At first glance, consumer file-sharing tools of the Dropbox, Inc., kind are convenient and easy to use, letting people share video, music, and private content with family and friends within minutes. It is no wonder individuals bring these seemingly harmless tools into the workplace. Consequences arise, however, when these tools end up circumventing corporate security controls and policies.
Security and Compliance
Companies expose themselves to unnecessary financial and legal risk by unknowingly allowing consumer Dropbox-type tools onto the corporate network.
Many customers do not understand that the software itself is not tested against regulations such as HIPAA and SOX; it is the company that must be tested for compliance. Software alone cannot guarantee that a company meets the internal controls and stipulations the law requires, but storing data in these consumer applications can very well guarantee that the company fails its audit.
Surprisingly, files uploaded to a consumer Dropbox receive no virus or malware scanning. Skeptical of such statements posted by the user community, we set out to dispute these claims but found that they were indeed correct. Although not an official test by any means, we were able to upload various viruses to some of the leading consumer file-sharing services. (Feel free to test using the same test file, found here.) This potentially creates a perfect forum in which a worm or Trojan written specifically to take advantage of these tools could quickly spread malware to and from millions of computers, and consequently onto enterprise networks.
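The two points above, that organizations often do not know these tools are in use and that uploads to them are not scanned, suggest a simple defensive check: watch the web-proxy log for uploads to consumer sync services and flag the ones carrying executable or archive content so a local scanner can look at them first. The script below is an added example and is not code from the article or from Dropbox, Inc. The log format, the user names, the timestamps, the `consumer-sync.example` domain and all of the sample lines are constructed for illustration; only `dropbox.com` comes from the article.

```python
"""Flag uploads to consumer file-sync services in web-proxy logs.

Constructed example: the log format and every sample line below are made up
for illustration. Only dropbox.com is named in the article; the second
watched domain is a placeholder for any other consumer service.
"""
import re
from collections import defaultdict

# Domains of consumer sync services to watch. A host matches if it is the
# bare domain or any subdomain of it (content.dropbox.com, api.dropbox.com).
WATCHED_DOMAINS = ("dropbox.com", "consumer-sync.example")  # second one is a placeholder

# Content types worth a second look, since the article notes that uploads to
# consumer services are not scanned for malware.
RISKY_TYPES = {
    "application/x-msdownload",   # Windows executables
    "application/x-dosexec",
    "application/zip",            # archives can wrap executables
    "application/octet-stream",   # unknown binary
}

# Constructed proxy log, one request per line:
# time user method host path status bytes content-type
SAMPLE_LOG = """\
2013-04-02T09:14:03Z alice POST content.dropbox.com /upload 200 5242880 application/zip
2013-04-02T09:15:10Z alice GET www.dropbox.com /home 200 1024 text/html
2013-04-02T09:20:44Z bob PUT api.consumer-sync.example /files/put 200 409600 application/x-msdownload
2013-04-02T09:22:01Z carol POST intranet.corp.example /share 200 20480 application/pdf
2013-04-02T09:25:30Z bob POST content.dropbox.com /upload 413 0 application/pdf
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3}) (?P<bytes>\d+) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower()
    return rec


def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def find_uploads(log_text):
    """Uploads (POST/PUT) to watched services; 'accepted' records whether the server took them."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unparseable lines rather than crash
        if rec["method"] in ("POST", "PUT") and is_watched(rec["host"]):
            rec["accepted"] = 200 <= rec["status"] < 300
            events.append(rec)
    return events


def bytes_by_user(events):
    """Bytes each user successfully pushed to consumer sync services."""
    totals = defaultdict(int)
    for e in events:
        if e["accepted"]:
            totals[e["user"]] += e["bytes"]
    return dict(totals)


def risky_uploads(events):
    """Accepted uploads whose content type a local scanner should have seen first."""
    return [e for e in events if e["accepted"] and e["ctype"] in RISKY_TYPES]


if __name__ == "__main__":
    found = find_uploads(SAMPLE_LOG)
    for user, total in sorted(bytes_by_user(found).items()):
        print(f"{user}: {total} bytes uploaded to consumer sync services")
    for e in risky_uploads(found):
        print(f"RISKY {e['ts']} {e['user']} -> {e['host']} {e['ctype']} ({e['bytes']} bytes)")
```

Run against the constructed log, the script reports two users pushing data to consumer services and two accepted uploads of executable or archive content; the rejected upload (HTTP 413) is recorded but not counted. In a real deployment the watched-domain list and the log regex would be adapted to the proxy in use, and the risky-type list extended to whatever the local scanning policy covers.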
One of the more obvious difficulties with a consumer Dropbox is the lack of separation between sensitive corporate information and private data. From its inception the product has focused on the consumer market, so it is widely installed on private devices (computers, laptops, mobile phones). Private devices are often inherently less secure, because they are designed for ease of use rather than security. This was never really an issue before "bring your own device to work" emerged, since users then had few ways to move large quantities of data between home and work. Dropbox is now used to share both sensitive corporate information and private data, yet users often do not realize that accessing that data on unsecured devices puts sensitive information at risk. To mitigate data leakage, Dropbox solutions need to offer robust monitoring, policies, and integration with the existing governance framework, rather than focusing only on the individual user.
Talking about data leakage, there is also the risk that users choose a poor Dropbox password, which may allow unauthorized access to their consumer Dropbox and the theft of confidential data. My personal favorite, though, is data stored on personal devices over which the organization no longer has any control. Such data also bypasses any automated document retention mechanisms in place, adding administrative burden to whatever document retention policies the organization has.