5 Dropbox Security Warnings For Businesses

Mathew J. Schwartz

More Dropbox Security Strategies



4. Treat Dropbox As A Public Repository

Until Dropbox adds those stronger security measures, and all employees adopt them, businesses that use Dropbox should inform employees that anything they upload to the service will be treated as "public"--that is, as if it were published to a public Google Group, Yahoo mailing list, or the like.


"If there's any information you're worried about, you're better off encrypting those files before you upload them. But that adds another layer of work for users, and users are lazy," said the threat intelligence manager for Trustwave SpiderLabs, who goes by "Space Rogue," speaking by phone. "It annoys me that companies rely on third-party services like [Dropbox], but that's the way that businesses are going."

Other security experts agreed with that assessment. "Anything that is really sensitive or extremely valuable or needs to be kept very secret, I wouldn't store on anybody else's servers," said Marco Arment, the creator of Instapaper, on his blog. "That, to me, seems ridiculous unless I held the encryption keys--like with the online backup service that I use."

5. Insider Theft: Can You Detect It?

One of the biggest information-leakage threats facing businesses, besides external attackers, is malicious insiders. Thus, when weighing if and when employees can use Dropbox, ask whether your business would be able to detect information exfiltration while it's happening or after the fact. "As an old IT guy, having my employees use something like Dropbox--where the files are no longer accessible to the IT department--makes me very, very worried. Because as an IT guy responsible for data, I want ... to know that if someone gets fired, I still have access to all of that information," said Trustwave's Space Rogue.

Accordingly, businesses should consider restricting employees to use only centrally managed file-sharing services. "If I was looking to get a third-party file-storing service like that, I'd want to ensure that I had admin access to all of that data," he said.

The only catch, unfortunately, is that instead of being baked in, decent cloud security can be a costly add-on. Dropbox, for example, now offers Dropbox for Teams, which adds centralized administration, better security, and Active Directory integration. But the cost of the service starts at $800 per year for just five users.
