Company Policy Be Damned: Employees Love Dropbox
According to a survey of 662 IT professionals, 31% of their users frequently use Dropbox and 29% use it very frequently. Fifty percent of respondents believe that the use of Dropbox has likely or very likely resulted in a loss or theft of confidential documents. The 2012 Confidential Documents at Risk Study by Ponemon Institute bares the biggest open secrets in IT: Data in the hands of the users is as good as lost.
And the IT department might be at a loss as to what to do because nearly half the respondents in the survey--47%--said their organization uses manual monitoring and controlling to reduce the risk of file sharing tools. Aside from being inefficient, internal monitoring adds to the existing IT security workload of creating spam filters and firewall exceptions, monitoring Web filters, patching, maintaining anti-virus protection, scanning, re-imaging, and so on.
Forty-one percent of respondents said they use employee training and awareness to reduce the risk of file-sharing tools. But when 60% of employees are frequently using browser-based file sharing, education clearly isn't the complete answer.
According to the survey, 31 percent of the sensitive or confidential documents were leaked by unauthorized individuals because of carelessness or internal control issues. In contrast, malicious or criminal insiders--based on an extrapolated average--were cited as leaking 19 percent of these documents.
"If your industry is highly regulated, you're terrified about Dropbox right now," said Ryan Kalember of WatchDox, which sponsored the survey.
In addition to losing data through careless or malicious employees, 70% of enterprises frequently or very frequently grant contractors and business partners access to sensitive or confidential documents. The result is that the documents end up in too many places with exposure to too many eyes.
The problem of data theft and loss has been around since my family's TRS-80 cassette deck. The difference is it took us five minutes to save a 10K hangman program to a cassette tape. In that same five minutes today I can queue up 100GB and walk away.
Data proliferation is another problem of unmanaged collaboration. When an employee emails a spreadsheet, the document is replicated at every leg of its journey: Postini, the recipient's mail server, a local Outlook folder. And each one of those is backed up to another server for redundancy.
Of course, Dropbox is only one of dozens of cloud storage services. Amazon S3 is another. In fact, Dropbox is hosted on Amazon so you can't really know where your data resides. According to the survey, the average organization uses 13 browser-based file sharing tools and uploads 2GB per month.
Blocking cloud storage access from the enterprise is impractical because it pits IT against the employee and it opposes open collaboration. Preventing the transfer of data from Dropbox is proving to be impossible. Case in point: Ponemon recently learned from one of his clients, a financial services company that maintained a tight lock on its network, that employees were running to a Starbucks down the street to download Dropbox data to a thumb drive and upload it again after making their changes. Employees are downloading documents from clients and customers who use Dropbox, so the financial services company has to look the other way to get business done. Thought the sneakernet was dead? I'm sure a lot of IT departments have similar stories.
What data is most at risk of loss? Fifty percent of respondents said customer and consumer documents might "be attributed to the volume of this information and the access employees and others have to these records."
The survey also found that "the majority of organizations--67%--have a method for classifying the confidentiality of documents as part of their efforts to assign access rights. The more levels an organization uses shows how well it understands the confidential and sensitive information that exists in documents and are most in need of securing."
But large, document-intensive service organizations such as law firms, ad agencies, and government--whose capital is their ideas--don't really know where all their confidential and sensitive data is. Some is in the CMS, some in a network share, and some is stored locally. Determining who should have rights is impractical.
Because collaboration and mobile have changed the way files are produced and shared, the nature of securing unstructured data has to change with them. In other words, the enterprise has to come to grips with the fact that it has lost meaningful control over most layers of the stack, so it now has to approach data as the main front in the battle to keep things secure. Some organizations are adopting a data-centric security (DCS) model. DCS has two components: It maintains encryption when the file is in motion, at rest, and in use. It also controls what the colleague, business partner, or client can do with the data, such as forwarding, printing, and editing.
Companies such as WatchDox, FileTrek, Fasoo, and NextLabs provide enterprises with a data-centric security solution for using Web- and mobile-based platforms to assign rights, even retroactively.
I did notice that these products require cookies or even Flash cookies to be enabled by default, which might be a difficult compromise for organizations that are vigilant on desktop security.
The key to adoption, says Kalember, is ease of use across all platforms. "If you make it as easy to use as Dropbox where employees can access all their data in one place from any device, they'll use it and they won't need Dropbox."