At first glance, consumer Dropbox tools are convenient and easy-to-use, allowing users to share video, music, and private content with family and friends within minutes. It’s no wonder individuals bring these seemingly harmless tools into the workplace. However, consequences arise when these tools are inadvertently used to circumvent corporate security and policies.
Security and Compliance
Companies are exposing themselves to unnecessary financial and legal threats by unknowingly allowing consumer Dropbox type tools onto the corporate network.
Many customers do not understand that the software itself is never tested against regulations such as HIPAA, PCI, and SOX; it is the company that must be tested for compliance. While software alone cannot guarantee that a company will meet the internal controls and stipulations required by law, storing regulated data in these consumer applications can all but guarantee that the company will fail its audit.
Stringent policies have been mandated for protecting sensitive information, as evident in a Bank of America online statement in its FAQ:
“If you do not comply with PCI [Data Security Standard], your business may face significant financial and reputational risks.” “If your cardholder data is compromised, you could be required to reimburse us for card brand fines ranging up to $500,000 per incident, as well as subsequent fraud losses incurred by card issuers resulting from the compromised card data, which may exceed fine amounts.”
When uploading a file to a consumer Dropbox, there is, surprisingly, no virus or malware protection. Skeptical of such statements posted by the user community, we attempted to dispute these claims but discovered that they were indeed correct. Although not official by any means, we were able to upload various viruses to some of the leading consumer file sharing services. (Feel free to test using the same test file, found here.) This potentially creates a perfect forum in which a worm or Trojan could be written specifically to take advantage of these tools, quickly spreading malware to and from millions of computers and consequently onto enterprise networks.
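Since the sync client itself does no scanning, the control has to sit in front of it. The following is an added example, not code from the original post or from any vendor product: a small pre-sync gate that checks every file in a staging folder against a hash blocklist and a byte signature before it is allowed into the shared folder, quarantining anything that matches. The blocklist entry and the sample files are constructed for the demo; the only real signature used is the industry-standard EICAR test string, which is assembled in memory so this source file does not match its own rule.

```python
"""Pre-sync malware gate for a shared folder (added example, not from the
original post or any vendor product).

Each file in a staging folder is checked against (a) a SHA-256 blocklist and
(b) content signatures before it is allowed to sync. Files that match are
moved to a quarantine folder. Blocklist hashes and sample files are
constructed for the demo.
"""
import hashlib
from pathlib import Path

# Constructed blocklist entry: SHA-256 of a sample "known bad" payload.
KNOWN_BAD_PAYLOAD = b"CONSTRUCTED-SAMPLE-MALICIOUS-PAYLOAD"
BLOCKLIST = {hashlib.sha256(KNOWN_BAD_PAYLOAD).hexdigest(): "demo-blocklist-entry"}

# EICAR anti-malware test string, split so this file does not match its own
# signature; it is only ever joined in memory.
_EICAR_PARTS = (
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
)
SIGNATURES = {"EICAR-Test-File": b"".join(_EICAR_PARTS)}


def scan_bytes(data: bytes) -> list:
    """Return a list of (rule, detail) findings for the given content."""
    findings = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in BLOCKLIST:
        findings.append(("hash-blocklist", BLOCKLIST[digest]))
    for name, sig in SIGNATURES.items():
        if sig in data:
            findings.append(("signature", name))
    return findings


def gate_file(path: Path, quarantine: Path) -> dict:
    """Scan one file; move it to quarantine if any rule matched."""
    findings = scan_bytes(path.read_bytes())
    if findings:
        quarantine.mkdir(parents=True, exist_ok=True)
        dest = quarantine / path.name
        path.replace(dest)
        return {"file": str(path), "allowed": False,
                "findings": findings, "moved_to": str(dest)}
    return {"file": str(path), "allowed": True, "findings": []}


def gate_directory(staging: Path, quarantine: Path) -> list:
    """Scan every regular file in the staging folder before it is synced."""
    results = []
    for p in sorted(staging.iterdir()):
        if p.is_file():
            results.append(gate_file(p, quarantine))
    return results


def demo_run() -> list:
    """Build a constructed staging folder in a temp dir and run the gate."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="sync-gate-demo-"))
    staging, quarantine = root / "staging", root / "quarantine"
    staging.mkdir()
    (staging / "known-bad.bin").write_bytes(KNOWN_BAD_PAYLOAD)   # constructed
    (staging / "report.txt").write_bytes(b"Q3 figures, nothing unusual.")
    return gate_directory(staging, quarantine)


if __name__ == "__main__":
    for result in demo_run():
        print(result)
```

In practice the signature table would be backed by a real engine, and the gate would run as the staging folder's watcher so that nothing reaches the sync directory unscanned; the point of the example is where the check belongs, not the two rules it ships with.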
One of the more obvious difficulties with a consumer Dropbox is the separation between sensitive corporate information and private data. From its inception, the focus has been on the consumer market, making it widely installed on private devices (computers, laptops, mobile phones). Private devices are often inherently less secure, as they are designed for ease of use rather than security. This was never really an issue before “bring your own device to work” emerged, because users had few ways to share large quantities of data between home and work. Dropbox is now used to share both sensitive corporate information and private data. However, users often do not realize that accessing data on unsecured devices can put sensitive information at risk. Dropbox solutions need to offer robust monitoring, policies, and a plugin to the existing governance framework, not just focus on the individual user, to mitigate data leakage.
Talking about data leakage, there is also the risk that users choose a poor Dropbox password, which may allow unauthorized access to their consumer Dropbox and theft of confidential data. My personal favourite, though, is when data is stored on personal devices over which an organization no longer has control. This also bypasses any automated document retention mechanisms in place, increasing the administrative burden of enforcing document retention policies.
Join Our Webinar
These are just a few concerns that companies are facing today because of the onslaught of consumer Dropbox solutions that have crept into the enterprise. Join us on April 19th for a live Webinar, The Hidden Cost behind Dropbox Software in the Enterprise. Michael Osterman, President of Osterman Research, will discuss the concerns behind “consumer” file transfer solutions in the enterprise, and provide insight on how to give employees dropbox-type functionality with enterprise level security.
Also, if you are interested in protecting your organization from Dropbox threats, check out the Thru Collaboration solution.