Comment: File Sharing Opens the Box of Information Security

David Reed discusses the dangers of using free file sharing services in an enterprise setting
David Reed, Data Governance Forum

Do you use Dropbox to share corporate information? If so, you might have dropped the ball on information security. At the end of July 2012, the file sharing service announced that some accounts had been hacked using IDs and passwords stolen from another website. It also revealed that one of its own employees was storing customer data in their Dropbox folder, potentially exposing all of those accounts if that staffer was one of the users targeted in the hack.

While the file sharing company says it has helped affected users protect their accounts, the real recovery process only began when it introduced two-factor authentication (involving the use of a secure code sent to a mobile phone) on August 27. This feature remains optional and requires users to change their security settings. The Dropbox hack is just one of several recent attacks on social network and file sharing/storage sites that show the culture of sharing does not sit easily with the requirements of information security.

Moving documents and data around is one of the fundamental needs of modern business. What used to be sent by disk two decades ago, and email ten years ago, is increasingly shared via collaboration tools. Many of these sit within the corporate firewall and are subject to the core security procedures that are applied to all systems and servers.

Increasingly, file sharing services outside of this secure environment are being used, not least because they are often built into mobile devices being adopted by business executives. Buy an iPad and you are urged toward the iCloud, whether as an individual user or for professional applications, for example.

Bring your own device (BYOD) has already been recognized by IT as a risk factor, and many organizations are taking steps to secure information on mobile devices through encryption and remote wiping. That works well for the formal, official uses of those devices and the authorized information they may be used to process.

The problem is that business culture has become much more relaxed, distributed and even invisible. Command and control is very difficult to impose on a generation of managers who have grown up connected, with the assumption that the information and applications they need to do their jobs will be available wherever they are based and on whatever device they may use.

Extended working hours – where those mobile devices are rarely (if ever) turned off – have also served to blur the line between official and personal activities. If social networks are used to share private photos with friends, then why not use a free file sharing service to send an urgent file to a colleague? The underlying assumption is of an equivalence of risk, based on presumed built-in security and very few examples of real harm arising.

It is this culture that needs to be addressed as part of a data governance program. Rather than focusing on technical fixes and the introduction of more encryption and monitoring solutions, executives need to be trained, informed, measured and incentivized on their behavior around sensitive and personal information for which they are responsible.

Sharing is a genie that has long escaped its bottle. Instead of trying to stop it back up, attention needs to focus on just what wishes are made – share what is personal, secure what is official, for example.

Making the business case for training and communication around data governance is never easy, because budgets are geared more readily toward hard solutions like technology than to soft ones. That is why The Data Governance Forum has created a whitepaper (available exclusively for its members) that outlines six of the most typical dimensions on which a compelling argument for more investment into data management can be made. They include reducing risk by improving adherence to security policies and data protection.

When it comes to third-party networks and sharing sites, the message should be a simple one: Don’t use them for company assets. If your staff would not think of moving company funds into their own bank account, neither should they move sensitive information into a personal website.

David Reed founded The Data Governance Forum to represent, inform and connect end-user organizations that manage personal information and are looking to maximize its value to their business. He is also the editor of DataIQ, the journal of data management produced by DQM Group, editor of the IDM Journal of Direct, Data and Digital Marketing Practice, and course editor for the IDM Award in Data Management.