Is Dropbox a Security Risk for Businesses?

Is Dropbox a Security Risk for Businesses?


Dropbox is used by an estimated 70% of businesses, according to Osterman Research. These companies presumably access, sychronise, and share information stored on the Dropbox cloud servers. And thanks to the rise of mobile communication such as smartphones, this information can now be accessed anytime and anywhere.

However, industry experts have pointed out that Dropbox has security limitations and risk factors that make it an unsuitable application, especially for enterprise organisations.

Bloomberg Business Week was severe enough to ban Dropbox because of serious issues with security risks with its file sharing features.

Here are some of the common identified vulnerabilities:

  • IT administrators or users cannot control who can sync files, a feature that exposes data to unauthorised access and modification. This inability to set granular read/write permission to directories and files is a severe limitation for businesses, which is made worse by limited encryption features.
  • There is no way to specifically set access permission to sub-folders. This is a common business requirement and, with Dropbox, this can only be achieved by rebuilding the file structure.
  • Companies share data differently to individuals. Project collaboration should be limited to specific people sharing specific files. The previously stated limitations compromise this requirement.
  • It is not possible to share password-protected files. Once sent via Dropbox, this protection is removed.
  • Data theft is a serious issue. If a group member’s laptop is stolen, Dropbox has no facility to delete data remotely.
  • Users cannot lock a file while editing or modifying data. It is easy to imagine the problems that may result if users are editing files simultaneously.
  • Dropbox does not provide a log file to track by whom and under what circumstances files have been deleted or modified.

Despite these vulnerabilities, Dropbox remains very popular because of its ease of use. However, this is not a valid reason for companies to risk their data integrity. Apart from data losses caused by system failures, the biggest risk to data integrity is information-leakage and malicious attacks, originating from either internal or external sources.

The security flaws do not end here. Many cloud servers enable users to share links with others for the purpose of collaboration and file sharing, but Dropbox allows anybody who discovers this link to access the data. People who find the link need not be registered users.

The file-sharing company Intralink analysed their Google Analytics and Adwords accounts, and discovered that a substantial amount of links were unauthorised. They simply used a search phrase like “Dropbox secure file sharing” and found clickable URLs to highly sensitive reports like tax returns and mortgage reports. The problem is that Dropbox users do not need to authenticate themselves to access a clickable URL.

Some recent findings on data fraud

  • KPMG reported that 70% of frauds now involve cyber crime.
  • The research firm Friedland consulted over 2,000 users in the U.S., and found that more than 51% use their personal smartphone for work related activities and treat company data fairly recklessly.

Precautions to take

Only “public” files should be stored on a cloud server that does not have adequate security features. These are files that you would be prepared to publish on an email client, on your website, or share on sites like Google+.

If you allow employees to use Dropbox, you also need to regularly monitor what data is stored there.

Dropbox improvements

Dropbox now offers Dropbox for Teams, which provides centralised admin and improved security. This version has a security setting to prevent unauthorised access to shared links. However, it comes at a considerable cost of around $US 800 per year, and this version is limited to only five users.

The combination of hand-held smartphones, file collaboration and sharing using cloud computing has given a huge boost to data processing. However, it is clear that companies should plan their implementation strategy carefully and be fully aware of the risks inherent in combining these technologies.