Risks to your Corporate Data go far beyond the Patriot Act
Nobody can doubt the value and the power that is afforded to employees with the advent of online file-sharing solutions. Simplifying access, sharing and collaborating of critical information has never been easier creating great leaps in productivity.
The downside … it is now easier for your proprietary information to fall into the wrong hands intentionally or unintentionally.
Adding to the challenge is the increasing demands that employees are placing on IT resources to have mobile access to their data and the ubiquitous need to support Bring Your Own Device (BYOD) policies to allow anywhere, anytime access to corporate data.
With the unrelenting trend of consumer applications appearing in the workplace, it becomes easy for employees to gravitate towards the use of services such as Dropbox. With over 200 million users, Dropbox is the leading vendor for online file-sharing. Dropbox is a great productbut, what works well at home for storing and sharing family pictures, is not the correct solution for your corporate data. Dropbox is easy to install and simple to use however, consumer products can present unmanageable risks in terms of security, legal exposure and, commercial loss within a business environment.
Business owners and IT professionals should consider the following:
Unauthorized loss of data
Dropbox is difficult to monitor across multiple PCs and mobile devices. As a result, business owners and IT staff are not aware of which devices have Dropbox installed and, are not in control of unmonitored devices using Dropbox that are synching critical data with Corporate PCs. As a result, Dropbox can sync, without IT approval, across multiple personal devices. These personal devices, particularly mobile devices, can get lost or stolen, dramatically increasing the chance of your data being shared with the wrong people.
There are three legal exposures to online file-sharing applications, file deletion and file sharing and being offside of compliance requirements. Giving employees the untethered power to permanently delete files will likely put you off side any legal discovery and disclosure requirements. Similarly, giving employees the ability to share confidential information will almost certainly put your business offside of many confidentiality and privacy commitments that you have made to clients and other third parties.
Most companies have digital data protection and retention policies in place. These policies are a key cornerstone in protecting your data. Ensuring that data can only be accessed by approved individuals and, that data retention policies are being complied with is critical to ensure that your business is meeting all of your compliance obligations. File access controls, sharing controls and retention setting are not well defined or are non-existent in consumer products such as Dropbox.
Many companies need to ensure that their data is kept and managed in line with legislative requirements. In Canada, HIPA, Protected B and PIPEDA are examples of how data being stored on a generally available, consumer file-sharing application will be non-compliant.
Accidental Loss of Data
The movement of files across multiple devices and multiple users is not managed well by Dropbox. It is important to realize that copying a file does not necessarily result in a copy having full integrity. The cloud offers great reliability, but files need to be checked for integrity at the time of copying to ensure that all file versions can be retrieved instantly.
File Change History
Consumer file-sharing products do not provide detailed reporting with respect to which users have accessed files, modified them, or copied them onto which machines. This removes any ability to audit processes or assess the risks to your business of data loss.
The Patriot Act
In Canada, there is a growing requirement to ensure that critical data is not stored outside of Sovereign Canada. The vast majority of consumer, cloud storage solutions, such as iCloud, Dropbox, Google Drive etc. have their data repositories in the USA or other foreign jurisdiction. This, under certain circumstances, puts your data at the potential risk of third party discovery actions.
What should you do?
Dropbox is a great product, but is woefully inadequate for use within a business or corporate environment if you care about the use, control and access of your data. Unfettered use of a non-corporate controlled file-sharing application will almost certainly lead to data loss, security breaches and non-compliance.
The management of 3rd party applications and stopping employees from installing these types of services, particularly on their own devices is close to impossible. The demand for this type of application from your employees is undeniable and as a result, businesses should offer these services with a corporate orientated product.
HBizzSync is an example of this type of application. The solution allows IT to control user access and permissions, data, monitor activities and ensure that your data is protected while at the same time, giving employees all of the flexibility they need in terms of access and functionality to help them collaborate more effectively.
Call us to show you a demonstration of how we can protect you better.
Leave a Reply