By Yair Knijn · June 25, 2025
Why IT directors fund managed file transfer after the breach, not before
The budget owner sees the line item, recognizes the number, and files governed file transfer under discretionary infrastructure. It works today. The scripts run, partners get their files, nobody is complaining. So the request slides to next cycle, then the one after. The logic holds for everything but the risk with no row in the spreadsheet: the cost of not having governed transfer, which sits at zero until the day it becomes a headline.
I have watched this deferral, and watched the same request clear approval in under a week once a comparable firm surfaced in a breach notification. The technical case never changed. The risk just acquired a number.
The MOVEit lesson: file transfer is a primary attack surface
In late May 2023 the Cl0p group started exploiting a zero-day in Progress MOVEit Transfer (CVE-2023-34362), a SQL injection flaw in the web front end. They did not encrypt anything for ransom; they pulled the data straight out of the transfer servers. Emsisoft's running tally a year later put the impact at thousands of organizations and tens of millions of individuals, across banking, insurance, pensions, and government.
Here is the part that should bother any budget owner. The victims were not careless, and they were not running a hand-rolled hack. They had a recognized commercial MFT product in production. The file-transfer layer was the attack surface, because that is where regulated data in motion concentrates. Treating it as plumbing is exactly the assumption the attacker is betting on.
Why "it still works" defeats the proactive budget request
A functioning legacy setup is the strongest argument against replacing it, and it is the wrong argument. SFTP on a hand-built server with cron jobs and a shared service account moves files reliably, right until someone asks who downloaded what, when, and whether the payload was altered in flight. Reliability and governance are not the same property. One is visible every day; the other stays invisible until an auditor, a regulator, or an attacker makes you produce it.
That gap is the trap. A proactive request competes with capacity, latency, and feature work, all of which carry measurable upside this quarter. Risk reduction offers only avoided downside, and that rarely finds a champion in the budget meeting.
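To make the governance gap concrete, here is an added example (not xEvolve code, and not anything the page's author wrote) of the two checks the SFTP-plus-cron setup above cannot answer: whether each payload arrived unaltered, and who sent what to whom and when. It publishes a per-file manifest with a keyed integrity tag alongside the files and turns verification into an audit record per file. Everything in it is constructed for illustration: the shared key, the actor and partner names, and the sample CSV payloads. It uses an HMAC as a stand-in; a real platform would sign the manifest with an asymmetric key so the receiver cannot forge it.

```python
"""Added example: per-file transfer manifest with an integrity tag and an
audit record. Standard library only, so it runs offline.
"""
import hashlib
import hmac
import json

# Assumption: both sides share this key out of band (constructed demo key).
# A production system would use a signature key pair instead of an HMAC.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def file_digest(data: bytes) -> str:
    """SHA-256 of a payload, the per-file fingerprint carried in the manifest."""
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver tag identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: dict, actor: str, partner: str, sent_at: str) -> dict:
    """Sender side: list every file with its digest, record who/whom/when,
    and tag the whole body so none of it can be changed in flight."""
    entries = [
        {"name": name, "size": len(data), "sha256": file_digest(data)}
        for name, data in sorted(files.items())
    ]
    body = {"actor": actor, "partner": partner, "sent_at": sent_at, "files": entries}
    tag = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_transfer(manifest: dict, received: dict) -> list:
    """Receiver side: check the manifest tag, then every file against it.
    Returns one audit record per file (plus one for any unlisted extra)."""
    body = manifest["body"]
    expected = hmac.new(SHARED_KEY, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        # Nothing in the body can be trusted, so no per-file verdicts.
        return [{"file": None, "status": "rejected", "reason": "manifest tag mismatch"}]

    base = {"actor": body["actor"], "partner": body["partner"], "sent_at": body["sent_at"]}
    listed = {e["name"]: e for e in body["files"]}
    records = []
    for name, entry in listed.items():
        data = received.get(name)
        if data is None:
            status, reason = "rejected", "missing"
        elif file_digest(data) != entry["sha256"]:
            status, reason = "rejected", "digest mismatch"  # altered in flight
        else:
            status, reason = "accepted", "ok"
        records.append({**base, "file": name, "status": status, "reason": reason})
    for name in sorted(received.keys() - listed.keys()):
        # A file nobody declared is as suspicious as one that changed.
        records.append({**base, "file": name, "status": "rejected", "reason": "not in manifest"})
    return records


if __name__ == "__main__":
    # Constructed sample payloads for a batch to a partner.
    outbound = {"claims.csv": b"id,amount\n1,200\n", "policies.csv": b"pid\nA1\n"}
    manifest = build_manifest(outbound, "svc-claims", "acme-insurance", "2025-06-25T09:00:00Z")
    # Simulate one file altered between sender and receiver.
    inbound = dict(outbound, **{"claims.csv": b"id,amount\n1,900\n"})
    for rec in verify_transfer(manifest, inbound):
        print(json.dumps(rec))
```

Each record names the actor, the partner, the timestamp, and the verdict, which is the row an auditor asks for. The HMAC also covers the actor field, so a manifest whose sender name is edited after the fact is rejected outright rather than producing misleading per-file results.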
Pricing the breach: notification, fines, lost regulated deals
When the cost finally lands, it arrives in stacked layers, not a single figure:
- Notification and credit monitoring per affected individual, which scales brutally when one server holds millions of records.
- Regulatory exposure under GDPR (fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher) and disclosure clocks like the SEC's rule requiring a Form 8-K within four business days of determining that an incident is material.
- Settlements, already landing from MOVEit litigation, with banks and processors agreeing to seven-figure class-action payouts.
- Lost regulated deals, the quietest line of all. A buyer in healthcare, finance, or automotive asks for an audit trail you cannot produce, and moves on. That revenue never shows up as a breach cost because it was never booked.
Put any honest version of that stack next to the annual cost of a governed platform. The platform wins on price, and it is not close.
Making the case before the incident
You will not win this with a threat model the budget owner cannot price. You win it by naming the peer. Pull the breach notifications in your own sector, point at the firm running the same ungoverned transfer pattern you run, and set their settlement figure beside your platform quote. Not fear. A sector-specific number a finance owner can defend to the board.
Do that work before the incident. The post-incident version of the conversation costs far more, and you no longer own the timeline. With xEvolve, every partner connection lives in one governed Environment with signed transfers, per-file audit, and access you can attest to, so the answer to "who moved what" exists before anyone thinks to ask. See how that maps to your obligations on the security page.