by Mike Batters, Technical Director, NETprotcol, www.netprotocol
Dropbox has featured frequently in the news recently with headlines about a number of security breaches. Some have been exploits using email addresses and passwords leaked from other services to access Dropbox accounts. Dropbox have been updating their services to improve their own security, but that doesn’t address the leaked data from elsewhere. Dropbox can’t be blamed for people using the same password on numerous services, but that’s what users do and probably always will. Dropbox, however, didn’t notice a group of machines systematically trying thousands of email/password combinations to gain access, which is why they were criticised in 2014. Dropbox will remain a target and are always going to be attacked in this way, as any “hackers” have much to gain.
In addition to these security issues Dropbox has found itself in the spotlight time and time again, as its ability to share files so easily has been put to use by cyber-criminals. Dropbox public file links are commonly used to deliver ransomware, such as CryptoLocker, and other malware to users. As users see Dropbox as a trusted brand, they are more inclined to click links in random e-mails, assuming they are safe and genuinely believing Dropbox have somehow “checked” that the files are safe.
It’s a very simple and highly effective piece of social engineering on the part of the attackers, which works time and time again and should really be driving network security administrators to block Dropbox outright in corporate networks.
Then there is the question of data ownership. Like Google (and almost all public cloud services) Dropbox has been criticised over its T&Cs at times, which have granted it access to the user data it stores. For personal use this is not such an issue but when it is sensitive corporate information this could be a huge issue for law firms.
So, with so many reasons not to use it, why are so many people still using it? From our research, we have found a number of key reasons:
• Users already have personal Dropbox accounts, so it is very easy to use these to “legitimately” share corporate data quickly
• Users needed to share something urgently, but it was too big to email
• It’s free
• Network admins do not or cannot restrict users, and struggle to provide a credible, easy-to-use alternative
• They have forgotten or just ignored their IT training, which specified not to use Dropbox, Google Drive, etc. to share data
• They “have always used Dropbox” and so will carry on until change is forced upon them
As there are numerous risks and compliance issues associated with using public cloud storage, what are the options?
• Do nothing. Carry on allowing individuals within the business to use public cloud storage (i.e. Dropbox, Google Drive, etc.) in an unregulated manner. Hope the data is not leaked or compromised and there is no financial or reputational damage to the business. For the majority of law firms this is simply not a realistic choice once they are aware of the situation, although some may choose to ignore it.
• Stop the use of file sharing services. IT usage policies and technical solutions can be used to prevent the use of Dropbox and similar services, thereby removing the associated risk. File sharing provides a very swift means of delivering data, but there are traditional alternatives such as e-mail, or encrypted USB / CD for larger files. These are certainly an improvement, albeit with drawbacks.
• And my recommended choice – investigate and review the alternative private file sharing options, providing users with a credible service that meets legal compliance and governance needs. If file sharing services have business benefits, there are a number of secure private cloud based offerings available with minimal investment, allowing users to work effectively and mitigate the risks they would otherwise incur.
It may be time to establish if employees within your firm are using public cloud storage – and if so, who and what are they sharing? Does the information being shared need to remain secure, and where will the responsibility lie when or if your data security is breached?
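One way to start answering that question from the web-proxy logs most firms already keep is to summarise, per user, how much is being uploaded to the public cloud storage services named above. This is an added example and not part of the original article; the log line format, the hostnames and the sample entries are all constructed assumptions, to be replaced with your own proxy's format and data.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Services the article names; these hostnames are an assumption, extend them from your own proxy data.
PUBLIC_CLOUD_DOMAINS = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "drive.google.com": "Google Drive",
}
# Assumed (constructed) proxy log format: timestamp user method url status bytes_sent_by_client
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

def classify_host(host):
    """Return the service name if host is, or is a subdomain of, a listed domain."""
    host = host.lower()
    for domain, service in PUBLIC_CLOUD_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None

def summarise_cloud_usage(lines):
    """Per (user, service): request count and bytes uploaded via POST/PUT."""
    usage = defaultdict(lambda: {"requests": 0, "upload_bytes": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, user, method, url, _status, nbytes = m.groups()
        service = classify_host(urlsplit(url).hostname or "")
        if service is None:
            continue  # internal or other traffic is out of scope here
        entry = usage[(user, service)]
        entry["requests"] += 1
        if method.upper() in ("POST", "PUT"):
            entry["upload_bytes"] += int(nbytes)
    return dict(usage)

# Constructed sample log lines, not taken from any real firm's proxy.
SAMPLE_LOG = [
    "2016-03-01T09:14:02Z jsmith POST https://content.dropboxapi.com/2/files/upload 200 5242880",
    "2016-03-01T09:14:05Z jsmith GET https://www.dropbox.com/home 200 0",
    "2016-03-01T09:20:11Z apatel GET https://intranet.example/cases 200 0",
    "2016-03-01T09:31:40Z apatel PUT https://drive.google.com/upload/files 200 1048576",
    "2016-03-01T09:32:00Z apatel POST https://www.dropbox.com/sharing/create_link 200 512",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for (user, svc), s in sorted(summarise_cloud_usage(SAMPLE_LOG).items()):
        print(f"{user} {svc}: {s['requests']} requests, {s['upload_bytes']} bytes uploaded")
```

The per-user upload volume is what turns "someone is using Dropbox" into "this person sent this much data out", which is the starting point for the responsibility question the article raises.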