Jump to content

We use Sharefile. Any other options?


Recommended Posts

We use Sharefile and I suppose it is OK, but it is too complicated for a lot of our clients and I presume there must be a better option out there.  I'm curious if anyone uses a different system. Sharefile is integrated with Outlook so we can easily encrypt our attachments, AND our clients can upload files directly to our own personal in box.

But the password thing is clunky, clients always forget their passwords, etc. Anythng better out there?

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

Thats the Office 365 one. It is brilliant.  You can either sign in or get a one time code sent that is valid for I believe 10 minutes or something.  The problem as you suggested is they have to find an early secure email from you be able to get back in and send something encrypted. Sharefile allows you to upload files through the use of a simple link that we can include in our email signatures (so our clients need only find the last email we sent them).

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

We use PensionPro and most of our clients manage to submit their annual data collection and other sensitive through it with no trouble.

Gmail has confidential mode which helps with sending sensitive data if you are on G Suite, receiving not so much.

I have one client who has added me to their Dropbox and uses that to send me files.

Worst case, I will tell clients to password protect their Excel file and send it over regular email. It's not perfect, but better than nothing.

Free advice is worth what you paid for it. Do not rely on the information provided in this post for any purpose, including (but not limited to): tax planning, compliance with ERISA or the IRC, investing or other forms of fortune-telling, bird identification, relationship advice, or spiritual guidance.

Corey B. Zeller, MSEA, CPC, QPA, QKA
Preferred Pension Planning Corp.
corey@pppc.co

Link to comment
Share on other sites

2 minutes ago, EMoney said:

We use Sharefile but don't have it set up to require client passwords. Maybe that is something in the settings? The recipient only has to enter their first name and last name.

I can;t figure out why that's even an option.  Anyone with the email can access the files.  I strongly recommend you require the passwords to open.  The email (and thus the key to vault since the email itself includes the credentials (aka their name)) is traveling unencrypted all over the place and can easily be snagged in transit.  Maybe its ok for internal financil documents or soemthing, but definitely not for SS#'s and DOB's.  I'll bet if you asked Sharefile they would say the same thing I am.  

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

17 hours ago, austin3515 said:

I can;t figure out why that's even an option. 

Its because secure file transfer and restricted file access are not the same thing.  At a VERY basic level, when you send data over the internet without a secure connection, it is like passing an open letter hand to hand until it gets to the end recipient.  Someone could access that letter at any point until it reaches the end recipient.  A secure file transfer uses algorithms to scramble what is in the letter, so that the data is useless even if accessed before it reaches the end recipient.  It doesn't restrict who can access it at its end point, but it is secure from point A to point B.  

 

 

Link to comment
Share on other sites

I was speaking in very general terms, but the answer is probably no if you want to restrict access of the document to specific people rather than just the recipient. What I am saying is that it is enough to protect your data from point A to point B, but it is not enough to restrict who can see it at point B (or that you sent it to the correct point B).  From an IT security standpoint, sending a password protected file without some sort of secure file transfer system, is not enough to consider it secure or safe. Getting around passwords is easy, getting around encryption is not easy.

 

 

 

Link to comment
Share on other sites

I dont undertand though.  Between point A and point b the email istelf is on a dozen different servers and travelling over "public" lines.  Anyone can snag the email in transit.  In other words, if what you were saying was true, and email could not be snagged in transit, why would we need encryption at all?  You would never send an Excel file unencrypted in any way right?  Isn;t that because it might be captured in transit?  If it can be captured in transit so to can the email (which includes the combination to the lock?).

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

13 hours ago, austin3515 said:

I dont undertand though.  Between point A and point b the email istelf is on a dozen different servers and travelling over "public" lines.  Anyone can snag the email in transit.  In other words, if what you were saying was true, and email could not be snagged in transit, why would we need encryption at all?  You would never send an Excel file unencrypted in any way right?  Isn;t that because it might be captured in transit?  If it can be captured in transit so to can the email (which includes the combination to the lock?).

Obviously things will vary depending on the system.  On a very basic level, when something is sent encrypted, the data still travels the same way it would without encryption, but it is useless until decrypted.  Encryption does not prevent it from being captured in transit, but what is captured would be of no value.  Encryption is more important than password protection, but that doesn't mean that you shouldn't use passwords.  Passwords are great for controlling access at the end user.  For example, the client might not want everyone in their office to access the file, and it is unlikely that Betty in AP will try jump through hoops to break the password for one of Steve's files in HR.  Passwords are not great for securely transmitting data.  If I send a password protected file unencrypted, chances are very good that if someone has the ability to intercept it in transit they also have the ability to backdoor an excel password.  If it is worth password protecting, it should absolutely be sent with encryption.

If I send an encrypted message with a link to john.doe@ABCcorp for a file download, that link will not be accessible to anyone except for those with access to the john.doe account.  If intercepted, it will just be scrambled data. 

 

 

Link to comment
Share on other sites

10 minutes ago, RatherBeGolfing said:

but it is useless until decrypted.  Encryption does not prevent it from being captured in transit, but what is captured would be of no value. 

Why would it be of no value?  The link is in hand, and the credentisals are in hand?  This is akin to locking a deadbolt but leaving the key in the keyhole?  You agree that if it was snagged in transit, then anyone (including a hacker in North Africa) can access whatever is "encrypted"?  All they need is the name or email address, and that is already in the email.  Whatsmore, when you click the link it will say "Please enter your email address" so it's not even like they have to be clever about trying to solve a puzzle.

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

9 minutes ago, austin3515 said:

Why would it be of no value?  The link is in hand, and the credentisals are in hand?  

You are missing the point.  If the link and credentials are sent through an encrypted message, only the recipient actually see the link and credentials.  The encrypted message would just be scrambled data to anyone else.

Now, if you send the message with the link and credentials unencrypted, then I agree with your assessment unless there are other things at play

 

 

Link to comment
Share on other sites

To be more precise:

  • Sharefile has an option where  you can "encrypt" a file and it is replaced with a link to their servers.
  • When the user receives the email with the link, they click the link and are brought to a page that says "Please enter your email address to decrypt this file." .
  • The message itself is NOT encrypted.  It is traveling over normal email pathways.
  • Anyone who can access the email itself can unencrypt the file because the credentials are contained within the body of the email, and again, if anyone clicked the link it would say "enter your email to decrypt." No "hacking" required. 
  • This is literally no different then sending an email with a password protected spreadsheet, and then in the body of the email tell the recipient what the password is.

So are we on the same page that this is not adequate for SS#'s? This is what EMoney is doing (I know this because I use Sharefile with lots of other firms too and have accessed files using this "email validation" method).

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

If that is it, I agree it is not adequate.  A simple link access sounds more like a large file transfer solution than secure transfer.

I'm not super familiar with sharefile, but I think they have an email encryption feature as well don't they?

Our IT department has us set up with a program that works two ways.  We can put secure in the subject line which trigger encryption protocol.  The software automatically scans our emails and attachments for things that indicate sensitive information (like SSNs) and applies the encryption protocol regardless of "secure" in the subject line.  It is compliant with FINRA, HIIPA, and a bunch of other stuff (I'm not IT I just try to pay attention when they explain things).

 

 

 

Link to comment
Share on other sites

3 hours ago, austin3515 said:

To be more precise:

  • Sharefile has an option where  you can "encrypt" a file and it is replaced with a link to their servers.
  • When the user receives the email with the link, they click the link and are brought to a page that says "Please enter your email address to decrypt this file." .
  • The message itself is NOT encrypted.  It is traveling over normal email pathways.
  • Anyone who can access the email itself can unencrypt the file because the credentials are contained within the body of the email, and again, if anyone clicked the link it would say "enter your email to decrypt." No "hacking" required. 
  • This is literally no different then sending an email with a password protected spreadsheet, and then in the body of the email tell the recipient what the password is.

So are we on the same page that this is not adequate for SS#'s? This is what EMoney is doing (I know this because I use Sharefile with lots of other firms too and have accessed files using this "email validation" method).

Oddly, I just has a version of this conversation here.  We use Sharefile.    To prove to myself there was a gap I did the following. 

1) I took an e-mail a co-worker had sent to a client with a distribution form and had cc my work e-mail address and forwarded it to one of my personal e-mail addresses.

2) To be very clear I am now working from an e-mail address that was not listed on the original e-mail.  I was using a computer that is not a work computer.   Sharefile asked me for my name.  I gave as a first name:  identity as last name: thief

3) Sharefile allowed me to see and download the distribution form.  At this point I would try and ask for the distribution claiming I moved and put a new address on the form. 

 

Yes, I have brought this to the attention of my IT people and management. 

 

I think this is what you are saying is your problem.  While the whole thing might be encrypted while being transmitted once someone gets the e-mail it doesn't seem to do anything to determine if you OUGHT to be allowed to open the attached file. 

It is my understanding there is a setting on sharefile that makes a person set up an account and only the account holder can access the e -mail and attachments  But it is a setting you have to set.  

Link to comment
Share on other sites

12 minutes ago, ESOP Guy said:

It is my understanding there is a setting on sharefile that makes a person set up an account and only the account holder can access the e -mail and attachments  But it is a setting you have to set. 

Yes, it is a global setting so it can be enforced on an organization basis.  The checkbox on the local software is disabled so the "require recipients to login" is checked and cannot be unchecked.

Austin Powers, CPA, QPA, ERPA

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...