The Transfer Files Podcast Episode 1

Managed File Transfer 101: Industries, Security Challenges and Key Insights

Welcome to the very first episode of The Transfer Files, the new tech podcast from Pro2col exploring the world of secure file transfer.

Hosted by Pro2col’s CEO James Lewis, and Marketing Manager Steph Johnson, this very first episode dives into the fundamentals of Managed File Transfer (MFT) - what it is, why organisations need it, and how it enables businesses to move data securely and efficiently.

They’re joined by Richard Auger, Principal Technical Consultant at Pro2col, who brings years of hands-on expertise helping organisations modernise their file transfer infrastructure.

The conversation explores the common triggers that start businesses on their MFT journey. They share real-world use cases, practical insights, security challenges – from bad actors and shadow IT – and the risks of ignoring outdated infrastructure, along with clear signs IT leaders should look out for inside their organisations.

Whether you’re new to file transfer solutions or looking to modernise legacy systems, episode one provides a clear, practical introduction to how MFT can reduce risk, improve visibility, and strengthen data governance.


Episode Transcript 

Hello and welcome to the first episode of the Transfer Files, the podcast where we talk all things file transfer, security, automation, and more. In today's episode, I'll be joined by James Lewis and special guest Richard Auger for an introduction to MFT. Who's using it, how they're using it, and where they think MFT is heading. Whether you're a newcomer to the space or a seasoned software engineer, this episode is for you. Enjoy.

Welcome to the podcast, James and Richard.

Thanks, Steph. Great start.

How are you?

Very good. Very good. Looking forward to approaching some interesting topics today. We've got some great guests as well.

We do.

Some part of the team, but some great guests and some interesting things to dive into.

And how are you, Richard?

I'm very well, thanks. Nice to be here.

Good. Glad to hear it. Now, before we get into today's topic, which is obviously an introduction to MFT, I wondered if for the audience you can both introduce yourselves a little bit, how you have landed in the world of MFT and a little bit about your history. James, I'll start with you.

Sure. OK, so let's go way back then. So I came to Bournemouth University in 93, graduated in 97. The prospect of going home to live with my parents and teenage sisters didn't fill me with a lot of joy. Sorry if you're listening to this. So I decided to stay in Bournemouth. I ended up working for a file transfer company, this is pre-internet, who were moving data over ISDN connections and over leased lines. And I guess I caught the bug at that point. So when that business closed down, I set up a sort of protocol initially to service those customers that had used that technology previously and did that for a number of years and ended up distributing another product from Germany and that company went into administration. So we bought that software, ran a business in Germany for five years, which was an interesting segue from running a business in the UK. But running a business and having your own physical appliance, a 2U server and a 1U server, wasn't much fun for me. Going up and down the country in a car, replacing power supply units and heat sinks and hard drives was just not what I wanted to do. Moving on to where we are today, we had a lot of customers come to us and say, we're interested in your product. And we sort of were in a situation where it didn't do a lot of things. It was a bit basic. So that's where we ended up starting to work with some of the larger managed file transfer vendors. So we were generating opportunities ourselves, moving them onto different platforms. And that really started the journey of us specialising in managed file transfer. I guess that's, yeah, I guess that's how I landed in the space.

And how about yourself, Richard?

Well, I've been working mainframe security for a few years, and I was headhunted for a position in Switzerland in a multinational. From working in mainframe security for them, I started with some basic file transfer, a lot of middleware, and then we realised that there was a real requirement for a managed file transfer system. After trying a couple of products, we settled on one, and I worked with it for several years, then relocated to Australia, where after, I think, nine years in Australia, I worked as a consultant for advising on managed file transfer. And then decided to come back to the UK where I joined James and have been there ever since.

And here you are today. Did either of you ever think you'd end up on a podcast?

No, not really.

Not really.

Here we are. Well, I don't think I could be in better company than to talk about today's episode, which is obviously an introduction to managed file transfer. Now, for my benefit and for someone completely new to this space, James, could you tell us what is managed file transfer and what makes it different from, and I know you're going to love this, sending files via email or over WeTransfer or something like Dropbox?

So all technologies have their place. It really depends upon what an organisation wants to do from the point of view of primarily security. So the platforms that we specialise in ensure that an organisation knows where the data is, knows where it's been to or come from, and that it is secure, what protocols it's been delivered via. So the difference when you're looking at something like a WeTransfer or an email attachment, an email attachment is terrible and anybody's sending email attachments and we'll talk about use cases a little bit later, but there was a certain government department was sending rather large and sensitive data sets via email attachments until we spoke to them. So email attachments are a non-starter. WeTransfer it's fine if unless you're groups of people, it doesn't really work from a GDPR perspective due to being a single nature solution. So really, really where we are, it's a technology that's used by an increasingly large number of organisations and architecturally, in its basics, it has a client and a server. The server is the bit that lands the files. So it could be if you're from a comparison perspective, people work with ShareFile. Sorry, SharePoint, not ShareFile. And it's a file repository. So you pick files up from it and you upload files to it. So think about that as the server. The client is really the automation piece. That's the brains of the solution, which enables the movement of data inside and outside an organisation. And managed file transfer platforms have evolved a little bit over the years. And they're creating almost a bit of a spider's web inside an organisation. So they have things called agents now that enable movement of data around a much broader network both inside and outside of the organisation and they have gateways to secure the perimeter and I know one of the other episodes we'll be talking specifically around security and zero trust and that sort of stuff.
So yeah, it's more of a tool for businesses to secure file exchanges primarily with their supply chain but also around their organisation, around the enterprise as well.

Interesting. And you obviously mentioned organisations and you touched upon compliance and GDPR and things like that. In terms of organisations, who is using MFT? What businesses are using it? And obviously, Richard, you're in the day to day of speaking to customers. I don't know if you have real use cases of different industries and how they're using it, but yeah, I mean, who's using?

So industries.

Yeah, industries. Who's using it?

Everybody. Everybody. So whilst we're quite niche in terms of the technology stack we take to market and we specialise in, the number of organisations or the industry sectors within which they work is extremely broad, whether it's utilities, whether it's sort of rail network providers, whether it's banks, you know, you name it, we are providing solutions and services to those organisations and where businesses need to comply with certain regulations, whether it's HIPAA from the States, which impacts some of our healthcare providers, or PCI DSS or DORA in financial services. All of those regulations impact how organisations need to treat and move data. So a lot of our solutions aid that compliance piece.

Interesting. Do you have anything to add Richard about those use cases?

Yeah, so one of the, I think one of the key things that starts people off on a journey into MFT is when they actually realise that they've got this uncontrolled mass of file transfers inside their organisation. So we quite often see customers will have a file transfer system, not a managed file transfer system, but just a file transfer system. And there might be multiple transfers going on inside their networks that they're just unaware of. These things, they tend to slip through the cracks. So we move into some of these enterprise spaces and we help people look at what they're doing. And we see any organisation needs to talk to every other organisation all the way through. So we'll see supply chain, we'll see retail, we'll see manufacturing. They all move the files from one place to another. And you know, you can. If I go back to James talking about client and server, if you consider a good analogy is a library, a public library and think about a file transfer system as being the library itself, it's full of books. You go to the library, you authenticate yourself at the library, you've got your library card and you go and take some books out or you put some books in, it's one thing or the other. That's the whole server side of it and that's existing in just about every organisation that we deal with. We all upload a file to another company for something, even if it's something simple as a photograph of your car after an accident, you're still uploading it into the insurance company. Then we have the other side of the library analogy, which is the client side, the whole automation piece of it. And this is becoming critical for so many companies now that they can actually track what's happening with their files when they move them. If you... If you think about the library, how do we get the books to the library? Well, we're taking them in the car or on the bicycle. 
Even when they get to the library, how do they move around and the books go on the trolley and get pushed here and there? As far as relating that to a real world use case, think about paying your staff, something as simple as that. You can't just go to a system, click a button and upload staff member A's bank details and payment details and then B and C and D and do all of this for thousands of employees. So we see people submitting a file containing all of the payment information they need to do maybe multiple times in a day or a week or a month and then having to consider the security of that transmission of that file. And that's where the automation piece is coming in the whole client side of the operation. But yeah, it's just into every aspect of modern business is MFT.

Interesting and you don't think about that as someone outside of this space you probably don't think twice about how often you're sending things anywhere.

I guess it's little known and this could be equally levelled at lots of different technologies that organisations use but it's little known how integral the movement of data is inside an organisation for their operation. So we work with a rail operator who is capturing data as people pay for tickets on the train. When they turn up to the station, they pull in, this system that they've got connects to the Wi-Fi. It moves the data from the train to a centralised point and then it backports it to the train operator. And when they've got that data there, then they know how many people have been on the trains, which means they can adjust the pricing, or they can adjust how many carriages that they're going to send out with the next train or maybe even the next day or the next week, they start to build up profiles based upon that data. We have customers such as organisations that operate the North Sea oil rigs. Now these things are seen as critical infrastructure. They have lots of little devices on there for measuring movement and tolerance and all these sorts of things. I can't remember the name of them, meters of some sort. And all that data gets backhauled from the North Sea oil rig. Some people don't know. Well, in fact, I didn't know until we were speaking to them is they've got a 50 meg leased line connection running along the seabed going back to the mainland, moving that data from those rigs back to the mainland where they process that information to make sure that the oil rigs are working within the tolerances that they should be. And then other examples, you know, we work with some of the largest online retailers, probably the largest online retailer in the UK.
All of the transactions that come through the website from an e-commerce perspective are moved through our systems to the warehouse management systems where they then decide which stock is going to be delivered to the person who's placed an order for a lamp or a pair of slippers or whatever else it is that they'd like to.

It's interesting you talk about the oil rig one because in that particular use case they have a layered environment and each zone is handled separately. So the data lands into zone A and then it has to move to B, to C, to D. And I think there were in that case four different zones that the data was going through. So the whole automation piece becomes very complicated. And it's very secure. And that leads on to what is becoming, I think, more important for us now, or more common for us, which is laboratories. So in a laboratory environment, you tend to have an operational layer and an information layer, and the two aren't allowed to talk. So people can't go to the operational layer and get data and move it in. It has to be controlled. And some of the people that we talk to that are only just automating this now, they're still using thumb drives. They're still putting files onto a USB drive in one layer to transfer it to another. And in some cases, that is very much a security aspect.

I guess it's safe depending upon who's walking around with the USB drive. I remember we went to an organisation who remained nameless, a large satellite provider in the, a global satellite provider based in London and they had a similar situation. They had their network operating centre, their business and then the user side of the business and never the two meet. They are entirely separate networks but they needed to get data between them and they needed a mechanism for doing it. So I think the tools that we've got, going back to the architecture side, they are structured by two main pieces. You've got the server that has the files, then you've got the automation. The automation is becoming more and more complex in terms of what it will do. But I mean, I know that one of the things we were going to talk about was replacing homegrown scripts. We have a variety of customers that come to us tearing their hair out. I remember one council that one Friday, a homegrown script was supposed to have run that was actually come back to the banking situation to take a file, send it to the bank so that every supplier and employee, I think it was employees, I'm just going to run with suppliers for the minute, but the suppliers were to be paid over the weekend. And the first, the finance director didn't know that this file had run as the IT director, who'd been lambasted by quite a lot of suppliers. No, in fact, sorry, it was the other way around. The IT director didn't know that the script hadn't run. But the finance director was getting slammed by all the suppliers who had not been paid. He walks into the IT director's office and has a little chat with him and said, you need to sort something out. And within a week, we'd put a new system in for them, or maybe two weeks and address that problem. Security is hugely important.
And it's important not just to think about replacing these sort of homegrown scripts to try to improve that security posture and that almost guaranteed delivery, but it's also important that we make sure that the systems that are in place are up to date. I mean, I know we had one situation late on a Friday where a rather large financial organisation called us and the operation director was a little concerned that Visa had blocked them from transacting any information with them because their ciphers were out of date. Basically meaning that the security posture of the system that they had wasn't up to speed and Visa had probably mentioned to them a few times, you need to get this sorted. And they hadn't done and Visa just cut them off. As a financial organisation, not being able to transact through Visa, pretty big deal. Yeah, lots of different use cases, lots of different industries, lots of different things we streamline and automate and provide visibility into, I guess.

Yeah. And I guess this ties in nicely to my next question is, what are maybe some other signs that businesses who may be listening or watching this that think they don't have a secure file transfer solution in place and are like, oh, I should, I should probably think about it. What are some signs within an organisation that IT team leaders need to be considering?

No, really that starts off with, when they have an audit, you audit somebody and they can't actually tell you what files they're sending or even who's receiving those files or whether they were received, then that's the first place that we see it. People will have, as I said earlier, they'll have a big network with file transfer solutions, basic file transfer solutions, even maybe insecure file transfers happening around the network. And they need to get away from it because you can't run in a sustained manner any organisation if you're producing data but you don't know what happens afterwards. That's the first bit that we see really.

I think a challenge is that a lot of organisations have grown organically or through acquisition over a period of time and they end up with a vast array of technology. There are instances where we talk to organisations that have multiple file transfer tools. But to go back to your point, when do they really realise? More often than not, it would be at the point at which they had an audit, but a lot of organisations don't know to get an audit. So if you're watching this podcast, probably get an audit. And there are some great tools out there to assess and sweep a network and just work out what's in place. But the biggest problem is as soon as you've been breached as an organisation, your hacker is going to be looking to move around the organisation to be able to bits of data. More often than not, and come back to Richard's point, more often than not, organisations don't know what data is moving around their business. They might know a little bit about what's coming in and going out. But more often than not, they don't know what scripts are moving data, whether they have insecure FTP servers or IIS servers or something like that running to move data around. Those are just perfect targets for hackers. And at that point, if they're in the network, that's a problem. If your infrastructure internally isn't secured, you're in a world of pain.

Yeah. And I mean, in a lot of cases, especially recent news stories you've heard about hackers, sometimes they get into the system and they could be in your system for months before you even know.

Yeah. And longer.

Yeah. It's a very real risk. It can happen. You know, another risk that you have, apart from somebody hacking into your network and stealing or corrupting or whatever is it's human nature that we try and make something work for as long as possible before we take the plunge and spend some money on something new. And the number of times that we go into an organisation and there will be one programmer or developer that has written scripts, loads and loads and loads of scripts that are moving all the files, taking care of all these automation jobs and tasks and what have you, and then he gets hit by a bus. It's a bad example, but you know, if it's a broken leg, he's not going to, he's not going to be looking after the scripts and nobody else knows how it works. Because when we have this whole ad hoc thrown together script, it does the business, it does the movement, doesn't necessarily report on it, doesn't log it in the way that you might expect. And it makes it a problem for whoever's got to pick up the pieces afterwards when, you know, it goes wrong or somebody questions something. And it also shows the ownership as well with the ownership of that data when it flies through the system. So these are all things that we look at that people say, oh yeah, I need to invest in MFT because risk, ownership, visibility, transparency.

And at that point, when they look at investing in MFT, typically it's to fix a problem that they found. It's typically a tactical solution or a band aid for a problem that they're aware of, rather than they are going to take a strategic position on this. And the reason that a strategic position is much more important is because there's a number of things in play there. You need to have a longer term view from a security standpoint as to what you're looking to do with regards to the data that's moving into and out of your business for starters. And two, coming back to the point with regards to proliferation of tools around the business, whether they're the likes of WeTransfer or Dropbox or those sorts of things. That aside, organisations typically have multiple systems that are being used for moving data in and out and that presents a real problem from a point of view of information security and a single pane of glass view of what the situation is with regards to data going in and out of that business. CIOs, IT directors and even enterprise architects just haven't got a clue a lot of the time. So our posture on this, I guess, is, you don't just look at this as a tactical problem. Try to have a look at a longer term or strategic view, whether that's, you know, hybrid deployment as well, because a lot of organisations are moving things to the cloud or have moved things to the cloud, but they still have deployments on premises. But the key thing really for me is making sure that they potentially do an audit, whether that's with us or somebody else, but they look at consolidating what they've got into a single solution so that they have a proper view of what's going in and out of the business. And if there are organisations, shameless plug, if there are organisations that have an MFT solution, have a look at our enterprise maturity model because that's going to give them a view as to how they can evolve it to become a more strategic solution for their business.

And we do have an episode planned in for that.

We do indeed. Looking forward to dragging David in of camera.

Just going into the solution a little bit more then, are we able to talk to what is actually under the hood of a typical solution? You've mentioned automation. What else is there that, what features do they offer to companies?

So if I go back to that library analogy, when we talk about the difference between the client and the server, and of course I mentioned with the library side of it, with the server side, you will authenticate when you go to a library, you show them your pass, your library ticket. Inside an MFT solution, the first thing we have to think about is security. So everything has to be authenticated and we need to be able to see everything that's happened as well. So inside the MFT system, we have to have a user database. Okay. And then we can track actions inside the MFT system to that user database. Now the user database, for the authentication aspect of it, it might be backed off to an external authentication source. Commonly nowadays, it's Active Directory is looking after most things for us. Doesn't have to be, could be something else as well. And we do that in a variety of ways. So your secure MFT system has to be able to provide the user database, the way for users to authenticate themselves, whether it's directly through LDAP, through SAML for doing a secure single sign-on. And then it has to be able to give those users permissions to whatever they need to see inside the system, but no more than they need to be able to see. So we look at people's home directories and how we deliver that kind of configuration to the system as part of its core function. Then you have the client side of it. And this was, you might remember how we get to the library, how we move the books around in the library on the trolley. Client side in olden days, back in early days, it would have just picked up a file from point A and delivered it to point B. So now it's doing a lot more and under the hood, as you say, we have to think about encrypting those files. So we need to look after the key management side of the transfers as well.
It's no good just saying, I can encrypt my file and send it because anybody can do that, but I have to select the right keys to manage the expiry of those keys, when are they going to turn up? I need a warning weeks in advance of the expiry so that I can prepare for them. The files that we send might also need to be compressed, so we need to be able to do that inside our workflows as part of the automation side of things. Or in reverse, maybe we need to decompress them so that we can take the files out of a zip archive and treat them individually. We might be interacting with databases nowadays. That's very common to go and pull data directly from a database as part of the MFT system and then take the resulting data sets that we've pulled from a database and turn those into files ready to send off to whoever needs to do that. We also break down, commonly it's batch that we look at, it's computers to computers, but we also break down into computers to people or people to computers as well, one way or the other. So we look at a whole ad hoc transfer piece as well. Because no matter what business you're in, even if you've got everything tied down to a series of perfect batch flows, there will always be the odd requests. Somebody says, I need to be able to send this file to XYZ company, send it to Bob at Bob's spare parts, and it must get there by dinner time. So you can set these things up so that your end users or selected end users can have the ability to transfer that. And this all becomes part of the functionality that we see inside an MFT system. It's pretty much all of them will provide to some extent or another now. Mostly speaking, all of the MFT systems or broadly speaking, they provide the same sort of functionality, sometimes in a different way. Sometimes one will work better than another one in some use cases.
But yeah, we look at in the automation, the encryption, the compression, the interaction with other systems, including, I don't know, I mentioned database, but perhaps also data leak prevention and so on. But there's a whole host of bits and pieces that are inside the system and probably more than most people will ever use, to be honest with you. They tend to be toolboxes for everything you want.

Anything to add to that, James?

Well, I guess it's the increasing number of endpoints that we talk to, I think is one of the interesting things. So in our tenure in working with managed file transfer, we just used to move files around in quite a basic manner. But now organisations need to move things to all various different cloud storage, S3, Azure, Cloud, whichever it is, various other versions. But there's also then integration with SaaS platforms, so people needing to move payroll data or HR data into different payroll systems, HR systems. And the list goes on, there are hundreds and hundreds of different platforms that are connected to now. But of course, it's not entirely just about the systems that we talk to, but increasingly, it's the number of systems that talk to us as well. So we might be possibly the last step in a process. There might be something that's taking place inside an organisation. And then an API call comes out to us to say, take this data that's dropped in here and move it to another organisation in the supply chain. So lots of different ways in which, I guess, file transfers are triggered, but also the endpoints that we can talk to. And I think the evolution of sort of a final point, I guess the evolution of MFT is continuing. So in our time, so Richard talks about ad hoc, which is to all intents and purposes, a bit of a grand version of WeTransfer. Obviously much more secure. But it provides that sort of similar type of functionality. So we've got a person to person piece, we've got the server to server, the computer computer configuration. But as we look to the future, there's an awful lot coming down the pipe. Richard and I were talking a little bit earlier reminded me about the large files that we're moving now. There's that integration with UDP types of technology for shifting large volumes of data, which might not typically carry so well over a TCP based protocol like FTP or HTTPS, that sort of thing. 
But we're also looking with some interest in how things like AI or machine learning is going to impact the industry and there are already some moves towards quantum and quantum encryption and how we can be quantum ready so that when quantum computing becomes financially viable, the data or the systems and the way in which they're talking to one another can still remain secure. So that's all going to be very interesting things to think about in the future.

An exciting future. You kind of beat my next question, which was going to ask about the future.

I know. Sorry about that! 

It's okay. So I guess one, one final question for you both is someone watching or listening to this, what is one key takeaway that they should take away with them? Whether they may not have a solution installed within the industry or organisation, I should say, but what's one key takeaway that they should take away from this episode?

You want to go first?

I'd go with control. Okay. And it's, it's a check to make sure that you know what's happening with your data in your file transfer systems and you have the ability to keep control and take control of your transfers. We mentioned WeTransfer a couple of times in here. When your end users get to the point where they can't make use of your file transfer system and they start to just go and find some freeware or a service that's available on the internet that they can access, then you start to lose that degree of control. And at that point, all is lost.

I was going to say much the same thing, actually, but from an audit perspective, trying to ensure that you have a very clear view of what it is that you've got inside your business in terms of, and I was thinking more, more with regards to internal file transfers and securing your internal systems for moving data around. But interestingly, and maybe something to more or less finish on, one organisation that I was talking to about their other MFT situation. I had a meeting before with Dropbox. We started down the path of becoming a Dropbox partner. And very interestingly, I went in to see part of their network operating centre, which was incredible. And this was a good few years ago, and they, I explained to them who I was going to see in my next meeting. They said, oh, well, that's quite interesting. Let's just pull up on our platform, see how many of this particular very large internationally renowned publisher, what they have on our platform. And they had some paid users. So they were aware of some of their internal users that were using this particular platform, but they had over 500 that were using internal corporate email addresses for moving data around. And Dropbox had in their platform eight terabytes of data under Dropbox terms and conditions that data was theirs because it wasn't a paid for account. Interestingly, when I went to see this internationally renowned publisher, they said they didn't care. I was flabbergasted, but there you go. That's another story for another day.

Interesting. That was some great insights there. Thank you both. You'll be pleased to know you've made it to the end of episode one. Will you come back, Richard, if we invite you back for future episodes?

I could be convinced. Yes. Maybe.

Well, thank you to you both.

Thank you, Steph.

Thank you. And of course, a big thank you to our listeners and our watchers. Thank you so much for tuning in today. If you enjoyed the discussions and want to talk about your own MFT setup, please don't hesitate to reach out to our team. I will make sure that we leave our contact details in the notes below. Thank you again, and we'll see you in the next episode.