There’s an old systems programmer rule that’s been passed down through generations: “If it’s working, leave it alone.”
It’s practical wisdom. Why risk breaking something that’s been running smoothly for years? This mindset has kept mainframe environments stable and reliable for decades. But when it comes to FTP on z/OS, following this rule isn’t just outdated; it’s expensive.
The Comfortable Lie We Tell Ourselves
FTP is everywhere in enterprise mainframe environments. It’s been there since the 1970s, pre-installed on virtually every platform, with a simple command structure that everyone understands. Your batch jobs use it. Your partners expect it. Your applications were built around it.
“It just works,” we tell ourselves.
But let’s be honest about what “working” actually means in 2026. Yes, your files are transferring. Yes, your jobs are completing. But working and being secure are not the same thing. And the gap between those two states is where the real costs hide.
The Math That Keeps CISOs Up at Night
Let’s talk numbers. According to IBM’s 2025 Cost of a Data Breach Report, the average cost of a data breach is $4.44 million. For organizations in heavily regulated industries such as healthcare and financial services, that number climbs even higher.
Now consider what FTP actually does, or, more accurately, what it doesn’t do:
- It transmits your data in plain text
- It sends passwords without encryption
- It provides no protection against man-in-the-middle attacks
- It offers no data integrity verification
- It leaves no comprehensive audit trail
Every FTP transfer is essentially broadcasting your sensitive data in the clear. If you think your internal network is safe enough, consider that 83% of organizations reported experiencing insider threats in 2024.
The Real Costs You’re Already Paying
Let’s break down the hidden expenses of maintaining FTP:
1. Compliance Penalties (The Big One)
PCI DSS explicitly requires the encryption of cardholder data in transit. HIPAA demands safeguards for protected health information in transit. SOX mandates secure financial data handling. GDPR insists on data protection during transfer.
Using unencrypted FTP violates these standards. The penalties aren’t theoretical:
- PCI DSS violations: $5,000-$100,000 per month until resolved
- HIPAA violations: $100-$50,000 per violation, up to $1.5 million annually
- GDPR fines: Up to 4% of annual global revenue
One compliance penalty can dwarf your entire IT budget for a year.
2. The Audit Scramble
How many FTP transfers happen on your mainframe today? This week? This month?
If you can’t answer immediately, you’re not alone. Most organizations have zero visibility into their FTP traffic. When auditors ask (and they will), the scramble begins: emergency reports, manual log reviews, educated guesses.
The cost isn’t just the staff hours spent reconstructing history. It’s the findings in the audit report, the remediation plans you’re forced to write, and the additional scrutiny you’ll face in the next audit cycle.
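The two gaps above, credentials crossing the wire in the clear and no ready answer to “how many transfers happened today?”, can be made concrete with a small inventory script. This is an added example, not SDS code or a real z/OS FTP server trace format: the log layout and every record in it are constructed for illustration, and a session is treated as clear-text when PASS is sent before any AUTH TLS/SSL negotiation.

```python
"""Inventory clear-text FTP activity from a constructed, simplified session log.

Assumed line format for this example (not the z/OS FTP server's real log or SMF layout):
  <timestamp> <client-ip> <session-id> <FTP command> [argument]
"""
import re
from collections import Counter

# Constructed sample: s1 and s3 log in with a clear-text password; s2 negotiates TLS first.
SAMPLE_LOG = """\
2026-01-12T08:01:03Z 10.1.4.22 s1 USER BATCH01
2026-01-12T08:01:03Z 10.1.4.22 s1 PASS Winter2026
2026-01-12T08:01:05Z 10.1.4.22 s1 RETR 'PROD.PAYROLL.EXTRACT'
2026-01-12T08:01:09Z 10.1.4.22 s1 QUIT
2026-01-12T09:15:41Z 10.1.7.9 s2 AUTH TLS
2026-01-12T09:15:42Z 10.1.7.9 s2 USER APPUSR
2026-01-12T09:15:42Z 10.1.7.9 s2 PASS ********
2026-01-12T09:15:44Z 10.1.7.9 s2 STOR 'PROD.CLAIMS.IN'
2026-01-13T02:30:00Z 192.0.2.17 s3 USER PARTNER
2026-01-13T02:30:00Z 192.0.2.17 s3 PASS hunter2
2026-01-13T02:30:02Z 192.0.2.17 s3 STOR 'PROD.CARDS.DAILY'
2026-01-13T02:30:04Z 192.0.2.17 s3 RETR 'PROD.CARDS.ACK'
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+)(?: (.*))?$")
TRANSFER_CMDS = {"RETR", "STOR", "APPE"}

def inventory(log_text):
    """Return (sessions, transfers_per_day). Each session records the user, whether
    TLS was negotiated, whether the password was observable, and the datasets moved."""
    sessions, per_day = {}, Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        ts, ip, sid, cmd, arg = m.groups()
        s = sessions.setdefault(sid, {"ip": ip, "user": None, "tls": False,
                                      "cleartext_password": False, "transfers": []})
        if cmd == "AUTH" and arg and arg.upper() in ("TLS", "SSL"):
            s["tls"] = True
        elif cmd == "USER":
            s["user"] = arg
        elif cmd == "PASS" and not s["tls"]:
            s["cleartext_password"] = True  # readable by anyone on the network path
        elif cmd in TRANSFER_CMDS:
            s["transfers"].append((cmd, arg))
            per_day[ts[:10]] += 1  # date prefix of the ISO timestamp
    return sessions, per_day

def cleartext_sessions(log_text):
    """Session ids whose credentials went over the wire unencrypted."""
    sessions, _ = inventory(log_text)
    return sorted(sid for sid, s in sessions.items() if s["cleartext_password"])

if __name__ == "__main__":
    sessions, per_day = inventory(SAMPLE_LOG)
    for sid, s in sessions.items():
        auth = "CLEARTEXT" if s["cleartext_password"] else "tls"
        print(f"{sid} {s['ip']} user={s['user']} auth={auth} transfers={len(s['transfers'])}")
    print("transfers per day:", dict(per_day))
```

The same structure applies to whatever transfer log your site actually keeps; the point is that the per-day counts and the clear-text flag are the two numbers an auditor asks for first.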
3. The Data Breach You Haven’t Had Yet
Here’s the most dangerous cost: the one you’re currently lucky enough not to be paying.
Every unencrypted FTP transfer is a potential breach waiting to happen. The longer you wait to address this vulnerability, the more likely you are to experience the full financial impact of a data breach:
- Direct costs: Forensic investigation, notification expenses, legal fees
- Indirect costs: Regulatory fines, customer compensation, increased insurance premiums
- Long-term costs: Reputation damage, customer churn, lost business opportunities
The average breach takes 277 days to identify and contain. During that time, compromised credentials from unencrypted FTP transmissions could give attackers the keys to your entire environment.
4. The Missed Innovation Opportunity
While you’re maintaining a 50-year-old file transfer protocol, what else could your team be doing?
Every hour spent managing FTP security workarounds is an hour not spent on initiatives that drive business value. Every senior engineer who knows the intricacies of your FTP infrastructure could be working on modernization projects.
The opportunity cost is real, even if it doesn’t show up on a budget spreadsheet.
“But Migration Is Expensive Too”
This is the objection we hear most often. And it’s not wrong: migration does require investment. But let’s compare:
Traditional SFTP Migration (Manual Approach):
- Rewrite batch JCL: Weeks to months of developer time
- Application code changes: Testing, quality assurance, deployment cycles
- User training: Learning new command syntax, new procedures
- Risk: Downtime, broken dependencies, emergency rollbacks
- Estimated cost: $100,000-$500,000+ depending on environment complexity
VFTP-SSH Automated Migration:
- No JCL changes required
- Transparent FTP-to-SFTP conversion
- Leverages OpenSSH already on z/OS
- Granular control over which transfers to secure
- Complete visibility into all transfers
- Implementation time: Weeks, not months
- Significantly lower total cost
Here’s what makes the economics work: You don’t have to migrate everything on day one. With VFTP and VST, you can:
- Gain visibility into all FTP activity (Week 1)
- Secure the most critical transfers first (Weeks 2-4)
- Gradually migrate the remaining transfers at your own pace
- Maintain both FTP and SFTP during transition
This phased approach minimizes risk while providing immediate compliance value.
What “Working” Should Actually Mean in 2026
It’s time to update that old systems programmer rule. In 2026, “working” means:
- Secure: Data encrypted in transit, passwords protected
- Compliant: Meeting PCI, HIPAA, SOX, GDPR requirements
- Visible: Complete audit trail of all file transfers
- Manageable: Centralized control and monitoring
- Reliable: All the stability you expect from z/OS
FTP may be transferring your files, but it’s not really “working” if it exposes your organization to millions in potential losses.
The Cost of Waiting
Every quarter you delay migration, the risks compound:
- Compliance standards get stricter
- Cyber threats become more sophisticated
- Audit scrutiny intensifies
- The competitive disadvantage grows
Organizations that have already migrated to SFTP aren’t just more secure—they’re more efficient, more confident in audits, and able to focus their security resources on emerging threats instead of managing legacy vulnerabilities.
What’s the Real Cost?
The question isn’t whether you can afford to migrate from FTP. The question is whether you can afford not to.
When you add up compliance risk, audit overhead, breach potential, and opportunity cost, maintaining FTP on z/OS is far more expensive than securing it.
The good news? Migration is easier than you think. With the right solution, you can eliminate your FTP vulnerability without the massive project you’re imagining.
Take Action Now
Download our comprehensive whitepaper: “Securing and Managing File Transfers” for a detailed look at:
- Why FTP remains such a prevalent security risk
- Best practices for secure file transfer on z/OS
- A step-by-step migration framework
- How VFTP and VST make migration seamless
Or schedule a personalized demo to see exactly how VFTP-SSH can secure your z/OS file transfers with zero JCL changes. Request your free demo.
Don’t let “if it’s working, leave it alone” become “why didn’t we do something sooner?”
Related Resources:
- Is Your z/OS Environment Still Using FTP? It’s Time for a Security Upgrade
- Webinar: Peeling the Onion – Mainframe File Transfer Methods
- VFTP-SSH Product Overview
Ready to stop leaving money on the table? Contact SDS today.
Founded in 1982, Software Diversified Services delivers comprehensive, affordable mainframe and distributed software with a focus on cybersecurity and compliance. Hundreds of organizations worldwide, including many Fortune 500 companies, rely on SDS software. Our expert development and award-winning technical support teams are based in Minneapolis, MN. To learn more, please visit sdsusadev.wpenginepowered.com.
Free Demo/Trial
We offer individualized product demonstrations by request. Your organization can also try SDS Software on your system for 30 days, free of charge.