NHBC is the National House Building Council, a building standards and insurance warranty provider in the United Kingdom. By implementing a Managed File Transfer (MFT) solution, NHBC is able to effectively ensure a constant flow of secure, confidential, copyright and personal documents and communications – a necessity in the heavily regulated insurance and building sectors. We spoke with Wayne Watson, information security manager for NHBC, to find out why MFT is critical to satisfying internal standards and external regulations.
Q. What issues was your organization facing?
We faced a regulatory challenge. We conduct our own internal audit, and are audited every year by the Financial Conduct Authority (FCA), which has very stringent guidelines regarding the transfer and management of sensitive data. Our challenge is proving to the FCA auditors the types of files and data that are leaving the company. If you don’t comply with the FCA – such as by losing or exposing someone’s financial information – you can get hit by a fine of 250,000 pounds. Plus it would damage our reputation, which we’ve built over 75 years, and people could turn to our competitors. Moreover, we need to comply with the Data Protection Act.
The threat is external because everyone who deals with us tends to want to use their solution, such as DropBox. The risk of having data leakage through sites like DropBox is just to great for a company like ours.
Q. What impact were these issues having on your business?
I would get lots of requests to download from sites like DropBox. For example, someone would say, “I need to download this file from this location,” and I would say “We’ll set up a folder so the person can upload to our site.” We need to get our users to educate the people that they work with from third-party companies to do things a bit differently, and that’s where the problem lies.
To send files, our staff was resorting to clunky measures, like encrypting and sharing files via SD cards, USB drives, CD-Rs, email attachments and an assortment of unsecured web-based file sharing applications.
Q. In a day and age where IT can only address the top issues facing your business, what made this something that had to be dealt with?
Because we are regulated, we like to monitor everything that is going in and out of the business, especially confidential and financial data. We’re trying to work towards ISO 27,000 on compliance, which is what all of our information security policies are based around.
Q: What impact has Managed File Transfer had on your business?
I think what’s most important to someone in my position anyways is visibility of what’s coming and having the ability to monitor. It has given me a warm fuzzy feeling that I can see what’s going in and out of the company and I can monitor people’s usage of the solution. From an IT perspective, it is definitely a best practice to use a commercial MFT solution rather than rely on something based on open source.
More and more people are using it rather than resorting to “old-fashioned” and insecure methods of saving to disk or USB. Staff in legal, claims, development, and training departments use it quite a lot, and we use it extensively in the IT department.