When you ask a security professional about the biggest security threat they think exists, there is a good chance it will be related to people. After all, no matter what security controls you put in place, it really comes down to human nature as to whether they follow such controls or not. It’s like I always say, “If you don’t give your employees some flexibility, then you might as well hire more security people to deal with the increased workload. So when it comes to fostering an environment of awareness, there are several views on what is the best way to deal with high risk applications such as Dropbox.
The real difficulty with dealing with a service like Dropbox is that thanks to pressure from business requirements such as BYOD, these services are becoming a necessity for many employees. The reason BYOD is occurring in the first place is that employees feel that corporate devices contain too much bloatware and causes the equipment to be inefficient. This means that there is less control over the applications loaded on these devices, and so limiting the ability for employees to use such services is almost impossible.
The best way then to deal with such things is through education. Often a discrete discussion and education will convince employees to the importance of the policy as it relates to corporate data. Policy and position is really the key to dealing with corporate data, and until the providers of these types of services put better security controls in place, we need to educate employees about the risks of these applications.
Certain key controls really need to be available for these types of services such as the ability to control the service (through things such as lock-out, remote wipe, and service interruption), and the ability to monitor what happens to the data in these environments. Most importantly, we need the ability to anonymously report usage on when company resources are being used to access these services.
Until we get these things under control through better security controls and by making alternatives available, we will have to focus on awareness through education.