How dangerous is file sharing:
Scenario #1: An employee decides to leave the organization and wants to take company materials with them. They set up a personal file sharing account – often a free account with one of the big suppliers (Dropbox, Google Drive, Box and Microsoft) – and then they:
- Copy all the info they have any interest in to the personal file sharing account
- Go to a new company (often a competitor) and use that info at will
Scenario #2: A hacker uses a file sharing service to upload your data files to a cloud account for download at their leisure. The way this works: someone in your organization picks up some malware that starts copying all the data they have rights to access up to a file sharing service account that has either been stolen or set up anonymously, and the attackers download the data to their network later – that way, if you realize what happened, you can’t trace where your data went. (In the “old days” they used to copy directly to their network – but a bunch of them got caught because the victim (or law enforcement) was smart enough to figure out where the data was going.)
Some additional info:
- Over 7 MILLION Dropbox accounts have been hacked
- Companies often store financial, medical or other sensitive data on file sharing services – which significantly compounds the risks
- Using file-sharing applications like these is a clear and direct violation of data breach and compliance laws
So, there are two questions that need to be addressed:
- How do I stop this?
- If I need a service like this (for in-house use or to share (often large) files with outsiders), what do I do?
The answer to question #1 is fairly simple – access to these services needs to be blocked. The two easiest ways to do this both work at a global level for the entire organization – one at the firewall level and one at the DNS level (DNS is how things are looked up on the Internet…if you can’t look it up, you can’t access it).
For question #2, the answer is to select a service that supports management and quick access removal – which means a business (not consumer) based service. But one of the challenges can be cost and another is selecting a solution that will work. We have reviewed the available services and selected our favorite, Sync (https://www.sync.com/business/) based on a number of technical, security and cost parameters. If you decide to use a service like this, you should seriously consider using two-factor authentication (as you should do with ALL the sites that store any data about you or your organization) and you should decide on the best solution for your business. Most of the services have trials – which we encourage you to use.
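The DNS-level block from the answer to question #1 comes down to matching each queried name against a list of blocked domains, and the same matching can be run over resolver logs to see which machines are still trying to reach those services. The following is an added example, not part of the original article; the domain list, the log format and the sample log lines are assumptions constructed for illustration.

```python
# Added example: DNS-level blocking decision plus an audit of resolver logs.
# The domain list and the log format are assumptions for illustration.

# Consumer file sharing parent domains (assumed list; adjust to policy).
BLOCKED_SUFFIXES = {"dropbox.com", "drive.google.com", "box.com", "onedrive.live.com"}


def normalize(name: str) -> str:
    """Lower-case a queried name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")


def is_blocked(name: str, blocked=BLOCKED_SUFFIXES) -> bool:
    """True if name equals a blocked domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'sandbox.com' does not match
    'box.com' and 'dropbox.com.example.org' does not match 'dropbox.com'.
    """
    labels = normalize(name).split(".")
    # Check every label-aligned suffix: a.b.c -> a.b.c, b.c, c
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def audit(log_lines, blocked=BLOCKED_SUFFIXES):
    """Return {client_ip: sorted list of blocked names it queried}."""
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        _ts, client, qname = parts[:3]
        if is_blocked(qname, blocked):
            hits.setdefault(client, set()).add(normalize(qname))
    return {client: sorted(names) for client, names in hits.items()}


# Constructed sample log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = [
    "2024-01-01T09:00:01 10.0.0.12 www.dropbox.com.",
    "2024-01-01T09:00:05 10.0.0.12 sandbox.com",
    "2024-01-01T09:01:10 10.0.0.31 Drive.Google.com",
    "2024-01-01T09:02:00 10.0.0.31 www.sync.com",
    "2024-01-01T09:02:30 10.0.0.44 dropbox.com.example.org",
    "malformed",
]

if __name__ == "__main__":
    for client, names in audit(SAMPLE_LOG).items():
        print(client, names)
```

A naive substring or "ends with" match would wrongly block sandbox.com and would flag the approved business service's neighbours; matching on whole labels avoids both.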