With all the email, documents, Slack messages, and other artifacts that come through my purview each day, I think the language gods will forgive me for a few typos. But I would hate to think that a keystroke error could result in an irrecoverable breach of my company’s most private data. Seems a bit dramatic, no? According to a recent Forbes article, Dropbox users face this very issue when sharing sensitive data. A seemingly minor oversight could result in critical files being delivered directly into the inbox of a total stranger, all because of mistyped words. 

Dropbox Vault is billed as “an additional layer of security for your most sensitive files.” Within Vault, a user can simply type the email address of a person with whom she’d like to share certain documents, and with the click of a button, that person now has access. Interestingly, however, there is no failover to ensure the email address is correct. In fact, there isn’t even a confirmation check that forces a user to input the recipient’s address a second time. 

How does this play out? Well, let’s say you’re a small company and you want to share the product plans for your upcoming release with one of your integration partners, Jack Smith at Acme Corp. You know Jack, you email him many times each week, usually with the auto-fill in the “to” field. But in this one case, what happens when you casually type jsmith@acmecorp.com — because, well, that seems like a logical email address and your brain has been conditioned after hundreds of thousands of emails over the years, to think in terms of [first name initial][last name]@[company domain] — but it turns out he’s actually jasmith@acmecorp.com. That’s a big deal because who knows who jsmith@acmecorp is and what that person is going to do with the product plans you’re banking the future of the company on. At least jsmith@acmecorp.com, if she or he exists, is in the same company as Jack. Hopefully, the matter is resolved quickly and you have a good laugh about it like it was 1996 and email was still new and interesting. 

But imagine if your friend Jack told you he was going on vacation and requested you send the files to his personal email address? Well, if you send those to jsmith@freeemailservice.com, but turns out he’s at fortyninerfan@freeemailservice.com, well, those plans are now out in the wild. You have no control over who is seeing them. Best case scenario is that the recipient deletes and the world moves on. But you won’t know that either because there is no validation of who, when, or where the files were accessed, so your chair made of pins and needles will be a sorry substitute for assurance in the coming weeks and months while you sweat it out.

We know — we’ve ALWAYS known — that criminals look for an open window before they take a battering ram to the door. For users who slip up using Dropbox Vault, they’re actually making it even easier for cybercriminals because they’re essentially delivering to them the key and instructions on how to get into the house when no one will be home. That’s not security. 

Let’s consider the context of this issue. Any type of content management requires a happy balance of governance and productivity. If the security rules are too onerous to share a folder or document, it becomes a productivity liability; instead of going through all the right tasks to ensure things are secure, a user might simply choose just to share as an email attachment (or maybe they’d just use Dropbox Vault since security seemingly won’t get in the way). On the other hand, if it’s too easy to access a document, chances are it isn’t bound by very strict security requirements and then it can more easily be breached. 

This is not a dichotomy of opposing principles, nor should it be a debatable proposition. Any tool that deals with content — ANY content — has to balance both security with productivity, and it should guide user behaviors so they don’t need to run through a checklist in order to access and share data. To be effective, a solution has to be able to:

  • Know and understand the content you’re working with. This means that users have insights into not just folder titles and metadata about documents, but they need to also truly know what’s in the content under their domain. With sensitive data identification capabilities, rules can be set up to protect data that is particularly sensitive. But it also means that admins know where that data resides and can apply governance automation to ensure it’s not being inappropriately accessed or used.
  • Share content simply with the users who should have access to it. The key word here is, should. Sure, it’s nice to have a central repository where all employees can store files, but just like Animal Farm, some content is created more equal than others. Some content has to be regulated through highly restricted access, and that means keeping out those who shouldn’t be in
  • Apply preventative measures to protect your content assets. There are a number of ways that ransomware attackers and other cybercriminals can steal your data, but IT admins can use a variety of methods to stop them. An effective tool should not require that you engineer your own security tools, but that you simply use basics like multi-factor authentication, mandate complex password conventions, encryption, and other methods.

Managing content and files shouldn’t be a chore unto itself. No one has time to review every single interaction that impacts how our data is used and shared, so we need to rely on automated systems and processes that will help us use content in a meaningful, safe way. Productivity is critical to that, but ultimately it’s the balance of usability with security that marks our ability to fully take advantage of our critical data and make it a valuable asset for our organization. 

 

Photo by Amador Loureiro on Unsplash

Comments are closed.