Cautions of Using/Sharing a Personal Dropbox Account for Business Purposes
DropBox provides a convenient way to synchronize files across multiple computers so that they are accessible on each. It also allows those documents to be viewed online or by mobile phone. Free accounts can store up to 2GB of data before you have to purchase a paid tier of service.
Businesses may be tempted to share an Individual (personal) DropBox account with employees or other associated parties in order to access their documents, but I would like to take a moment to highlight the dangers that may come with doing so. DropBox has a specific service built for business sharing among employees or “team” members that is intended to account for these dangers. This being said, I invite you to learn about the risks involved before choosing which path you would like to utilize when it comes to data sharing.
Unauthorized Access Prevention
DropBox includes a commonly utilized method to prevent unauthorized access (that is, access by people to whom you have not given the username and password). This method is known as Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA). The methodology behind this is that you bind your account to your cellphone number or a supported “Authentication App” such as Google Authenticator. When someone signs in to your DropBox account with your username and password, you will receive a text code that must be entered to proceed (or you open the Authenticator App on your mobile phone and view the current code listed for DropBox).
In this manner, if your account password is compromised and someone is trying to access it then you will quickly know as you start receiving text messages for the code. They cannot get in without you giving them that code, and thus your account is protected.
There is *no* other way of preventing unauthorized account access. Once your username and password are out there on the Internet somewhere, you can only change your password and then hope they can’t figure that out later. It is highly recommended to enable 2FA/MFA on any online system you access that supports the feature, not just DropBox. The only downside is that it makes it hard to share your account, if you still intend to do so.
When you allow multiple users to access your personal DropBox account, every change is logged under your user information, as though you were the one who made it. DropBox does not track which specific person on which computer modified or deleted a file. The service does not tell you when they copy your data for their own purposes, to keep or review later in case their access is revoked. It is akin to giving someone else your house key and the personal security alarm code to your home. As far as your security service is concerned, they had your key and your code, and thus it is logged as you that entered the home to do whatever you will with the contents.
When you use the DropBox service in a “Team” based scenario (Team Advanced plan only), each user has their own personal DropBox account and is invited to become a part of your “Team”. They are then given access to your Team storage area, where you can store and secure your data separately from their personal DropBox storage.
When they modify a file, the modification is recorded in auditing logs, so that if something happens it can be pinpointed who made a change and when. You can also assign permissions to team members, allowing you to lock down areas they should not access at all or to give them permission to Read but not Change/Edit/Delete.
Sharing Files with External Clients/Vendors/Associates
Sometimes you may need to collaborate with external parties and share data with users who are not a part of your business organization. Again, as with giving members of your business access to the same DropBox account, you cannot control what these external parties will or will not have access to view, change or delete once you give your username and password away. The appropriate way to share data with external sources, whether you are using Personal or Team based DropBox services, is to “share” a folder with the external party. That party will have to create their own free DropBox account (if they do not already have one), and once logged in they will see the files and folders you have designated to share with them.
The Free tier does not include easy methods of managing who you have shared folders with over time. The Individual Professional and both Team plans give you easy methods to determine who you or your team members have shared data with outside of your organization, and can even include time limits on how long that data is allowed to be shared (so you don’t have to remember to revoke the access later).
For more on how to share files and folders with external parties, please visit https://www.dropbox.com/help/files-folders/share-file-or-folder for the specific instructions on how to do this.
HIPAA – For medical firms, or other businesses that interact with medical firms and must enforce PHI security, DropBox supports HIPAA compliance when storing your data files online. See https://www.dropbox.com/help/security/hipaa-hitech-overview for more information on how to use DropBox for your medical needs.
These policies are not enforced by default; you must complete the process for enabling HIPAA practices BEFORE transferring any PHI to your account storage.
Delegated Admin Rights – The Advanced Team plan allows for customization of admin privileges, enabling you to give specific employees only the permissions they need to assist with management of the areas they are responsible for, without giving them full admin access to the Team account.
View History – With the Individual Pro or Advanced Team plans, you can view when documents have been opened for viewing, not just when they were modified. This helps you know when employees or external parties have been looking at your data.
At the time of this writing, Individual Plans are either Free or $16.58/month (if billed annually). Team plans are either $12.50 per user per month for Standard or $20 per user per month for Advanced (also if billed annually). On a team account, this means you would pay $20 per person on your Team each month. For a 5 person team, you would pay $1,200.00 annually to achieve the security necessary to protect your organization’s data. They do give you a hefty increase in how much data you are allowed to store, at least.
Many clients have been investigating Office365’s SharePoint with Team OneDrive service as an alternative to DropBox. If you are already paying for Email service with Office365, SharePoint and Team OneDrive are included! Prices start at $5 per user per month including 1TB of storage, which is ¼ the price of DropBox!
The pros of Office365 are its cost and the fact that most people have it already; they just may not know it! The cons are that recovering large quantities of files is difficult to achieve and that user security management isn’t as intuitive.
The “Recycle Bin” feature is clunky and does not do well when restoring upwards of 50-100 files at a time, so be careful of accidental deletions! We once had a customer accidentally delete quite a few of their files, and the restoration feature was failing consistently. It took a week of troubleshooting with Microsoft support before they were able to get an engineer to approve an “internal backup restoration”. Microsoft does not back up their systems for your recovery purposes. It is up to you, the end user, to ensure your data is backed up regularly. DropBox only retains deleted data for 120 days under the Team plans. It is highly encouraged to have an external backup system for any cloud sync service you may be utilizing, just in case the built-in systems fail.
I hope this brief rundown of DropBox and associated security risks has been found useful!