Is Dropbox Secure Enough? (And How to Improve It)

Criminals don’t need to carry out a heist akin to Ocean’s 8 to get their hands on valuable stuff these days.

Cloud storage is, of course, a target for hackers. It’s where you keep your important data, documents and files, be they personal, for your business or (eek!) related to your customers.

It’s easy to think that breaches only happen on a large scale, against big corporations. But, the truth is, nobody is exempt from a cyberattack. For example, 43% of cyberattacks target small businesses.

So, you need to be comfortable in the knowledge that your files are secure. Let’s take a look at how Dropbox fares on the security front.

How Secure Is Dropbox?

Dropbox offers a number of security features to keep your files protected. However, it’s not entirely problem-free and some users may have privacy concerns.

Dropbox Security Features

Your files are protected in storage and in transit by enterprise-grade encryption and multiple layers of security. More specifically, Dropbox offers:

  • 256-bit Advanced Encryption Standard (AES) for files at rest
  • Transport Layer Security (TLS, the successor to the now-deprecated Secure Sockets Layer, SSL) using 128-bit or stronger AES cipher suites for files in transit

(Diagram: how Dropbox’s security infrastructure works; image not reproduced here.)

If you’re not familiar with the more complex cybersecurity terms, here’s a simpler explanation…

Whenever your files are in storage, they’re split into blocks (chunks) that are encrypted with AES-256 before being written to disk. When you upload, download or share files, they travel inside a TLS-protected connection, so anyone eavesdropping on the network (on public Wi-Fi, say) sees only ciphertext. In both cases it is Dropbox, not you, that holds the encryption keys; more on that below.

Dropbox Business members get access to further security features. Admins can monitor and control Dropbox activity.

Firstly, you can link and unlink devices, and limit the number of devices a team member can connect. Every linked device holds a synced copy of the files and a long-lived login token, so each one is another place from which the account can be compromised.


Furthermore, if a device is compromised, you can wipe Dropbox folders from that device remotely.

As an admin, you also have a high level of control over individual files and documents. There’s the option to password-protect links and files. You also have the ability to grant temporary access or set expiration dates on files and links.

This is sensible as it’s a best practice in cybersecurity to limit access to those who absolutely need it when they need it. And you’d be surprised by how many businesses don’t follow this best practice.

A Varonis study found that 53% of companies had over 1,000 sensitive files open to every employee, and 15% had more than one million folders open to every employee.

All Dropbox membership types also have the option to set up two-step verification. Finally, Dropbox claims that they regularly check for security vulnerabilities and harden their defenses.

Dropbox Security Issues

Dropbox’s encryption is strong, but the way it is applied is one of the service’s main security limitations. It is server-side encryption, not end-to-end (often marketed as “zero-knowledge”) encryption: Dropbox generates and holds the keys, and your files are encrypted only after they reach Dropbox’s servers.

Because Dropbox holds the keys, it can decrypt your files whenever its systems need to (for web previews, search and sharing, for example), and it can be compelled to hand them over to law enforcement. It also means a cybercriminal who breaks into the right internal system, or a rogue employee with enough access, could read them.

There has indeed been a high-profile breach. In 2012 an attacker used a Dropbox employee’s password, reused from another site that had been breached, to reach an internal document containing user email addresses, and credentials for around 68 million accounts were later found circulating. Dropbox reset the affected passwords and introduced two-step verification in response.

A further privacy concern is what Dropbox does with your data. The service is at liberty to collect and share a ton of data with “trusted third parties” including the likes of Amazon and Google. The types of data include personal identifying information, your contacts, how you use your account, purchase behavior and, even, as they say, “what you decide to store in your Dropbox account.”

This doesn’t sound good at all. However, this isn’t just a Dropbox problem. Other major players in cloud storage, e.g. Google Drive and Microsoft OneDrive, also share your information with third parties.

So, what’s the conclusion? Is Dropbox secure enough?

Dropbox has strong encryption and a solid set of security controls. It is well defended against external attackers, and it is much safer than emailing attachments around, where every copy sits unencrypted in several inboxes beyond your control.

However, the level of data privacy is a problem where Dropbox and many other providers are concerned. Thus, you may want to look into alternatives. Perhaps, seek out zero-knowledge cloud storage providers. And you should certainly read and consider the privacy policies of other providers carefully.

Ways to Make Dropbox More Secure

We’ve touched on the fact that many cyber incidents happen by accident or through human error, e.g. because of weak or reused passwords, or because too many users were given access to sensitive files.

But, there are precautionary measures you can put in place to reduce the likelihood of these and other cybersecurity threats.

1. Use a Strong Password

This is Cybersecurity 101, and you’d expect most people to choose strong passwords by now. But the complacent belief that “it won’t happen to me” still leads people to skip it.

People still reuse passwords across multiple accounts, and that’s just not good practice. Attackers take the username and password pairs leaked from one breach and try them against every other popular service (credential stuffing), so one leak opens every account that shares the password. 13% of people reuse the same password across all of their accounts, and 52% use the same password for multiple accounts (but not all).

The point is that you, and your whole team if you have a Business membership, should each use a unique, strong password for Dropbox. Consider a password manager such as LastPass or 1Password to generate and store those passwords.

To be extra secure, you should also turn on two-step verification. When you log into Dropbox, you’ll then be asked for a second factor as well as your password: a one-time code from an authenticator app or text message, or a hardware security key. Prefer an authenticator app or security key over SMS, since text messages can be intercepted through SIM swapping. Go to Settings, then Security, and toggle Two-step verification to On.
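To make concrete what that second factor actually is, here is an added example (written for this article, not Dropbox’s own code; Dropbox does not publish its implementation) of the RFC 6238 TOTP algorithm that authenticator apps run, together with the server-side check that accepts a code only within a narrow time window. Dropbox’s authenticator-app option uses this same public standard. The secret in main() is the RFC’s published test vector, not a real Dropbox secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP computes an RFC 6238 time-based one-time code: HMAC-SHA1 over the
// big-endian time-step counter, dynamically truncated to `digits` decimal
// digits. This is what an authenticator app runs; the shared secret is what
// the QR code shown at enrolment contains.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/step))

	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)

	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte selects a 4-byte window; the top bit is masked to avoid sign issues.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff

	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verify is the server side of the exchange: accept the code for the current
// 30-second step and one step either side (clock drift), comparing in
// constant time. A code is therefore valid for at most about 90 seconds and
// only for this secret, which is why a stolen password alone no longer opens
// the account and why a code read out to a fake "support agent" is useless
// to them a minute later.
func Verify(secret []byte, code string, unixTime int64) bool {
	for _, delta := range []int64{-1, 0, 1} {
		candidate := TOTP(secret, unixTime+delta*30, 30, len(code))
		if subtle.ConstantTimeCompare([]byte(candidate), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real secret.
	secret := []byte("12345678901234567890")
	fmt.Println("8-digit code for t=59:", TOTP(secret, 59, 30, 8)) // 94287082
	fmt.Println("6-digit code right now:", TOTP(secret, time.Now().Unix(), 30, 6))
}
```

Because the code is a function of the secret and the current time only, there is nothing for an attacker to phish in advance and nothing to reuse afterwards; the weak point is the enrolment secret itself, which is why the QR code should never be screenshotted into the very Dropbox account it protects.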

2. Use Third-Party Encryption Software

You can encrypt files before uploading them to Dropbox using third-party software. If you choose a client-side (end-to-end, so-called zero-knowledge) encryption tool, the files are encrypted on your machine with a key derived from a passphrase only you know, so Dropbox stores only ciphertext it cannot read and you keep control of the keys.

Here are a few of the best encryption tools to use with Dropbox:

  • Cryptomator – The software is open-source and available on Windows, macOS, iOS, Android and Linux. You use passwords for folders so don’t have to worry about dealing with keys.
  • Boxcryptor – This tool has a solid free version that you can use on two devices and cost-effective options for commercial use. It integrates with top cloud providers, including Dropbox, OneDrive, Google Drive and more. (Note: Dropbox acquired Boxcryptor’s technology in late 2022 and the product is no longer sold to new customers, so check its current status before relying on it.)
  • CryFS – This is another free, open-source encryption tool that works with the major cloud services. It’s available for macOS and Linux but doesn’t yet work on Windows.
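As an added example of what client-side encryption buys you (written for this article, not taken from any of the tools above), here is a minimal Go routine that encrypts a file with AES-256-GCM before it goes into the synced folder, and verifies it on the way back. Binding the file path in as associated data is this example’s own design choice, not a description of how Cryptomator or the others work; the key here is random, whereas real tools derive it from your passphrase with a slow KDF such as scrypt or Argon2. The file name and contents are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Seal encrypts one file's contents with AES-256-GCM before it is placed in
// the Dropbox folder. The 32-byte key stays on the local machine; Dropbox only
// ever receives the output of this function. The file's path is bound in as
// associated data, so a ciphertext cannot be silently renamed or swapped for
// another file's ciphertext without detection.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func Seal(key []byte, path string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the result is nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal. Any modification to the nonce, ciphertext, tag or path
// makes GCM's authentication fail and nothing is returned.
func Open(key []byte, path string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(path))
}

// NewKey generates a fresh 256-bit key. Store it (or the passphrase that
// derives it) outside the synced folder: if the key ends up in Dropbox too,
// the scheme protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func main() {
	key, _ := NewKey()
	// Constructed sample file; not real data.
	blob, _ := Seal(key, "Finance/payroll-2024.xlsx", []byte("constructed sample contents"))
	fmt.Printf("Dropbox sees %d opaque bytes starting %x...\n", len(blob), blob[:8])

	// Flip one bit of the stored file: decryption must fail, not return garbage.
	blob[len(blob)-1] ^= 0x01
	_, err := Open(key, "Finance/payroll-2024.xlsx", blob)
	fmt.Println("tampered file rejected:", err != nil)
}
```

The authenticated mode matters as much as the key: with plain AES-CBC an attacker who can write to your Dropbox folder (or a bug on the provider’s side) could corrupt or splice files without you noticing, whereas GCM refuses to decrypt anything that has been touched.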

3. Limit Devices

If you use Dropbox Business, you can install the service on an unlimited number of devices. In many ways, this is a good thing, of course. One of the main benefits of cloud storage is the ability to access your files anywhere.

However, this can cause security issues. Let’s say you have multiple teams that use Dropbox and each member of each team installs Dropbox on several devices. Every one of those devices holds a synced copy of your sensitive files, so the chance that at least one of them is lost, stolen or compromised rises sharply.

There are multiple options for admins to reduce this risk. Firstly, you can set up device approvals so that nobody can install Dropbox on a device without your confirmation. You can also limit the number of connected devices in the Admin Console. Or manually unlink devices that haven’t been active in a while.

4. Monitor Activity

Dropbox users on any type of plan can check whether unfamiliar sessions are logged into their account. In Settings, open the Security tab: under Web browsers you’ll see every active browser session with its approximate location and most recent activity, and under Devices every linked device. Sign out of or unlink anything you don’t recognise, then change your password.

Admins on Dropbox Business can also keep a close eye on account activity. On the Admin Console, head to the Insights dashboard. Here you’ll be able to see reports on team activities. This includes links created and shared as well as active members and shared folders.

Naturally, you’ll want to watch these reports for anything suspicious, such as a sudden spike in links shared outside the team. If access looks too loose, add password protection or expiry dates to the folders and links concerned.

You can also view team activity by heading to Activity on the Admin Console. Here you can filter activities by member, content or date range. So, if you do suspect something’s up with say a specific folder or staff member, you can look more closely at related activities.
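The Admin Console shows these reports interactively; if you export the activity log, you can also run simple automated checks over it. The following is an added example written for this article (not a Dropbox feature or API) over a constructed, simplified event format whose field names are this example’s own. It flags two patterns worth alerting on: a member logging in from a country they have never used before, and a burst of shared links created in a short window.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a simplified, constructed stand-in for one row of a team activity
// log. The field names are this example's own and not Dropbox's event schema.
// Events are expected in chronological order per member.
type Event struct {
	Time    time.Time
	Member  string
	Action  string // "login" or "shared_link_create"
	Country string // geolocated source of a login; empty for other actions
}

type Alert struct {
	Member string
	Reason string
}

// NewCountryLogins flags a login from a country not previously seen for that
// member. The baseline is learned from the log itself in time order, so a
// member's very first login is never flagged.
func NewCountryLogins(events []Event) []Alert {
	seen := map[string]map[string]bool{}
	var alerts []Alert
	for _, e := range events {
		if e.Action != "login" {
			continue
		}
		if seen[e.Member] == nil {
			seen[e.Member] = map[string]bool{}
		}
		if len(seen[e.Member]) > 0 && !seen[e.Member][e.Country] {
			alerts = append(alerts, Alert{e.Member, "login from new country " + e.Country})
		}
		seen[e.Member][e.Country] = true
	}
	return alerts
}

// LinkBursts flags any member who creates more than limit shared links inside
// a sliding window. A burst like that from an account that normally shares
// little is a classic sign of bulk data being pulled out, by the member or
// by whoever has taken over the account.
func LinkBursts(events []Event, limit int, window time.Duration) []Alert {
	perMember := map[string][]time.Time{}
	for _, e := range events {
		if e.Action == "shared_link_create" {
			perMember[e.Member] = append(perMember[e.Member], e.Time)
		}
	}
	members := make([]string, 0, len(perMember))
	for m := range perMember {
		members = append(members, m)
	}
	sort.Strings(members) // deterministic output regardless of map order
	var alerts []Alert
	for _, m := range members {
		ts := perMember[m]
		start := 0
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++ // slide the window forward until it fits
			}
			if n := end - start + 1; n > limit {
				alerts = append(alerts, Alert{m, fmt.Sprintf("%d shared links created within %s", n, window)})
				break // one alert per member is enough
			}
		}
	}
	return alerts
}

// SampleEvents is constructed data: alice's usual logins from the US and then
// one from Romania, bob creating a dozen links in ten minutes, carol sharing
// at a normal pace.
func SampleEvents() []Event {
	t0 := time.Date(2024, 3, 4, 9, 0, 0, 0, time.UTC)
	ev := []Event{
		{t0, "alice", "login", "US"},
		{t0.Add(24 * time.Hour), "alice", "login", "US"},
		{t0.Add(26 * time.Hour), "alice", "login", "RO"},
		{t0.Add(time.Hour), "carol", "login", "GB"},
		{t0.Add(2 * time.Hour), "carol", "shared_link_create", ""},
		{t0.Add(5 * time.Hour), "carol", "shared_link_create", ""},
		{t0.Add(30 * time.Hour), "carol", "shared_link_create", ""},
	}
	for i := 0; i < 12; i++ {
		ev = append(ev, Event{t0.Add(3*time.Hour + time.Duration(i)*50*time.Second), "bob", "shared_link_create", ""})
	}
	return ev
}

func main() {
	ev := SampleEvents()
	for _, a := range append(NewCountryLogins(ev), LinkBursts(ev, 10, time.Hour)...) {
		fmt.Printf("ALERT %-6s %s\n", a.Member, a.Reason)
	}
}
```

Both checks are deliberately simple baselines; the thresholds (ten links an hour, any new country) should be tuned to how your team actually works, and a travelling salesperson will trip the country rule legitimately, so treat the output as a prompt to look at the Activity view for that member rather than as proof of compromise.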

5. Utilize Selective Sync

Selective Sync is a Dropbox feature that lets you decide which folders or files to sync to your hard drive. The purpose of this is to free up hard drive space but we can also use it for security purposes.

It’s good practice to keep on your hard drive only the folders you need, when you need them. That limits what an attacker who gets hold of the device can read. It is not a substitute for full-disk encryption (FileVault on macOS, BitLocker on Windows), which protects whatever you do sync if the device is lost or stolen.

On the desktop app, go to Settings and select Preferences. Choose the Sync tab and under Selective Sync click Selective Sync… on Windows or Choose folders on Mac. Here, you’ll be able to check and uncheck folders to choose what gets stored on your hard drive. Don’t forget to click Update to save your changes.

6. Remove Unnecessary Apps or Integrations

Generally, it’s a good idea to delete accounts and uninstall apps from your phone or other devices if you haven’t used them in a while. An app you no longer use still carries the permissions and access tokens it was granted, so if it is compromised, whatever it could reach on your device or in your accounts is exposed.

So, if you’re not using an app, why have that potential entryway to your device? Deleting stuff minimizes the risk. And the same goes for apps or integrations connected to Dropbox.

Furthermore, as mentioned above, Dropbox is able to share your personal information with certain third-party apps. Essentially, you need to be careful which apps or integrations you give permissions to via Dropbox.

And if you have no need for the integration anymore, simply disconnect it from your Dropbox account. In Settings, go to the Connected apps tab, click the arrow next to the app you wish to disconnect and select Disconnect.

7. Explore Dropbox Alternatives

As mentioned above, you may wish to use a different file-sharing or cloud storage service. The following offer end-to-end (so-called zero-knowledge) encryption, meaning the provider never holds your keys:

  • pCloud – This is a secure, high-speed solution that’s particularly great for working with media files. pCloud has monthly and lifetime plans available.
  • Sync – This service was built with data privacy in mind and offers end-to-end encryption. All Sync packages come with unlimited data transfer so it’s a good choice if you work with large files.
  • Tresorit – Your folders are placed in secure vaults called Tresors for extra protection. The service offers secure collaboration and sharing.
  • CertainSafe – This is marketed as one of the most secure cloud storage services on the market. Along with end-to-end encryption, it advertises “military-grade” security and a proprietary MicroEncryption process. Bear in mind that “military-grade” is a marketing term rather than a standard, and that a proprietary, unpublished encryption scheme cannot be independently reviewed the way AES or open-source tools can.

Summing Up

Dropbox is a secure way to store and share your files. Its security infrastructure and encryption are strong. Its additional security features, such as the ability to monitor and manage activity also beef up security.

However, it’s not the most secure file-sharing service and there are some data privacy concerns you must keep in mind. According to Dropbox’s privacy policy, they have the right to share your personal information and activity with third parties.

In the end, you have two options. The first is to do everything in your power to make Dropbox secure for you and your business, for example, by limiting the number of devices connected to the account or the number of files synced to your hard drive.

The second option is to find a more secure alternative to Dropbox. CertainSafe is this article’s pick for security, but you’ll still have to weigh your options: whether it fits your budget, whether it has the collaboration features your company needs, and whether you can verify its security claims.
