You Can Get Fired for Choosing Dropbox: A True Story
An MSP is contacted by a publicly-traded company looking for help managing its IT. When the MSP goes to the company conference room to explain how it can protect the company’s servers, the decision-maker explains that the company doesn’t need servers because it is using Dropbox.
The MSP is perplexed and explains there could be security issues with the cloud in general, and it is safer to keep the data locally and have encrypted backups. The MSP is mocked – the decision-maker says Dropbox is safe and secure, and that her old company had users on it and it works great.
The MSP reiterated the concern and explained that the decision-maker’s company, which is under regulatory scrutiny, shouldn’t take the risk. More mocking. Finally, the MSP explained that if a government agency requests their data from the cloud by going directly to the cloud vendor, it is possible they will never know about it.
The MSP was told in response this isn’t important to them – they are using Dropbox.
The MSP wasn’t chosen – the company likely went with an alternative vendor that just took the money and didn’t give the important advice they should have.
Fast-forward some months: Yesterday we learned 68,680,741 Dropbox account records were stolen. It is possible many Dropbox accounts were accessed and the data siphoned off by hackers. At this point it is unknown how much data was stolen.
The compliance ramifications are potentially massive. The average cost of a data breach is $4 million! The company in question could have purchased a single HPE ProLiant DL385p Gen8 Server for about $2,500 and paid about $20,000 for labor and software needed to get it up and running. In other words, it would have saved just under $4 million! And this number doesn’t even take into account the cost of the cloud service.
The cloud is amazing; it allows companies to live beyond their financial computing means as they don’t need to purchase as much hardware – the opex vs. capex argument. But successful cloud vendors are also huge targets and for them, getting hacked is a matter of when not if.
In such a scenario, companies should think twice before going to the cloud. This is why Morgan Stanley blocks Dropbox.
The MSP in question is thinking of reaching back out to the prospect to see if it can sell the company a server, but the prospect will most likely be out of business if its data was part of the breached information.
What do you think about this story? Should the decision maker be fired?
Speaking of security, it will be a major area of focus at the upcoming ITEXPO – which is being held Feb. 8-10, 2017, at the Greater Ft. Lauderdale/Broward County Convention Center in Fort Lauderdale, Fla.
Among the security sessions to be featured at ITEXPO is the Hot Topics in Tech and Communications track panel called Adaptive Security: The Next Layer of Defense. Adaptive security combines traditional security with predictive analytics, leveraging cloud computing and APIs to theorize where the next attack will happen in order to implement a more effective security posture.
The same track features sessions called Applying Critical Thinking to Security; Threat Actors Explored: Grandmothers, Gangsters, Guerrillas and Governments; and They Work for Us, Litigating Away the Innovation in Internet Security.
The Threat Actors Explored session will discuss the various individuals and organizations that are working to take advantage of our increasingly connected world. That includes such threat actors as cybercriminals, hacktivists, insiders, and nation-states. Session speakers will present use cases and personal stories that span two decades, 50 countries, and six continents to help audience members better understand the motivations and methods behind these threat actors – and, thus, protect against their attacks.
Meanwhile, the litigation panel will analyze how, and how effectively, legislators and government agencies are attempting to address internet security. It will look at current and proposed legislation and will offer expert speaker input as to the value of these potential implementations.
Security will also be a component of MSP Expo, one of the events to be co-located with ITEXPO. The session, called Cybersecurity as a Managed Service, will discuss how cybersecurity should not be viewed as simply a hardware or software issue – but rather, a managed service that involves training people, implementing processes, and leveraging technology to keep an organization safe. Attendees will learn how to develop assessments that identify corporate vulnerabilities, discuss best practices for creating policies and training employees to implement them, and discover ways in which organizations can implement response capabilities in the event of a cybersecurity breach.