Bring-your-own-device (BYOD) policies and an increasingly mobile workforce are putting new pressures on IT and changing the requirements for how workers want (and need) to access corporate data. Workers need to connect across distance, not just with coworkers, but also with customers and suppliers. Consider that 73% work with customers on a typical day; 68% work with coworkers on a typical day; and 59% work with suppliers on a typical day.
Dropbox is recognized as the first company that made cloud file sync simple and free. Today, with 300 million users as of May 2014, the service is one of the fastest growing in the world. But amidst this rapid adoption, business owners are asking, “Is Dropbox safe for my business to use?” Before we answer that question, let’s take a look at why employees are using Dropbox.
1. “Dropbox is easy to use.”
2. “Dropbox is free.”
3. “It’s what I use at home.”
All of these reasons explain why Dropbox is popular among consumers. But they do not justify the major security risks that the free version of Dropbox creates in a business environment. Which brings us to our last reason why people use Dropbox:
4. Because they don’t know any better
Dropbox’s free service lacks the security, administrative, and productivity features that a business needs. A business that relies on it substantially increases the risk of its data being lost, stolen, or shared with the wrong parties.
We frequently meet business owners who say, “But I use Dropbox at home.” The overarching theme is that just because something is good for personal use, or for one employee, does not mean it is good for your business as a whole. Personal needs differ substantially from business needs, especially where data and security are concerned. Your business is your livelihood and your data is of critical importance; there is a good reason why you use a basic lock and key on your home front door and an alarm system in your office.
Let’s take a look at some of the risks and dangers associated with Dropbox…
Unfortunately, what works for family pictures does not work for corporate files. In most cases, Dropbox’s quick-to-install, easy-to-use consumer-grade service presents unacceptable security, legal, and business risk in a business environment. Here are seven of those risks: data theft, data loss, corrupted data, lawsuits, compliance violations, loss of accountability, and loss of file access. Let’s go through each of these…
Data theft –
Most of the problems with Dropbox stem from a lack of oversight. Business owners are not told when an instance of Dropbox is installed and cannot control which employee devices can or cannot sync with a corporate PC. Use of Dropbox can open the door to company data being synced, without approval, across personal devices. The proliferation of these personal devices, which accompany employees on public transit, at coffee shops, and to friends’ homes, greatly increases the chance of data being stolen or shared with the wrong parties.
Data loss –
When administrators cannot manage and monitor file sync activity across an organization, they risk losing critical data. If an employee (or group of employees) adopts Dropbox and starts using it to sync and share sensitive files, administrators without proper oversight cannot manage data sprawl, cannot initiate remote wipes when devices are lost, and cannot guarantee that files are shared only with the right people.
Corrupted data –
In a study by CERN, the European Organization for Nuclear Research, silent data corruption was observed in roughly 1 out of every 1,500 files. Dropbox and other consumer-grade file sync services disclose few, if any, details about how they detect or prevent such corruption. Business-grade file sync services store a cryptographic hash of every piece of data and verify it on every read, so a corrupted copy is detected rather than returned as if it were correct, and they store the data redundantly across multiple data center racks so that a bad copy can be repaired from a good one. Together these measures virtually eliminate silent data corruption, which has been shown to be common in large-scale storage systems.
Lawsuits –
Dropbox gives employees carte blanche to permanently delete and share files. This can result in the permanent loss of critical business documents and in confidential information being shared with outside parties, which can breach privacy agreements in place with clients and third parties and expose the business to litigation.
Compliance violations –
Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict control over how long files are kept and who can access them. Since Dropbox has loose (or non-existent) file retention and file access controls, businesses that use Dropbox are risking a compliance violation.
Loss of accountability –
Dropbox does not track which users and machines touched a file, or when. This is a serious problem if you are trying to reconstruct the events leading up to a file’s creation, modification, or deletion.
Loss of file access –
Separately, at a moment’s notice, files and folders may no longer be in their proper locations or readily available to employees, because any member of a shared folder can move or delete its contents for everyone else.
Let’s play a quick game of “Did you know?”
Dropbox is the No. 1 most commonly blacklisted app
In general, BYOD and the advent of mobile applications have made employees more productive. But when it comes to mobility, there are some applications that companies should avoid. In a survey by Fiberlink of over 4,500 corporate and employee devices, Dropbox was the No. 1 most blacklisted iOS and Android app. Business owners and IT administrators are blacklisting Dropbox because it lacks the administrative control and oversight necessary to avoid data leakage. The rest of the top five were SugarSync, Box, Facebook, and Google Drive.
Dropbox shares can be accessed by anyone
Sharing with Dropbox is easy. Protecting your files with Dropbox? Not so easy. When a user shares a file or folder by link, Dropbox generates a public URL that can be opened by anyone who has it, with no password required. The link is effectively a bearer credential: anyone it is forwarded to, or any third party it leaks to, gets the file. In a study conducted by Intralinks, these fully clickable URLs were used to access sensitive files, including income tax returns, a mortgage application, bank information, and personal photos. Intralinks also found evidence of intermingling of personal and corporate files. All of this raises the question: when you share files and folders with Dropbox, who are you actually sharing them with?
Dropbox only retains deleted files and revisions for 30 days
Business-class file sync services maintain a rich file and folder history so that companies can recall historical data, including deleted files and revisions. Moreover, retention of data is important for businesses that handle sensitive data and is legally required in certain verticals. The Sarbanes-Oxley Act, the Federal Rules of Civil Procedure, tax laws, and other federal and local statutes have distinct requirements for the retention of data. Dropbox’s decision to permanently remove deleted files and revisions after 30 days is inconvenient and puts businesses at risk in legal and compliance disputes. If Dropbox customers want to retain deleted files and revisions for more than 30 days, they are directed to download and pay for a third-party application.
Dropbox uses a single encryption key
Encryption is a primary safeguard against hacking and security breaches. Unfortunately for Dropbox customers, the keys that encrypt and decrypt files are held by Dropbox, not on each user’s machine. Worse yet, Dropbox uses a single encryption key for all customers’ data. This insecure architectural design prompted Christopher Soghoian, a prominent security researcher, to file an FTC complaint against Dropbox in 2011. His complaint alleged that Dropbox puts users at risk of government searches, rogue Dropbox employees, and even companies trying to bring mass copyright-infringement suits. In light of these charges, Dropbox scrambled to change language that appeared on its website. But the facts remain: Dropbox does not provide a way for users to encrypt files before they are transmitted to the cloud, Dropbox employees have access to and can see the contents of a user’s storage, and “Dropbox has exposed its users to unnecessary risk of data theft by hackers, who if they break into the company’s servers, may be able to steal users’ data and the keys necessary for decryption.”
Dropbox reviews your data to save costs
When a user uploads a file, Dropbox first checks whether the same content has already been uploaded by any other user, by comparing a hash of the content against what it already stores. If it has been uploaded before, Dropbox’s deduplication technology points the new upload at the existing copy, saving Dropbox from keeping two copies of the same file. According to Dark Reading (InformationWeek), “For starters, deduplication can make it easy for outsiders to know what’s already on the Dropbox servers, since the website studies a file to see if it’s seen it before.” In other words, anyone who holds a copy of a document can upload it and learn, from the fact that the upload was skipped, that someone else already has it. In sum, the deduplication technology used by Dropbox saves the company storage costs, but places your files at risk.
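The following is an added example, not code from Dropbox, eFolder, or this article, that models the two storage behaviours discussed above: the hash-verified storage that detects silent corruption (the "Corrupted data" risk) and the cross-user deduplication that lets an outsider confirm a file exists (the "reviews your data" point). It assumes a simplified protocol in which the uploading client can observe whether the server already had the content; Dropbox's real block-level protocol is not reproduced. The tenant names, tenant secrets, and file contents are all constructed for the illustration. It also shows the usual mitigation, deduplicating only within a tenant by keying the hash with a per-tenant secret, so a guess by one customer cannot be confirmed against another customer's data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Added example (not Dropbox's or eFolder's code). Models a content-addressed
# sync back end: each blob is stored under a hash of its bytes, so identical
# uploads are stored once (deduplication) and every read can be checked
# against the hash (silent-corruption detection). All names are constructed.


class IntegrityError(Exception):
    """Stored bytes no longer match the hash they were stored under."""


@dataclass
class BlobStore:
    blobs: dict = field(default_factory=dict)        # hash-hex -> bytes
    index: dict = field(default_factory=dict)        # (tenant, path) -> hash-hex
    # Optional per-tenant secret. When present, the dedup key is an HMAC, so
    # one tenant's uploads can never match another tenant's.
    tenant_keys: dict = field(default_factory=dict)

    def _key(self, tenant: str, data: bytes) -> str:
        secret = self.tenant_keys.get(tenant)
        if secret is None:
            return hashlib.sha256(data).hexdigest()                 # global dedup
        return hmac.new(secret, data, hashlib.sha256).hexdigest()   # per-tenant dedup

    def put(self, tenant: str, path: str, data: bytes) -> bool:
        """Store data under (tenant, path). Returns True when the content was
        already present and the upload was deduplicated; in the simplified
        protocol assumed here that is exactly what the client can observe."""
        key = self._key(tenant, data)
        deduped = key in self.blobs
        if not deduped:
            self.blobs[key] = bytes(data)
        self.index[(tenant, path)] = key
        return deduped

    def get(self, tenant: str, path: str) -> bytes:
        """Return the blob, re-hashing it so bit rot is detected, not served."""
        key = self.index[(tenant, path)]
        data = self.blobs[key]
        if not hmac.compare_digest(self._key(tenant, data), key):
            raise IntegrityError(f"{tenant}:{path} failed hash verification")
        return data

    def corrupt(self, tenant: str, path: str, offset: int) -> None:
        """Simulate silent corruption: flip one bit of the stored blob."""
        key = self.index[(tenant, path)]
        buf = bytearray(self.blobs[key])
        buf[offset] ^= 0x01
        self.blobs[key] = bytes(buf)


def probe_for_known_file(store: BlobStore, attacker: str, candidate: bytes) -> bool:
    """Confirmation-of-file attack: upload a guessed document and watch whether
    the server skips it. True means someone already stored that exact content."""
    return store.put(attacker, "probe.bin", candidate)


PAYROLL = b"employee,salary\nalice,120000\nbob,95000\n"   # constructed sample file


def demo_global_dedup() -> dict:
    """Global (cross-customer) dedup: saves space but leaks file existence."""
    store = BlobStore()                                     # no tenant keys
    first = store.put("acme", "payroll.csv", PAYROLL)       # new blob
    second = store.put("acme", "copy.csv", PAYROLL)         # same bytes, deduped
    leaked = probe_for_known_file(store, "mallory", PAYROLL)  # outsider confirms it
    return {"first_upload_deduped": first, "second_upload_deduped": second,
            "cross_tenant_probe_confirms": leaked, "blob_count": len(store.blobs)}


def demo_tenant_keyed_dedup() -> dict:
    """Per-tenant keyed hashing: dedup still works inside a customer, but a
    different customer's probe no longer matches."""
    store = BlobStore(tenant_keys={"acme": secrets.token_bytes(32),
                                   "mallory": secrets.token_bytes(32)})
    store.put("acme", "payroll.csv", PAYROLL)
    within = store.put("acme", "copy.csv", PAYROLL)
    leaked = probe_for_known_file(store, "mallory", PAYROLL)
    return {"within_tenant_deduped": within, "cross_tenant_probe_confirms": leaked,
            "blob_count": len(store.blobs)}


def demo_silent_corruption() -> str:
    """A single flipped bit on the server is caught by the read-time hash check."""
    store = BlobStore()
    store.put("acme", "contract.pdf", b"%PDF-1.4 constructed sample contents")
    store.corrupt("acme", "contract.pdf", offset=5)
    try:
        store.get("acme", "contract.pdf")
    except IntegrityError:
        return "detected"
    return "missed"


if __name__ == "__main__":
    print(demo_global_dedup())
    print(demo_tenant_keyed_dedup())
    print(demo_silent_corruption())
```

The keyed variant trades some storage savings (the same file uploaded by two customers is now stored twice) for the guarantee that deduplication reveals nothing across customer boundaries; the read-time check costs one hash per read and is what turns silent corruption into a loud, repairable error when a redundant copy exists.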
FAQs and forums not good enough?
Because Dropbox does not offer live support, you will have to fill out a form and wait for someone to get back to you. In addition, Dropbox has experienced outages, downtime, and security breaches over the years, causing business users to reconsider the reliability of the service. According to ReadWrite, “(Dropbox’s) checkered history of security breaches may make it a tough sell in the enterprise,” including “a (2011) bug in the company’s authentication mechanism, allowing third parties to log into user accounts and access files,” and a 2012 breach that “allowed attackers to penetrate accounts used by Dropbox employees, including a document from which they may have been able to harvest email addresses…those email addresses were apparently used to send Dropbox users spam.” In March of this year, Dropbox suffered an outage that caused errors and rendered desktop and mobile file sync useless. In light of these events, the lack of live support is only the beginning of the service issues Dropbox faces.
Based on these risks, it is clear that Dropbox poses many challenges to businesses that care about control and visibility over company data. Allowing employees to use Dropbox can lead to large data leaks and security breaches. Many companies already have formal policies against it, or at least discourage employees from using their personal accounts for work.
Here are four practical steps to prevent Dropbox use in the workplace:
1. Create a formal policy against applications like Dropbox
Communicating that Dropbox is not acceptable on work devices is the first step in protecting your data. This communication needs to take multiple forms, especially written, so that employees have no excuse for continuing to use Dropbox. Creating a formal, written policy, with specific consequences, communicates that “Dropbox is strictly prohibited.” Remember, if it’s not written, it doesn’t exist.
2. Communicate this policy from the top level of the company
Lead by example. Schedule internal meetings with managers and subordinates to make sure that they understand why Dropbox is prohibited. By arming senior employees with the education and resources that they need to quell the problem, you will avoid embarrassing conversations and nip problems in the bud. More importantly, by taking a top-down approach, you ensure that the individuals with the most access to sensitive data are aware of the problem first.
3. Block applications with the company firewall
Most companies already use a corporate firewall to protect their employees and data, and today’s application-aware firewalls and web filters can also be configured to detect and block specific applications and websites. While this capability was typically reserved for leisure applications, the focus has shifted to applications that can move data out of the company. Fiberlink, a company that specializes in mobile device management, surveyed 4,500 corporate- and employee-owned devices and found that the top blacklisted iOS and Android apps were Dropbox, SugarSync, Box, Facebook, and Google Drive, in that order. System administrators should consider blocking these applications to protect sensitive data. Keep in mind that a perimeter block only takes effect while a device is on the company network; laptops and phones used from home or a coffee shop need the same block enforced on the device itself, through mobile device management or endpoint controls.
4. Replace Dropbox with a business-grade file sync application
The best way for businesses to handle the “Dropbox problem” is to deploy a company-approved application that lets IT control the data while giving employees the access and functionality they need to be productive. A business-grade file sync service does more than replace Dropbox: it includes features that make the business more secure and employees more productive. For example, unlike Dropbox, a business-class file sync service can cloud-enable the file server so that employees can sync files and folders between the company’s file server and their mobile devices and computers, without the need for cumbersome technologies such as VPN and FTP.
What alternatives to Dropbox are available?
Intelligent Networks Anchor allows you to work…with any content…across any device…with anyone…without compromising security and control.
What is Anchor?
Anchor provides file sync between PCs and mobile devices
Anchor is the only secure cloud file sync service that we stand behind and guarantee
Access files from anywhere
Anchor updates and protects your work
Users can access their files from their laptops, tablets, and phones
Collaborate with ease
Anchor empowers users to collaborate on files using Team Shares
Any time a file changes on a Team Share, users will have access to the most recent version
Share files securely
With one click of the mouse users can share files, set expiration dates, track downloads, receive notifications, and send messages
Control your data
Anchor tracks all user activity, including adds, deletes, and changes, making it easy to download and restore any deleted files and previous versions
Eliminate FTP and VPN
Anchor allows businesses to cloud enable their file server, minimizing dependence on FTP and VPN
No more cumbersome technologies
Anchor allows you to:
- File access and syncing across all devices
- Cloud-enable existing file servers
- Third-party file sharing and uploads
- Comprehensive usage reports
- 448-bit Blowfish encryption, on-device and in-transit
- Remote wipes of desktops and devices
- Custom retention period for deleted files and file revisions
- Granular user-access and security controls
- File revision backup
- Managed file sharing for internal and external parties
- Multiple folder backup (Documents, Desktop, Pictures, etc.)
- Continuous real-time backup
*data from eFolder, Inc.