Introduction

Okay, so you’ve banned memory sticks (at least I hope you have), but a threat remains hidden in plain sight, and your staff may be jeopardising your organisation without even realising the risk.

Unless you have positive controls to prevent the use of file sharing applications such as Dropbox, you may be haemorrhaging both personal and sensitive corporate data. In brief, consumer-grade cloud file-share services (CGCFS, such as Dropbox, GoogleDocs, iCloud and similar products) are a huge risk.

Five File Sharing Vulnerabilities

1. No control leads to data leakage and theft, as the data is synchronised to personal devices which may then be penetrated by lesser security protocols. Without controls, confidential files might accidentally be made visible to the public.

2. Your records management policy is wide-open: with uncontrolled copies of data, location unspecified, the ability of the organisation to uphold the rights of the individual, such as finding, correcting and deletion.

3. In a study by CERN, such services can lead to the corruption of 1 in every 1,500 files. Unlike commercial applications, most CGCFS solutions don't implement data integrity assurance, and nor do they ensure backups.

4. CGFCS systems lack adequate auditing tools to log system access, rendering breach detection impossible.

5.Because the files may be synchronised back to the network, these systems can cause version control conflicts.

A Real World Prosecution

On 16 March 2017, the UK Information Commissioner’s Office (ICO) issued a ‘senior barrister’ with a ‘monetary penalty notice’ (a substantial fine) as a result of using Dropbox.

At issue, the barrister’s chambers were in the process of an IT upgrade, and the barrister elected to copy client files to a personal Dropbox account to ensure access. Unfortunately, the files were placed in a folder which was not restricted, and the files became visible to all and sundry on the internet.

Specifically, the ICO cited that the barrister

“knew, or should have known, that there was a risk the contravention would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress”

Conclusions

Since file transfers are so important – and the use of portable memory devices is equally fraught with risk – the organisation should select an appropriate business-grade service and maintain total control.

For more mature organisations, or where the data to which staff have access carries particular risk, then you should consider a dedicated Document Management System which provides satisfactory audit trails.

Have you read:

• The Relationship Between GDPR and Cyber Security
• The 5 Hidden Risks of File Sharing
• 10 Step Guide to Cyber Security
• Cyber Security vs. Printers and the IoT
• 12 Cyber Security Readiness Tips
• Cyber Security: Integrating Risk and the CIA Triad
• Why Understanding RISK is Central to Cyber Security
• A GDPR Centred Approach to Cyber Security