7 Security Risks of Consumer-Grade File Sync Services

Consumer-grade file sync (CGFS) services such as Dropbox, Box, and Google Drive pose many challenges to businesses that care about control and visibility over company data. Below are seven of the biggest risks that these services pose in a business environment.

1. Data theft
   Most of the problems with CGFS services emanate from a lack of oversight. Business owners are not privy to when an instance is installed, and are unable to control which employee devices can or cannot sync with a corporate PC. Use of CFGS services can open the door to company data being synced (without approval) across personal devices and even to remote vendors or contractors. The proliferation of these personal devices, which accompany employees on public transit, at coffee shops, and with friends, exponentially increases the chance of data being stolen or shared with the wrong parties.
2. Lost & orphaned data
   When administrators cannot manage and monitor file sync activities across an organization, they risk losing critical data. If an employee (or group of employees) adopts a CGFS service and starts using it to sync and share sensitive files, administrators won’t have proper oversight to manage data sprawl, initiate remote wipes in the case of lost devices, or to guarantee that files are properly shared with the right people. Furthermore, when employees leave the company, there is no way to ensure corporate data is removed or handed over to a new owner.
3. Corrupted data
   In a study by CERN, silent data corruption was observed in 1 out of every 1,500 files. While many businesses trust their cloud service providers to make sure that stored data maintains its integrity year after year, most CGFS services don’t implement data integrity assurance systems to ensure that any bit-rot or corrupted data is replaced with a redundant copy of the original.
4. Lawsuits
   CGFS products effectively give employees carte blanche power to permanently delete and share files. This can result in the permanent loss of critical business documents as well as the sharing of confidential information, which can break privacy agreements in place with clients and third parties.
5. Compliance violations
   Since CGFS solutions have loose (or non-existent) file retention and file access controls, you could be setting yourself up for a compliance violation. Many compliance policies require that files be held for a specific duration and only be accessed by certain people; in these cases, it is imperative to employ strict controls over how long files are kept and who can access them.
6. Loss of accountability
   Since admins don’t have access to detailed reports and alerts about system-level activity, CGFS services can result in loss of accountability over changes to user accounts, organizations, passwords, and other entities. If a malicious admin gains access to the system, hundreds of hours of configuration time can be undone if no alerting system is in place to notify other admins of these changes.
7. Loss of file access
   CGFS services don’t usually track which users and machines touched a file and at which times. This can be a big problem if you’re trying to determine the events leading up to a file’s creation, modification, or deletion. Additionally, many solutions track and associate a small set of file events which can result in a broken access trail if a file is renamed, for example.

Consumer-grade file sync services pose many challenges to businesses that care about control and visibility over company data. Allowing employees to utilize CFGS solutions can lead to massive data leaks, security breaches, and lost productivity.

Many companies have formal policies in place regarding CGFS use or at least discourage employees from using their own accounts, and may even put in place technical access control measures, such as application-aware firewalls, to prevent their use. But while blacklisting common CFGS services may curtail the security risks in the short term, employees are very creative at finding alternatives that aren’t blocked when the need arises to share data outside the company.

In the end, the best way for business to handle this is to deploy a company-approved, business-grade application like GL CLoudSync that will allow IT to control the data, yet still grants employees the access and functionality they need to be productive wherever they are. This proactive approach prevents employees from circumventing the system, since they already have the sync and share capabilities they need.