Dropbox For Your Business? Think Again…
Frequently, while in the field, I get asked about using Dropbox in the business environment. Dropbox is a free, cloud-based storage tool used to share and sync files, photos, videos, and more between multiple devices and other users. By default, Dropbox provides 2 GB of free storage, with more available for a monthly fee. All the user has to do is place the files to be shared in the Dropbox folder. An attractive feature for users is that Dropbox can double as a file backup solution at little to no cost.
So how safe is storing company data in a cloud-based service such as Dropbox? Recent history has shown that it is not that safe. Dropbox has had several security breaches, including user account compromises that have led to data leakage and the spread of malware. There is also a real risk of violating regulatory compliance requirements by storing sensitive data on a public cloud service such as Dropbox. Safeguarding sensitive data should be taken very seriously given the possible consequences of a data security breach. A HIPAA violation for neglecting the security of sensitive data, for example, can start at $10,000-$50,000 per violation. Oh, and by the way, Dropbox is not certified for HIPAA, PCI-DSS, or ISO 9001 at this time.
Are you concerned about your business using Dropbox? Here are some things you can do, or have your service provider help you with.
- Conduct a review of the current control environment and remediate any deficiencies. For businesses that handle sensitive data subject to compliance laws, an IT security audit would identify the major areas of deficiency.
- Control access to Dropbox at the firewall level.
- Use a file encryption service that encrypts data before it is shared into the cloud.
- Use the two-step verification security setting within Dropbox to enhance overall security through multi-factor authentication.
- Put in place formal acceptable-use policies for the Internet and workstations in the workplace.
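To make the encryption item above concrete, here is an added Go example (not code from the original post or from Dropbox) of client-side encryption: the file is sealed with AES-256-GCM before it ever reaches the sync folder, so the cloud service only ever holds ciphertext. It assumes a 32-byte key kept outside the sync folder; the file name and contents are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)
// newGCM builds an AES-256-GCM AEAD; key must be exactly 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealFile encrypts a file's contents before it is placed in the sync folder. The file
// name is bound as associated data, so a ciphertext copied over another file is rejected.
func sealFile(key []byte, name string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil // nonce || ciphertext || tag
}

// openFile reverses sealFile; any change to nonce, body, tag or file name is rejected.
func openFile(key []byte, name string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed data too short: %d bytes", len(sealed))
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys never enter the sync folder
	rand.Read(key)
	sealed, _ := sealFile(key, "patients.csv", []byte("constructed sample record"))
	fmt.Printf("%d bytes of ciphertext ready for the Dropbox folder\n", len(sealed))
}
```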
Posted By: Alfonso Powers, CISSP, CISA