“Good things come in small packages.” This time of year we think about what those good things might be. Perhaps a nice piece of jewelry in a fancy little box. Or a gift card to a favorite store or restaurant. Maybe it’s a year-end bonus check in a company envelope. Or not.
What if that tiny little Dropbox icon at the bottom of a worker’s computer screen is the “small package”? Maybe the “good thing” going into the virtual box (really an online storage facility) is the company’s confidential financial statement. Or perhaps a spreadsheet full of customer names and contact information. Or a list of loan applicants and their social security numbers. That would be…not so good.
Dropbox is a handy little application for consumers who want to trade photos and other personal files with each other. I’ll admit, I’ve got the box icon on the bottom of my PC screen, and I do use and like the tool. However, Dropbox use is growing in the enterprise, mostly unbeknownst to corporate IT or information security groups. This is putting corporate data at risk and creating regulatory compliance problems for many companies.
The company that produces Dropbox says it has 100 million registered users worldwide, and that number is growing exponentially. In September 2012, the storage company Nasuni conducted a survey of more than 1,300 corporate IT users and learned that 1 out of 5 respondents place work files in a personal Dropbox account. What’s more, 13% of the survey respondents admit to using Dropbox to access work files on a mobile device. According to Nasuni, 29% of the corporate users of Dropbox are at the director or vice president level, and 22% are at the C-level. These are people who would have access to some pretty sensitive information.
Why do people use Dropbox and other tools like it for work? It’s simple, convenient, and free. It works on multiple platforms, including PCs, smartphones and tablets. It lets people access work data when and where they need or want to; for example, when they are killing time in waiting rooms or at their kid’s sports practice.
Perhaps more importantly, workers use Dropbox to take their company files home because they haven’t been told NOT to do this. What’s more, the IT department often doesn’t provide an adequate (or easy-to-use) alternative: email attachments are limited in size, FTP is cumbersome, and managed file transfer applications are rarely available to everyone who needs them.
I’m preaching to the choir when I tell you what problems this practice causes. Who knows where corporate data is going, or who has access to it? If a worker leaves the company, the Dropbox account – and everything in it – goes with him. What if he’s going to work for a competitor? All of this may lead to data leaks or breaches as well as regulatory compliance violations.
Companies that have not addressed the issue of corporate data going out the door via consumer-oriented storage tools should consider their options before a data breach forces their hand. Options include:
- Create a corporate policy regarding the use of Dropbox and similar tools and make sure all employees are aware of the policy. Now, people won’t always follow policy when convenience and necessity are at stake, but making people aware of an acceptable use policy is an important first step.
- If you know that your workers like to use Dropbox, at least consider licensing the business edition, which claims to have enhanced security. (I’ve not tried it so I can’t vouch for it.) Be aware, however, that Dropbox has twice acknowledged vulnerabilities in its data security, so this company may not be worthy of your corporate business just yet. Check out this article about recent hackings: http://www.zdnet.com/dropbox-gets-hacked-again-7000001928/
- If you simply don’t want people using Dropbox or tools like it, block the applications by blacklisting them and by removing them from corporate-owned endpoints.
- If you haven’t done so already, conduct an exercise in data discovery and data classification so you know what data you have, where it is, and what level of sensitivity should be assigned to the data. Using the administrative tools you have, tighten access to sensitive files and make sure you know who is doing what with them.
Too many data breaches are hitting too many organizations. While consumer-oriented cloud storage tools are easy for workers to obtain and use, they aren’t appropriate for the enterprise. Companies need to address the issue before they become the next data breach headline.