Page 57 - Cyber Defense eMagazine Annual RSA Edition for 2024
process automations to handle the more complex actions involved in file transfers, including automatically
encrypting and decrypting every file sent and received. That is the essence of secure-by-design, after all.
Rather than sacrificing security for the sake of convenience, we make security itself more convenient,
thus enhancing it.
Secure by Design – and Deployment
Another important consideration in our approach was an insistence that secure deployment be
part of the secure-by-design concept. This became especially important as organizations adopted
cloud and hybrid digital infrastructure, and as digital supply chains grew in scope and complexity. The
prevalence of users operating outside the firewall meant it would be far more convenient if administrative
tools were also deployed outside the firewall. Big mistake, and one that thousands of organizations would
come to regret.
Two of the biggest data breaches of 2023 involved the popular managed file transfer software products
GoAnywhere and MOVEit, both of which were targeted by the Cl0p ransomware gang. To date, the
MOVEit breach alone has affected more than 2,600 organizations and resulted in the compromise of data
on 90 million individuals. In both cases the breaches triggered investigations for violations of the Health
Insurance Portability and Accountability Act (HIPAA) and other regulations. The common element for
both MOVEit and GoAnywhere customers was the deployment of administrative dashboards outside of
network firewalls, making it easy for cybercriminals to take advantage of vulnerabilities in the software
and steal sensitive information as it passed through the products.
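The deployment mistake described above is easiest to see in a reverse-proxy configuration. The following is an added example, not configuration from the article or from either vendor: it contrasts a weak nginx setup in which a hypothetical managed file transfer service exposes its administrative dashboard on the same internet-facing listener as the customer transfer endpoint, with a hardened setup in which the admin surface is refused on the public name and served only from a management interface restricted to an internal subnet. All hostnames, addresses, CIDRs, ports and certificate paths are assumptions chosen for illustration.

```nginx
# Added example (not from the article). Hostnames, addresses, CIDRs, ports
# and certificate paths are assumptions, not values from any real deployment.

# WEAK: one public listener serves both the customer transfer endpoint and the
# administrative dashboard, so /admin/ is reachable from anywhere on the internet.
server {
    listen 443 ssl;
    server_name mft.example.com;
    ssl_certificate     /etc/nginx/tls/mft.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/mft.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8000;   # file transfer application (assumed port)
    }

    location /admin/ {
        proxy_pass http://127.0.0.1:8001;   # administrative dashboard (assumed port)
    }
}

# HARDENED: the public listener answers only for the transfer endpoint and
# refuses the admin path outright, so no administrative surface exists on the
# internet-facing name regardless of what the application behind it does.
server {
    listen 443 ssl;
    server_name mft.example.com;
    ssl_certificate     /etc/nginx/tls/mft.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/mft.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8000;
    }

    location /admin/ {
        return 404;   # admin dashboard is not served from the public listener
    }
}

# The dashboard is served from a separate listener bound to the management
# interface and limited to the administrative workstation subnet.
server {
    listen 10.20.0.5:8443 ssl;               # management interface address (assumed)
    server_name mft-admin.internal.example;  # internal-only name (assumed)
    ssl_certificate     /etc/nginx/tls/mft-admin.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/mft-admin.key;   # placeholder path

    allow 10.20.0.0/24;   # admin workstation subnet (assumed)
    deny  all;            # everything else is rejected with 403

    location / {
        proxy_pass http://127.0.0.1:8001;
    }
}
```

The proxy rules are only one layer: the same separation should be enforced at the network firewall or cloud security group, so that the management address and port are not routable from the internet at all, and the public listener should be tested from outside the firewall to confirm that the admin path really is gone. Keeping the dashboard off the public listener also means that a future vulnerability in the dashboard cannot be reached by an attacker who only has internet access, which is the point of treating deployment as part of secure by design.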
Be a Moving Target
That leads to the final lesson I’ll share here today, which is the importance of continuous testing and
improvement in any product. Cybercriminals are clever and motivated, and they are always looking for
weaknesses they can exploit in whatever software products are in the market. It’s harder to hit a moving
target than one that is static, and so testing, retesting, and improving code is a must. That also means
listening to customers when they report problems and investigating the underlying cause. Maybe the
reason for trouble is operator error—or maybe it’s an unanticipated condition that has an unexpected
result that could be exploited. It’s also important to follow relevant trends and add new features and
capabilities that enhance product security. There is no excuse for any vendor to skimp on ongoing
investments for any product it is actively selling and supporting.
Maybe those stories aren’t as gripping as something you might hear from a wizened old mariner, but they
are told from the perspective of an organization that has spent twenty years “before the mast” navigating
the treacherous waters of information security and managed file transfer.