Yesterday, Intralinks, a competitor to Dropbox and Box in the file sync and share market, informed BBC News and Graham Cluley about a potential risk to sensitive information stored in Dropbox and Box. Intralinks had apparently notified Dropbox of this issue in November 2013, but Dropbox did not take action until the news broke yesterday. Box has not yet responded.
From our point of view, there is a lot to say about this.
First, the basics: Dropbox and Box allow users to create share links, which are unique links to their stored information. Users are losing these links in two ways. First, users are accidentally putting them into search bars (rather than URL bars), and the links then appear in search-word data. Second, when a user has a link to an external website in a document in their storage and they click on that link, the owner of the external website can see the share link for that document when he or she checks the referring traffic for his or her page.
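The two leak paths above can be looked for from the defender's side. The following is an added example, not code from this post or from any vendor named in it: it scans web proxy log lines for share links that left the organization as referring URLs or as search terms, so those links can be revoked. The log layout, the `find_leaks` name and the share-link URL patterns are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed share-link shapes (not given in the post); adjust to the links your users create.
SHARE_LINK = re.compile(r"https?://(?:www\.dropbox\.com|app\.box\.com)/s/[A-Za-z0-9]+[^\s\"]*")
SHARE_HOSTS = {"www.dropbox.com", "app.box.com"}

# Constructed sample proxy log: user <TAB> requested URL <TAB> Referer ("-" if none)
SAMPLE_LOG = """\
alice\thttps://www.dropbox.com/s/abc123example/plan.pdf\t-
alice\thttps://partner.example/pricing\thttps://www.dropbox.com/s/abc123example/plan.pdf
bob\thttps://search.example/results?q=https%3A%2F%2Fapp.box.com%2Fs%2Fzzz999example\t-
carol\thttps://news.example/story\thttps://news.example/
"""

def find_leaks(log_text):
    """Return (user, kind, share_link, third_party_host) for each leaked link."""
    leaks = []
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3:
            continue  # skip malformed lines
        user, url, referer = parts
        dest = urlsplit(url)
        if dest.hostname in SHARE_HOSTS:
            continue  # traffic to the storage service itself is not a leak
        # Second leak path: share link sent as the referring URL to an external site
        m = SHARE_LINK.match(referer)
        if m:
            leaks.append((user, "referer", m.group(0), dest.hostname))
        # First leak path: share link typed into a search box instead of the URL bar
        for _, value in parse_qsl(dest.query):
            m = SHARE_LINK.search(value)
            if m:
                leaks.append((user, "search-query", m.group(0), dest.hostname))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG):
        print(*leak, sep="  ")
```

Each reported link has already been disclosed to the listed third-party host, so the practical follow-up is to disable or regenerate that link rather than only warn the user.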
Keeping your users in mind
Dropbox has announced that it has fixed the first of these issues. Both products have warnings informing users of what it means to share something publicly. And yet Intralinks now has mortgage documents, tax returns, business plans and blueprints that users never meant to share with the company. Intralinks’ own blog post has an excellent explanation of how this happened and how users can protect themselves.
In the BBC article, Cluley noted that this is not a security flaw but an unexpected consequence of user behavior. Maybe those companies should have considered user behavior more carefully. We know drivers are imperfect, so we’ve added seat belts and airbags to cars. In a file sharing product, maybe the default should not allow any unauthenticated user to use a share link. With our product, Novell Filr, your IT department can control default settings to ensure higher security.
User-proofing your environment
Users will always make mistakes. No file sharing system (probably no software in the world) is immune to user error. That fact points to another advantage of a solution like Filr. When a user does break policy and share a sensitive document, administrators are much more likely to know about it. Filr allows your IT team to monitor sharing.
Working with your users
As Intralinks said in its post, “The bottom line is that it’s really up to employers to train, supervise and enforce appropriate workplace policies to prevent company data from finding its way into these products where sharing is unsecured.” We agree. Training and enforcing can be expensive, which is why we recommend organizations make it easier on themselves. Get a product like Novell Filr that gives users a safer alternative.