Dropbox is Not a Remote Access Solution: A COVID-19 Case Study
The Scenario in Brief
During this challenging time, we all have had to scramble to adjust to a new normal, both on a professional and personal level.
Here is an example of a company that was trying to find their own way to work remotely. This particular customer has a case management suite that links to Dropbox in the office. Their case files and templates link to the cloud, their Dropbox. Our client decided to give all their employees access to Dropbox through their personal home computers.
It was easy
The employee can work from their home computer, make their edits on Dropbox, and it updates to their case management suite. When we dug deeper, we learned that the computers they are using are shared with other family members.
If ransomware got on this computer from a clicked email that would then infect the locally-stored Dropbox files. This would then sync up to the cloud because Dropbox would not know that the data is compromised. It just sees data. The original data would not be available and the new data would be encrypted and locked.
From a support side, we had servers being backed up in the office, as well as other important folders. The client thought they had a backup, but they did not realize that Dropbox was not being backed up.
Further, the client was not aware that Dropbox stores a local copy of its files on computers that are synced. This means these confidential case client files were available to other family members in the household. To make matters worse, if the machine got infected, the case studies would be readily available to bad actors.
The Solution
We ended up setting up a VPN solution for this client, which allowed them to remote into their desktops. This is a common and easy solution, which gives employees their work environment at home. They now log in to their work computer that already had Dropbox. We uninstalled Dropbox on the unsecured personal computers.
People have this belief that everything that is going to be out in the cloud is going to be safe. Sometimes it is not clear that this “cloud” is just a server sitting somewhere else. The reality is unless you invest in creating backups, or backing it up yourself, it is as susceptible as your hard drive getting ransomware.
Finally, Dropbox has an additional plan that allows data retention for the 30 days. We implemented this as an extra safety measure.
The Lesson
Companies are going to find quick methods to solve their problems. This case study was an easy solution to remote access and our client had no idea they exposed vulnerabilities and security holes. Nothing had gone wrong, so they thought they were safe.
It’s always wise to engage a consultant in cases like this. We were thankful we could help in this regard and prevent what could have been a bad situation.