Even if Dropbox is secure, its usage may still pose a risk
Used by more than 9 million businesses worldwide, Dropbox is a prominent player in document sharing. It has demonstrated the security of its platform over the years, for instance by employing enterprise-grade encryption. It has also obtained certifications for the highest compliance standards. Dropbox is a relatively secure solution for safeguarding your data.
While Dropbox itself is relatively secure, the way it is used within organizations can pose a threat. Employees are not infallible, and their day-to-day usage of Dropbox can lead to security risks, including data loss. But should you blame your teams? No. They are overloaded by their business priorities, and we can't say that Dropbox helps them understand how to keep their documents safe. Could its sharing settings really be any more opaque?
What are the risks associated with Dropbox usage?
The usage-related risk of Dropbox primarily lies in potential data loss. Let's take a closer look at how much risk your team's daily activities could create for your organization.
- Publicly exposed data: Dropbox files shared with a public link allow anyone who has the link to view, edit, and download the data. This type of sharing is particularly concerning because it is difficult to track who has accessed your data, making it a significant security vulnerability.
- Potential PII data: Dropbox allows users to share various types of data, from CSV files to Word documents. These files may contain highly sensitive data, such as Personally Identifiable Information (PII) like email addresses and passport numbers. This could pose a threat to your compliance efforts.
- Confidential data: These files may also represent critical assets for your company, where confidentiality is paramount. This might include your customer base, financial projections, feature roadmaps, and other sensitive information crucial to your operations and competitive edge.
- Data exfiltration: Unfortunately, insider threats are a reality, and employees could exfiltrate large amounts of confidential data to their personal email addresses, especially when they are about to leave the company.
- Inactive assets: As organizations mature, they accumulate externally shared documents that are often forgotten by their owners but remain accessible to external users. These documents pose a potential threat to your company, as they could be misused or exploited.
Dropbox usage raises concerns not only from a security standpoint but also from a compliance perspective. Compliance frameworks have recently raised their expectations for data protection. Without going through every framework in detail, it is worth noting that the new ISO 27001:2022 imposes measures on data loss prevention (see control A.8.12: Data leakage prevention).
The challenge: reviewing the volume of assets shared in large organizations
The real problem is the sheer volume of data being shared continuously and updated in real time. Across all Dropbox users, 100,000 new shared folders and links are created every hour, and 4,000 file edits are made on Dropbox every second (source: company filings). Our internal findings confirm this picture: for organizations with at least 80 users, the total number of files shared externally exceeds 5,000.
Given the vast volume of shared assets, it is challenging for admins to accurately assess the risk of data loss in their Dropbox organization. Dropbox's native security features are limited, and the admin console is not user-friendly. It fails to provide insights into the security posture of the organization.
Even with improved visibility into the shared assets, IT teams would still struggle to conduct a proper review because they lack the business context behind each share. Was Jessica from Marketing right to share this file with a public link? Impossible to know. This issue compounds with tens of employees and the number of assets they handle.
Tackle data loss risk at scale on Dropbox
Step 1 - Monitor your assets shared externally
With Elba, you can launch a scan of your Dropbox organization in seconds. You will obtain a comprehensive view of all the assets shared externally by your teams. Elba provides a granular view of all these shares, whether they were made via public links or with specific external addresses.
Elba offers real-time monitoring and serves as a source of truth for your Dropbox data. In contrast, the Dropbox admin console is challenging to navigate, providing little to no overview of shared assets.
Step 2 - Leverage your teams to review your assets at scale
Gaining more visibility into shared assets is essential, but it's not sufficient to address potential security issues. IT teams lack the business context for every document shared and cannot assess whether it was legitimate to share it with those specific individuals.
Elba enables you to involve those who possess this business context, your teams, with a frictionless experience. Elba scales the review of assets shared externally with automated notifications that prompt users to review their documents. Not only is this distributed process the most suitable for a proper risk assessment, but it also relieves IT teams of a significant burden.
Step 3 - Audit review from your teams
And there you have it: watch your data being reviewed in real time. All actions taken by users are consolidated in your admin console, providing a complete audit trail of the process.
This list of security alerts reviewed by your teams will give you peace of mind regarding potential data loss, and it will also serve as substantial evidence for your compliance efforts, which are increasingly stringent in terms of data protection.
Securing your data is crucial for your overall security posture and compliance efforts. As a document storage and sharing platform for your organization, Dropbox is highly likely to host some of your most sensitive data.
Elba steps in to compensate for the lack of native security features on Dropbox, assisting you in managing the risk of data loss at scale through a collaborative approach. This not only saves time for IT teams but also for employees, making the process efficient and effective.