The usernames and passwords of nearly 70 million Dropbox users were stolen and posted for sale on the internet, the company disclosed in August, due to a 2012 hack. While a Dropbox company blog post assured its users that their passwords remained safely encrypted and stored data was not exposed, the hack serves as a reminder why cloud storage and file-sharing service should not be used for storing and sharing sensitive board documents.
By taking advantage of the widespread availability of high-speed network connectivity and the declining cost of storage, Dropbox’s proposition led many companies to replace local data storage with cloud storage.
However, some of the very features that make Dropbox so popular—such as easy access to files on mobile devices and easy sharing with anyone—pose a serious security risk when the service is used to store and share boardroom data. So much so that, according to a 2016 report by MobileIron, a developer of enterprise-level secure mobile access management solutions, the Dropbox mobile app remains the most banned app by American employers.
Here’s why Dropbox may not be secure enough for board use:
1. Multiple instances of files. Dropbox, by default, creates a duplicate mirror folder on each user’s computer, containing all of the files uploaded to the cloud. Once the link between the local and the cloud folder is severed—such as when the user is not connected to the internet— the two folders become separate entities.
2. You don’t know where your files are. With Dropbox, users have no way to determine where their “cloud-stored” files are physically stored. Cloud storage services do not disclose this information, nor do they disclose which other companies’ files share the same server or servers. According to InfoWorld, “multi-tenancy”—the practice of storing the files of multiple customers on the same server—poses not only the risk of private data accidentally leaking to other tenants, but also that of data theft due to vulnerabilities in other tenants’ files.
3. Concerns over encryption and file transfer security. Even though, according to Dropbox, file data is stored in discrete file blocks that are fragmented and encrypted, IT administrators have no control over the data security and encryption.
4. Data on a stolen laptop can’t always be remotely wiped. While Dropbox provides the ability to remotely wipe the Dropbox folder from a stolen laptop containing sensitive data , for example, it can only do so if the stolen laptop is connected to the internet. Without internet connection there’d be nothing to prevent an outsider from copying the files from the Dropbox folder.
5. No control over the encryption/decryption key. Dropbox, not the user, holds the encryption/decryption keys for the user’s files. If this key falls into the wrong hands (as, according to Symantec, was the case in the Stuxnet malware attack) a company’s files may be compromised.
Companies can and should do better to protect their sensitive data than rely on one-size-fits-all cloud storage services. Beyond finding the right platform for your company—whether it be a dedicated board data portal or a custom system—the challenge lies in educating employees and executives of the perils of sharing sensitive files using the same cloud storage services they use for their own personal files. There’s simply too much at risk.