“The Dropbox problem” is the term applied to the widespread and problematic use of consumer-focused file sync and share tools that was popularized by Dropbox, the most commonly used tool in this space. In fact, a search for “the Dropbox problem” in Google returns nearly 4,000 results.
To be fair, however, there are a large and growing number of tools similar to Dropbox that are offered by a wide variety of cloud providers. Moreover, most of these tools work as advertised – most provide users with several gigabytes of cloud storage and allow them to synchronize any file across all of their desktop, laptop and mobile platforms automatically.
And therein lies the problem: these tools allow any file to be synchronized across any device by any corporate user without the oversight or control of that user’s IT function. This means that corporate financial information, employee records, customer financial information, embargoed press releases, and any other sensitive or confidential information can be synchronized to any user’s device without first being encrypted, without an audit trail established to track the data, without an ability to prevent critical information from being modified, without any control over who has access to this data, and without any control over where and by whom that data is stored. This creates enormous legal, regulatory, privacy and other risks for an organization that allows these tools to be used.
The good news is that most decision makers and influencers are at least beginning to take the problem seriously. In a survey conducted by Osterman Research in January 2015, five out of six IT decision makers and influencers told us they are at least “somewhat” concerned about the use of consumer-focused file sync and share tools – and nearly one in five are “very concerned”.
We have just published a white paper on this issue that discusses the results of our research and offers some guidance on what organizations can do to address the problem they face from unmanaged file sync and share tools used in their organization. You can download the white paper here.
Targeted email attacks are a serious issue for organizations of all sizes and across every industry. Various industry research has shown that these focused emails are by far the number one initial attack vector for targeted attacks on enterprise data. In fact, they account for more than 95% of initial intrusions that lead to important data breaches. Moreover, Osterman Research found in a survey conducted during September 2014 that 47% of organizations considered targeted email attacks to be a very high priority to address and prevent, while only one in six organizations considers them to be a low priority.
While virtually all organizations have deployed security solutions that will block spam and known malware, most have not implemented solutions that will deal with the much more serious problem of targeted email attacks.
Targeted email attacks are not run-of-the-mill malware incursions. These attacks use sophisticated delivery techniques and advanced malware that will normally not be recognized by standard email and endpoint security solutions. Additionally, these attacks provide an entry point into the larger organization and its sensitive data, wreaking havoc on an organization’s finances, its intellectual property and its other sensitive or confidential data. Organizations of all sizes are the victims of these attacks and those that are successfully breached will experience critical business impacts, inclusive of damage to reputation, unexpected legal, regulatory and response costs and more.
We recently published a white paper about Targeted Email Attacks that discusses five key issues:
- Targeted attacks and advanced threats that result in data breaches are most often initiated by targeted email attacks. While a great deal of press attention focuses on attacks directed against large retailers and other high-profile companies, all types of organizations regardless of size and industry vertical are being subjected to attack.
- A single employee can be an entry point for a full-blown attack on the corporate network, sensitive data assets or financial accounts. Senior staff members like CFOs or CEOs are sometimes targeted in highly specific attacks, but the much larger attack surface is comprised of every employee in an organization.
- Users must be the first line of defense in thwarting targeted attacks; they require thorough and ongoing training to detect the social engineering techniques that these attempted attacks are employing.
- However, because targeted email attacks employ advanced malware, employee training is simply not enough – sophisticated technology to detect these threats is essential to prevent these attacks from achieving the loss of financial or other data for which they are designed. Further, while employees should serve as an important line of defense against threats, in many cases it is unrealistic to expect employees to keep abreast of every changing social engineering tactic.
- Ninety-one percent of organizational decision makers do not wholeheartedly agree that their current email security solution is sufficient to protect them from targeted email attacks. This, despite the fact that security professionals understand the problem.
You can download our white paper on Targeted Email Attacks here.