Dropbox is making headlines again, but not for the best of reasons. The file sharing service has been compromised - once more.
Earlier this week it was reported that criminals are targeting Dropbox users with a bogus password reset email that, when clicked, infects the victim's machine with Zeus-family malware.
You might also remember that Dropbox was hacked last July with usernames and passwords stolen from third-party web sites and used to access Dropbox accounts. That drove the company to add encryption and two-factor authentication in a move to ease security concerns of enterprise customers. But that wasn't enough.
Recently, two skilled security researchers have proven that those Dropbox security add-ons can be disabled, and enterprises are being urged to be aware of the risks. If you're interested in the technical details of how they hijacked accounts, check out “Looking Inside the (Drop) Box.”
There's a misperception that top-notch security comes with time-consuming, complicated IT management - and that users lose the ease-of-use and convenience that is so often associated with free, public cloud solutions like Dropbox. Not true.
It is totally possible to enable employees to access, create, edit, synchronize and share information from anywhere, all while maximizing data security. Here's how:
1. Be proactive. IBM took a stand last year, banning Dropbox from being used on its corporate network. If you're worried about potential security holes, take action and prohibit use, and offer a managed, easy-to-use alternative.
2. Maintain control. If someone leaves the company or loses a device, you want to know what information needs to be wiped and what access rights need to be blocked, and you want the power to make it happen. You want to know exactly where your data is stored, so you know who can see it. And you want to be able to instantly report on who has downloaded files, shared files, edited files and accessed files when your managers - or auditors - come a-knockin'.
3. Encrypt, encrypt, encrypt. As Ryan Fahey, a security researcher at InfoSec Institute, puts it, "By encrypting sensitive data, one ensures would-be thieves gain a whole lot of nothing." Encryption should be automated, happen behind the scenes and protect data not just in transit, but also at rest.
4. Customize security preferences. You should never be forced into a one-size-fits-all usage scenario. Since every organization has unique requirements, you should be able to create storage caps for workspaces, customize file and workspace retention policies, control file sync privileges, enable/disable mobile access and file synchronization and enable LDAP Groups to manage groups of users to your heart's content.
There is no need to gamble on file sharing services with questionable security controls. IT can play a leading role in keeping enterprise data safe and organizations out of security breach headlines.