Okay, so you’ve banned memory sticks (at least I hope you have), but a threat remains hidden in plain sight, and your staff may be jeopardising your organisation without even realising the risk.
Unless you have positive controls to prevent the use of file sharing applications such as Dropbox, you may be haemorrhaging both personal and sensitive corporate data. In brief, consumer-grade cloud file-share services (CGCFS, such as Dropbox, GoogleDocs, iCloud and similar products) are a huge risk.
Five File Sharing Vulnerabilities
1. No control leads to data leakage and theft, as the data is synchronised to personal devices, which may then be penetrated because of their weaker security protocols. Without controls, confidential files might accidentally be made visible to the public.
2. Your records management policy is wide-open: with uncontrolled copies of data in unspecified locations, the ability of the organisation to uphold the rights of the individual, such as finding, correcting and deleting their data, is undermined.
3. According to a study by CERN, such services can lead to the corruption of 1 in every 1,500 files. Unlike commercial applications, most CGCFS solutions don't implement data integrity assurance, nor do they ensure backups.
4. CGCFS systems lack adequate auditing tools to log system access, rendering breach detection impossible.
5. Because the files may be synchronised back to the network, these systems can cause version control conflicts.
A Real World Prosecution
At issue, the barrister’s chambers were in the process of an IT upgrade, and the barrister elected to copy client files to a personal Dropbox account to ensure access. Unfortunately, the files were placed in a folder which was not restricted, and the files became visible to all and sundry on the internet.
Specifically, the ICO cited that the barrister
“knew, or should have known, that there was a risk the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress”
Since file transfers are so important – and the use of portable memory devices is equally fraught with risk – the organisation should select an appropriate business-grade service and maintain total control.
For more mature organisations, or where the data to which staff have access carries particular risk, you should consider a dedicated Document Management System which provides satisfactory audit trails.
⏱ 5 Second Summary
In brief, consumer-grade cloud file-share services (CGCFS, such as Dropbox, GoogleDocs, iCloud and similar products) are a huge cyber security risk to the organisation and should be prohibited.
Director of Consulting Services
Humperdinck has a 30-year career spanning Document Management Systems (DMS), data protection, Artificial Intelligence, Data Protection and Robotic Process Automation. With many articles published in print internationally, he believes the advances in office technology are such that we're entering the 4th Industrial Revolution. Now Director of Marketing and Consulting Services at Advanced UK, he's as active with clients as he is in endeavouring to write original blog articles.