Law Firms and the Not So Secret World of Dropbox Users
The ongoing security issues around Dropbox may have gone unnoticed by many law firms. For those who didn’t see it, Dropbox has confirmed that the login credentials of 68 million users have recently been made available online.
Under the radar, free and convenient file storage services like Dropbox are being used by staff on a regular basis. Whilst Dropbox and other services provide a variety of security features, failure to put these in place opens up businesses to various risks.
The proliferation of easy-to-use file sharing applications can be attractive for time-pressed staff compared to the sometimes cumbersome internal alternatives. There can also be pressure from clients who have their own preferences when it comes to sharing files. Convincing a client to use an alternative, firm-endorsed solution can be difficult.
What’s the problem?
So when it comes to ad-hoc file sharing, what is it about services like Dropbox that creates a risk for firms?
First of all, it’s the lack of control it brings. If your company computer network allows it, Dropbox can be downloaded and installed on any computer. Once in place, staff can then use it to transfer any number of electronic documents from the company network to their Dropbox account.
The reasons for doing this are generally innocuous. Time pressures may demand staff work on documents from home on an evening. Usually, this would involve working late from the office or unplugging the office laptop to cart it home. It can be much simpler to drag and drop a few files into Dropbox and then access them from a home computer later on.
Now imagine you have hundreds of people in your firm and at least 5% of them are using Dropbox regularly. That’s a lot of confidential documents about your clients that are being stored outside of your firm’s perimeter without you knowing.
The second reason is that it leaves a footprint on the machines it is installed on. When Dropbox gets installed, it keeps a local copy of each file that is transferred to Dropbox (as well as a copy on its cloud servers, although data here is encrypted).
Consider the person in your firm who uses Dropbox on a personal laptop or PC and then decides to sell it to buy a new one. Have they properly wiped the disk before selling it on, or have they handed the new owner all that client data stored in Dropbox with it?
Finally, Dropbox itself has been the subject of security breaches. In 2012, 68 million user names and passwords of Dropbox users were gathered when hackers used stolen employee login credentials to access the data. In the last few weeks, those details have been made available online.
Even if a Dropbox password has been changed, people have a habit of using the same password across multiple sites. For this reason, it is important that individuals ensure passwords have been changed on all websites they use.
Where from here?
The quick, convenient and secure movement of files is critical for firms. However, it is important for every business to identify their chosen solution and implement a uniform approach.
It’s not to say that the use of Dropbox or similar services is wrong. Dropbox has increased its security protection by adding, for example, two-factor authentication, remote device wipe and granular file permissions.
What firms need to do is assess the right solution for them and ensure it has been implemented with all the correct security controls. It is useful to engage with an independent consultant to manage this process, allowing firms to objectively assess the current state against the options available.
Tools such as BoxCryptor can be used to encrypt particularly sensitive files so that even someone with access to your Dropbox username and password cannot view the content of these.
The possibility of electronic file sharing should also be recognised at client engagement stage. Agreements should be made around the technologies being used to facilitate this and the security controls that will be adopted.
As cyber security becomes a priority for firms, electronic file sharing is only a small piece of the jigsaw. Awareness is absolutely key and it’s often the fine line that separates businesses from complete disaster.
If you’d like to learn more about the most suitable and most secure cloud-based document storage solutions for your business, get in touch right away.