Once again, Dropbox is in the news as a major security concern. Even though we're talking about a 2012 data breach, the company wasn't upfront about the scope of the problem – namely, the theft of passwords belonging to 68 million customers. This is poor form as far as data breach disclosure is concerned.
According to Hacker News, "Dropbox initially disclosed the data breach in 2012, notifying users that one of its employee passwords was acquired and used to access a file with users' email addresses, but the company didn't disclose that the hackers were able to pilfer passwords too."
The concern is big enough that Dropbox had to go public about recent actions taken to secure potentially exposed users. This included a "proactive password reset" action the company completed last week which essentially forced users to reset passwords that pre-dated the breach.
So what does this mean for your organization? Because end users take shortcuts as a matter of convenience (and to get around IT saying "no"), they install all sorts of apps, Dropbox among them. The resulting "shadow IT" effect means that company data ends up in enterprise file synchronization and sharing (EFSS) products like Dropbox.
And because end users are not experts at locking down data, a lot of company information ends up in motion and at rest in repositories that IT admins do not manage. Given all this, you and your fellow IT teammates may be asking, "just what is our exposure?" Here are four questions to consider, along with four areas to drill into to make sure your data is protected:
1. Do you have a stated policy concerning employee use of file sharing services?
If not, then it is highly likely your employees are transferring data whatever way works best for them. If any portion of those transfers is external, you have a significant security risk on your hands.
Once employees turn to external services, it becomes more likely that some of them, already struggling to remember the wide array of passwords they use every day, will reuse their company passwords with an external vendor. Now you are exposed to any data breach that vendor suffers, and a company password is only as safe as the weakest place it has been reused. You could also lose corporate passwords to phishing attacks. (BTW, Dropbox-themed phishing scams are a very productive tactic for cybercriminals.)
2. Do you collect, transmit or store sensitive data protected by regulations?
If you are in financial services, the government sector, insurance, healthcare or retail, you don't have to do any research to find the answer – it is yes. If your company is publicly traded or in a sensitive manufacturing industry (such as supplying power plants), the answer is also very likely to be yes.
In that case, not having a good answer to the first two questions puts you at risk of heavy fines in the event of data loss. Employees using unapproved third-party services increase your risk of an eventual data breach.
3. Do you have a secure means of executing file transfers?
If you are already in the business of sharing data with external customers, partners, vendors or governmental reporting agencies you should be using a secure file transfer solution. Whether or not that is a cloud-based service should be more dependent on your security needs than convenience.
Recent rulings have come down hard on companies that relied on the compliance assertions of a third-party vendor. The fact is you are only compliant if your company has implemented the right security and governance provisions itself. Compliance is your responsibility, and it cannot be outsourced.
Best practice typically involves on-premise solutions or strict governance with fully compliant third parties. Common on-premise file transfer technologies include SFTP (file transfer over SSH; despite the name, not FTP), FTPS (FTP over TLS/SSL) and managed file transfer (MFT) products that add governance, auditing and automation on top of those protocols.
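As an added example (not from the original post, and not any particular vendor's configuration), here is what a locked-down SFTP-only account looks like on an on-premise OpenSSH server. The group name `sftponly` and the directory layout under `/srv/sftp/` are assumptions; the directives themselves are standard OpenSSH `sshd_config` options. The comments note what each setting prevents, which is the difference between "we run SFTP" and "we run a transfer service that cannot be turned into a shell or a network pivot".

```text
# /etc/ssh/sshd_config (excerpt) - added example, assumes group "sftponly"

# Use the in-process SFTP server so the chroot below needs no binaries inside it.
Subsystem sftp internal-sftp

# Everything below applies only to members of the assumed group "sftponly";
# ordinary admin accounts are unaffected.
Match Group sftponly
    # Confine the session to the user's transfer directory. OpenSSH requires
    # every path component of the chroot to be owned by root and not
    # group- or world-writable, so give the user a writable subdirectory
    # (e.g. /srv/sftp/<user>/upload) rather than the chroot root itself.
    ChrootDirectory /srv/sftp/%u

    # Deny an interactive shell or arbitrary commands even if the account
    # has a login shell: the session can only ever run the SFTP subsystem.
    ForceCommand internal-sftp

    # Without these, a compromised or malicious transfer account can use the
    # SSH connection as a pivot into the internal network.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # Key-based authentication only for transfer accounts: a password that was
    # reused at an external vendor, or phished, then buys an attacker nothing here.
    PasswordAuthentication no
```

Validate the file with `sshd -t` before reloading the service; a syntax error in `sshd_config` will otherwise stop `sshd` from restarting and lock you out. Without the `Match` block, the same account could log in with plain `ssh`, get a shell, and forward TCP ports through the server.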
4. Do you have an easy to access, secure alternative to ad hoc file transfers made by employees?
If you already have an SFTP/FTPS or managed file transfer solution, investigate the availability of "ad hoc" user features. Many vendors provide easy-to-use browser or Outlook plug-ins. Distributing these to employee desktops can go a long way toward removing their need to look elsewhere for easy file transfer.
At the end of the day, end users will take the shortest route and use the apps (including Gmail) they already know. Considering this, why not give them something just as simple to use that you can manage and lock down yourself?