from shared documents when users leave? 

3. Calculate Risk Based on User Behaviors

Combining DLP and application visibility with employee behavioral analysis forms a powerful defensive posture. Behavioral analysis — the monitoring of risk based on employees’ typical behavior patterns — can help agencies identify and address true file sharing red flags without sacrificing the productivity of the entire organization. 

Most employees’ activities tend to be low risk. Even if they are using cloud services to share information, their actions usually present very little threat to the agency. 

However, when an anomalous pattern emerges, security managers can take immediate action and target the employee account in question without forcing a blanket shutdown that affects others.

GET INFORMED: How can your agency best support hybrid work environments?

4. Implement a Zero-Trust Architecture

A zero-trust approach should be implemented to further solidify the agency’s security foundation and mitigate the potential for exposure. Trust in users should never be implicit; rather, each time a user attempts to access or share information, that user should be subject to verification. Only users who need access to certain information should be allowed access.

This approach should apply to everyone in the agency, but it’s especially important for those who are working with highly sensitive information or who have shown signs of risky behavior. 

A person with a secret clearance level, for example, clearly poses greater risk than someone with a confidential clearance level. The former has a higher risk profile and therefore should be subject to greater scrutiny. 

Likewise, a person who routinely exhibits potentially risky actions — regularly uploading personal files to a cloud drive, for example — also requires careful consideration. 

Still, every employee should be considered a potential conduit for data leakage. Combining zero trust with behavioral analytics can help agencies determine which employees are more likely to introduce risk — thereby allowing agencies to focus their efforts on those users — while continuing to analyze the rest of the organization.

EXPLORE: Find out how zero trust is gaining ground in the military.

5. Embrace an Agile Approach to File Sharing Security

It’s clear that hybrid and remote work are here to stay, at least in some capacity, and that the use of cloud services will only continue to accelerate. 

The DOD IG report stated 68 percent of surveyed employees want to work from home for more flexible work hours, a better work-life balance and reduced commute times. Agencies must do what they can to balance employees’ desires for productivity from anywhere with ever-present security challenges. 

Taking a nonstatic, targeted and agile approach to security can help agencies meet employees’ needs while protecting their data.

fizkes/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT