The Risks of Using Dropbox for Business Data

The rise of online file-sharing solutions, such as Dropbox, means that distributing information is now easier than ever before. This is great news for collaboration and the speed of executing business. The downside, of course, is that it is also easier for information to fall into the wrong hands, either intentionally or unintentionally.

At the time of writing, Dropbox has over 200 million personal and business users and is the world’s leading solution for mobile file access. Whilst the benefits are clear, unfortunately, what works for family photos does not necessarily work for business data and this method of storing and sharing data can give rise to a plethora of legal, compliance and commercial risks in a business environment.
Here are some common risks that Dropbox can pose to your business data.

Lack of Control and Data Loss

The majority of the problems with Dropbox come from a lack of oversight. Data owners cannot know on which devices Dropbox is going to be installed and are, therefore, not able to control which employee devices can sync with business data. Because of this, using Dropbox can provide a means for company data to be synced across personal devices without authorisation. These uncontrolled devices can be taken anywhere their owners go, be it public transport, taxis, coffee shops or friends’ houses. This massively increases the chances of data being stolen, deleted or accidentally shared with unauthorised persons.

Data Corruption

A study by CERN revealed that creeping data corruption was observed in 1 out of every 1500 files. Businesses rely on their cloud solution providers to ensure that stored data maintains its integrity over time. However, most file sync services, including Dropbox, do not implement data integrity assurance processes to ensure that any bit-degradation or corrupted data is replaced with a redundant copy of the original.

Legal and Contractual Compliance

Dropbox employees have the power to access your data. Their privacy policy says that this is only done in exceptional circumstances such as where they are legally obliged. However, this could breach privacy agreements in place with clients and third parties or be in violation of your country's data protection laws.
Data retention policies usually require that files be held for a specified length of time and should only be accessed by authorised people. Because Dropbox has loose file retention and file access controls, businesses that use Dropbox may find themselves in breach of data retention policies.

Lack of Accountability

Dropbox does not track which users and devices have accessed a file and when it was accessed. This can make things very difficult if you are trying to determine the events around file creation, modification, or deletion.

One Solution

Dropbox poses several challenges to businesses that care about control and visibility over their data. Allowing employees to use Dropbox can lead to massive data leaks and security breaches, and many organisations implement formal policies or discourage employees from using their own file-sharing accounts. Enterprising employees will often find a way around this or even just ignore the policy if it cannot be technically enforced.
The best way for a business to tackle this issue is to deploy a company-approved method of sharing data. It should allow IT to tightly control who can access data and ensure it is only shared on well-secured devices, yet give employees the access and functionality they feel they need to be productive.
