Security firms would have you believe it, vendors tell you it in sales pitches, but the fact is the Dropbox problem isn’t anything new. In fact, it’s been around since 1996. Of course, back then it wasn’t called “Dropbox”; no, back then it was known as “Hotmail”. We could easily put files in the cloud and access them from multiple different devices anywhere in the world. Oh, and security wasn’t that great either (in 1999 you could get into any Hotmail account with the password “eh”).
In fact I suppose you could go back further and draw an analogy to the briefcase stuffed with paper files that you took home with you.
So what is new? Why is there all of a sudden a push to solve this problem? Is there a problem to solve technically? Or is in fact the easiest solution the same solution that has always been there? Education.
I remember visiting a law firm on the west side of the Pennines and on exit I saw signs on each exit door reminding the fee earners which files they should not be taking away with them off premises. These signs were referring to the paper file, but isn’t the same education required for the electronic file? We trusted lawyers with the paper file, so why not with the electronic file? The IT dept know the risks, so why do we think the lawyers won’t “get it”? The flipside to this is of course that the lawyers take the responsibility and do not blame the CIO when things go wrong!
So we don’t need the new “dropbox” tools? Well, let’s look back again: when we needed to securely transport paper files we came up with the lockable briefcase; when Hotmail came about we created Outlook OWA to provide similar functionality to the corporate email. No, I think there is a space for these tools, providing the user experience is matched (and that means more than just an iOS client to cover mobility!).
The better the UX and the more secure the product the better it will be for the lawyer, but tech alone won’t crack the “dropbox” problem!
[blog] Education, education, education – solving the dropbox problem – http://t.co/HwwkUaEtJf #LegalIT
The historical problem is of course data leakage. As well as the examples you give, let’s not forget the all-time classic of leaving USB drives/CDs on a train!
I think the ‘Dropbox problem’ is more than just a concern over data leakage though. It alludes to the pressure on IT to enable mobile and cloud tools and that this pressure is coming from the users whether they be managing partners or newly recruited graduates. Educating them not to use these types of tools won’t work. They need educating why instead of using consumer versions they should use the alternatives selected by IT.
We are having this in the NHS at the moment. Even though IT replaced Dropbox with an on-premise Accellion solution, some users ignore it as they don’t like change. The trusts and hospitals have asked us for short videos explaining the legal implications of placing patient information in consumer cloud platforms.
At some of our law firm customers, lawyers are asked to sign policy documents in their contracts about which Mobility/BYOD tools they are permitted to share confidential documents with. These are often accompanied by documents explaining the legal risk of going against policy.
The challenge therefore is to:
a) Provide a secure alternative
b) Ban/restrict the consumer version
c) Educate why this has been done
As you point out Jason, the education piece is critical. Without it you risk users finding a way of bypassing IT.
Jes Breslaw
Director of Cloud Solutions, EMEA
http://www.accellion.com
@Jes – the NHS’ request makes sense – we’re seeing similar requests coming through in terms of helping with user education.
Without wanting to get too academic about it, I think we need to ask ourselves more questions first:
1. What information are we concerned about and how important is it? How much of it is there? Where is it? What controls are currently in place around it?
2. Who should – and who should not – have access to it, both internally and externally?
3. What’s the worst (realistic) case scenario for the control of this information going wrong? What is therefore an appropriate level of response to this? What level of risk is the firm prepared to “live with” – and what are they not?
4. If it is a big enough potential risk/problem, then you start looking at possible solutions – and Jase has covered a good start point above for a UI/UX which will allow users to easily migrate, without any retraining required, but is locked down behind the scenes…
…@Jase, do you think there is a lack of defined ownership here? Way I see it, IT are beholden to Risk; Risk, the business/users; and the users, ultimately to both their clients and the managing partner.
If users use unsanctioned cloud apps, then who is responsible?
If your answer is IT, then the IT response is: what would you have us do? Lock it down completely? Prevent clients sharing information with us and get in the way of fee earning?
If your answer is the users, then the users’ response is: the client told me to do it – and it’s difficult to challenge the client! If their answer isn’t the client – then I think the education piece comes into play.
If you say the client is responsible, as they – knowingly, or unknowingly – will start sharing information via insecure tools, then what is the response? I think/hope that in the best interests of the client, they would agree that they should not be sharing valuable information via insecure means and perhaps a senior partner who owns the relationship with the client could bring it up with them. Are you then being obstructive to the business? No – you’re protecting your client’s interests with some good advice…
…that’s the way I see it: education is multi-faceted, and if you want to make it effective, you need to go to the root and educate your clients – nicely – on the risks they are taking.
What do you think?
+1 – Nice post by @planty Education, education, education – solving the dropbox problem http://t.co/Cd46ZwijH5
@dhedge65 totally agree, in fact blogged about that earlier this week 🙂 http://t.co/Lp621e4wKx