Eight features that your file sharing application should have to be secure
Read up on the risks of using file sharing apps, how they measure up against compliance, and get tips on tackling shadow IT in your organisation. This is a valuable resource if you are considering sourcing a Dropbox alternative.
The term ‘shadow IT’ refers to applications that haven’t been approved or sanctioned for a company network. Employees install them when they need a quick fix to a problem, bypassing IT processes to get the job done quickly.
Cloud-based file sharing applications are a particularly common form of shadow IT and it is easy to understand their appeal. An employee needs to send a large file; it is too big for email, so they download a consumer grade app and get the job done quickly.
But there are many reasons why this isn’t good practice – especially if the file contains personally identifiable information or company sensitive data.
File sharing apps: The risks
The first question to ask yourself is ‘What am I sharing?’ If it is commercially sensitive information, or the personally identifiable data of your employees, customers or business partners (including images) then you need to be very careful.
Vulnerabilities in shadow IT can expose your data to hackers and malware, which can disrupt infrastructure, cause reputational damage and financial loss. For example, under the new EU legislation to protect personal data (GDPR), you could face a fine of up to €20 million (around £17.5 million).
Ask yourself these questions:
- Does the application use secure protocols to transfer data to and from the cloud? You should be looking out for SFTP, FTPS or HTTPS.
- How does the application authenticate users? For example, is there a password management policy that enforces strong, secure passwords for users (both senders and recipients)? Do passwords expire after a certain time?
- Where does the data physically reside? With cloud-based consumer file sharing apps the servers could be based anywhere in the world. You need permission from the data subject to hold their personal data outside the EU. In addition, there is the risk that the country does not have the same strict data protection regulation as the EU. You are still responsible for making sure it is processed securely though.
- Is the data encrypted at rest using PGP or AES?
- Do you know how long the data is retained before it is removed? Leaving a file in place after its transfer obviously increases the risk of access by unauthorised people. It is your responsibility to know when sensitive data is removed, and that it has been done securely and definitively. Ideally, your system should allow you to set up automated rules for secure wiping of data.
- How is access to the data managed? Can you – for example – set permissions so users (including administrators and recipients) can only access the data they require?
Consumer grade file sharing apps usually only offer single accounts, which is not a cost effective model for your organisation. Costs may be hidden within departments and add up to more than a licence for a properly approved platform with assigned user accounts and administrator access.
Multiple single accounts mean no one at the organisation has administrator access. When a member of staff leaves, the business is unable to access the file sharing application they have been using. You may lose files and contacts, or worse, be unable to evidence what data was sent, in the event of a data breach investigation.
Auditing and reporting
The GDPR requires organisations to ‘maintain a record of processing activities’ (article 30). Organisations should have a log showing all personal data transfers that occur, alongside an impact assessment to show each transfer has been completed securely. With multiple single user accounts, organisations lack this administrator overview.
Do I need a Dropbox alternative?
Dropbox Business and Education customers can be confident that security measures are in place. Details can be found in the Shared Responsibility resource.
There is no clear statement for Dropbox Basic, Plus, and Professional users though. The Dropbox Data Protection White Paper states: “While the scope of our certifications and audit reports typically refers to Dropbox Business and Dropbox Education, the majority of our controls are applicable for Dropbox Basic, Plus, and Professional users as well.”
This is not definitive and there is no indication as to which controls are included and which are not. We contacted Dropbox press office to ask for this information, but we did not get a response.
Pro2col technical consultants have investigated Dropbox Basic, Plus, and Professional and identified the following areas of concern:
- Personal accounts do not have access logs.
- There is no data processing agreement for any individual account.
- There is no clear statement on where the data is stored.
- There is no clear statement on secure data wiping.
- Although Dropbox encourages users to use strong passwords and implement two-factor verification, this is not enforced.
- Once a user has deleted a file, Dropbox will permanently delete it from their servers after a fixed time. If the user does not delete the file though, that data will remain there indefinitely.
Based on this, we do not recommend using Dropbox for transferring company sensitive information or personally identifiable data.
File share apps: Tackling the issue
Unless there is an alternative file-sharing platform for employees to use, they will inevitably resort to shadow IT. You need to build relationships with your users and provide a tool that works for them.
Build relationships with users
With file sharing apps and other shadow IT, it is really important to educate employees about the risks. They are more likely to think twice if they understand the consequences of a data breach. Building relationships with users in different departments allows you to identify their requirements and source a solution that meets their needs.
Provide a Dropbox alternative
There are excellent products on the market that allow employees to share files in a way they have become used to, but securely, and with enhanced governance and visibility of data. Users can easily share files of virtually any kind via any web browser, allowing others to access, upload, and download folders and files.
In fact, you may already be able to do this if you are using an ftp server – contact us to find out how.
If you think you need a new solution, our free bespoke secure file transfer comparison report will save you weeks of research time and identify the right solution for you. It is informed by 15 years’ experience delivering secure file transfer solutions, a deep understanding of user needs and continuous review of the multiple vendors on the market.
You complete a series of questions about your current and future business requirements, and receive a bespoke report from our technical consultants recommending the best solution for your needs and budget.
This information is up to date at the time of publishing – 7th June 2018 – and based on research our technical consultants carried out. The information about Dropbox was research using the feature comparison for Basic, Plus and Professional, Dropbox business: Shared responsibility, Dropbox Data Protection White Paper, Data Retention Policy and password information.