Is FTP still a viable option for sending file transfers? While organizations across all industries have started shifting to secure FTP protocols like SFTP and FTPS, a surprising number of businesses still use FTP to transfer sensitive documents across internal and external networks. The search “how to use FTP” comes up with over 163 million results on Google, for example, versus only 29 million for the more secure “how to use secure FTP” search. Why? People are always on the lookout for free or open-source software that will help them do their job quickly and efficiently, and FTP is no exception.
While it may sound counterintuitive, FTP is a dying protocol. Created in the 1970s, FTP was only meant to be used during the early years of the internet—back when security concerns weren’t as prevalent and data breaches were almost non-existent. Almost 50 years have passed since 1970, but while much has changed, FTP has not kept up with modern security standards. It’s a cheap but terribly outdated option for organizations today.
Consider it this way: if you wouldn’t use an old, unsecure desktop computer from the 1970s to do your job, it’s probably safe to say you shouldn’t use FTP either.
The Negative Effects of FTP on Today’s Industries
Some professionals are aware that FTP isn’t ideal but don’t understand how dangerous it is. If you fall in this category, here are a few news articles on FTP you should read to help enlighten FTP’s risks.
2. 2018: MedEvolve exposes 205,000 patient records through a misconfigured FTP server. These records were not password protected.
3. 2017: FBI warns healthcare organizations to increase FTP server security. They state that “the FBI is aware of criminal actors who are actively targeting FTP servers.”
4. 2010: 43,000 names and SSNs of Yale affiliates are shared when Google starts to include FTP servers in its search results. This information was not encrypted.
Help Net Security also reports that, according to survey responses, 40% of organizations claim file sharing services like FTP sites have caused an employee-driven data breach.
Other FTP Considerations for IT Professionals
FTP isn’t authenticated:
When you send files over FTP, information like your user ID and password are sent as plain text. Files are sent “in the clear,” which means it’s not coded, scrambled, or protected in any way. Any information sent through FTP is extremely vulnerable to any hacker (or even others in your organization) who uses a packet tracer on your network.
Unfortunately, there’s no real way to circumvent this lack of FTP authentication. FTP cannot be propped up with crutches or temporarily patched. To improve the situation, you either need to use separate encryption software to secure your data or make the move to a secure FTP server and client.
FTP isn’t maintained or updated:
While organizations still opt to use FTP, this protocol was never intended to be used in 2019. Other file transfer protocols, like FTPS, SFTP, HTTPS, and AS2, have since been created to replace FTP and protect data in transit between recipients.
Even if you’re happy with FTP use, that’s often not enough to remain in line with business requirements. Many data security standards and regulations now expect organizations to use modern protocols when passing data to their trading partners and clients.
The Bottom Line of FTP Use
FTP is dying a slow death. Organizations are transitioning steadily to secure methods of file transfers in order to meet compliance requirements, trading partner requests, data security standards, and customer/public expectation. While FTP may be around for many more years, it’s always a good idea to avoid the temptation of free or open-source FTP tools and invest in a secure solution.