File hosting services - undue risk?


(Todd Scheven) #1

Box, Dropbox, Google Drive, just to name a few. I, for one, love box.com. We’ve used it for years to host files our customers need to update their software. We have links on our website they can use to directly download files or we can send them a link via email or in a support ticket and they don’t need any credentials to obtain the file(s). But is this a good idea?

I read that over 68 million Dropbox passwords were stolen and today I received a phishing email with links to download a Google Docs file. Without question, that linked to something that would not end well for the person who clicked on it.

As a result of this increase in these types of email phishing attempts, are you scaling back your use of file sharing services? Have you stopped using them altogether or have you never used them and are gleefully telling everyone, “I told ya so”?

We don’t plan on making changes anytime soon, but I’m certainly keeping an eye on things and will be willing to change, if need be.

Todd.


(Al Warner) #2

Hi Todd. I have some of the same concerns and have users that are going to do whatever they think they need to in order to get the job done. I’ve used Dropbox for years and change the password frequently. I will often use my account for users that need to share a large file but won’t need it on a regular basis. I then pull the file down after a few days or weeks. For those with frequent needs to transfer large files I set up Dropbox for them and really stress that sensitive data does not belong on that medium. Our web presence is completely separate from the corporate network so web site downloads are not an issue at my end.

As for receiving files sent using one of these services, I’ve told my users that it is just like an email attachment. It could ruin your whole day if you don’t ask the same questions. Were you expecting this file? Does it raise any KnowBe4 “red flags?” If you have a question, call your friendly neighborhood IT guy BEFORE you click.

Your setup doesn’t sound so much like an open door to anything other than your software updates. It sounds like anyone with a link could download it and if that’s OK with you then so be it. That’s one reason I stress that no sensitive info be posted that way. It’s out of sight, but not secure.


(Todd Scheven) #3

Hi Al,

You make some good points. Thanks for the reply and feedback.

Todd.


(Mary Travis, M.A.) #4

I’m in healthcare, so I would never allow this type of functionality for any of our users, because there is no way to assure the document won’t contain patient data. :eyeglasses:


(Dan) #5

Same boat for a financial institution. We don’t allow that type of access.


(Warren White M.S. Cybersecurity) #6

Good topic @Todd. I could see the concern with harboring sensitive information on a file sharing website. You never know if it is safe because you are leaving information in an environment controlled by someone you more than likely never met or even know the location of. I have used Dropbox myself but never saved original documents there or any data that contained sensitive information. It is hard to find a way to securely send information over the internet let alone leave it in a network that is hopefully secure. It is impossible to make anything 100% secure so it is good to be skeptical where you leave your information. I always think of who has access to it, who could potentially get to it, what information does it have, how should it be secured, what are my backup plans in case anything happens. If the potential risk outweighs the gain there is no point in proceeding.

KnowBe4 has great training material on what things to look out for so that you do not become a victim of phishing. With all the securities in place it still typically comes down to you to secure your information. Making the right choices can keep you from making huge blunders.