Introduction

Okay, so you’ve banned memory sticks (at least I hope you have), but a threat remains hidden in plain sight, and your staff may be jeopardising your organisation without even realising the risk.

Unless you have positive controls to prevent the use of file sharing applications such as Dropbox, you may be haemorrhaging both personal and sensitive corporate data. In brief, consumer-grade cloud file-share services (CGCFS, such as Dropbox, GoogleDocs, iCloud and similar products) are a huge risk.

Five File Sharing Vulnerabilities

1. No control leads to data leakage and theft, as the data is synchronised to personal devices that may then be compromised through weaker security controls. Without controls, confidential files might accidentally be made visible to the public.

2. Your records management policy is wide open: with uncontrolled copies of data in unspecified locations, the organisation loses the ability to uphold the rights of the individual, such as finding, correcting and deleting their data.

3. A study by CERN found that such services can lead to the corruption of 1 in every 1,500 files. Unlike commercial applications, most CGCFS solutions don't implement data integrity assurance, nor do they ensure backups.

4. CGCFS systems lack adequate auditing tools to log system access, rendering breach detection impossible.

5. Because the files may be synchronised back to the network, these systems can cause version control conflicts.

A Real World Prosecution

On 16 March 2017, the UK Information Commissioner’s Office (ICO) issued a ‘senior barrister’ with a ‘monetary penalty notice’ (a substantial fine) as a result of using Dropbox.

The barrister’s chambers were in the process of an IT upgrade, and the barrister elected to copy client files to a personal Dropbox account to ensure continued access. Unfortunately, the files were placed in a folder which was not restricted, and they became visible to all and sundry on the internet.

ICO Prosecution of Barrister for File Sharing

Specifically, the ICO cited that the barrister

“knew, or should have known, that there was a risk the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress”

Conclusions

Since file transfers are so important – and the use of portable memory devices is equally fraught with risk – the organisation should select an appropriate business-grade service and maintain total control.

For more mature organisations, or where the data to which staff have access carries particular risk, you should consider a dedicated Document Management System which provides satisfactory audit trails.


Humperdinck Jackman, Author

Director of Consulting Services

Humperdinck has a 30-year career spanning Document Management Systems (DMS), data protection, Artificial Intelligence and Robotic Process Automation. With many articles published in print internationally, he believes the advances in office technology are such that we're entering the 4th Industrial Revolution. Now Director of Marketing and Consulting Services at Advanced UK, he's as active with clients as he is in endeavouring to write original blog articles.