Bartering our Privacy

Many years ago I worked for a brilliant man, an industry analyst who did groundbreaking work in developing models for delivering broadband services to residential customers. I recommend you check out his current company, DEEPfutures.

Last August, he wrote a post on LinkedIn discussing new business models for Internet services. It’s a good read, but I disagreed with a key point that he made about the business model of presenting ads based on personal data:

“That business model is an unequal barter. In old-style, traditional barter, a farmer might trade a sheep and two chickens to have the barn roof repaired: both sides would have calculated the value and benefit. In our unequal barter, we trade all our personal information for…cat videos [and] free-to-us online services: Gmail, Facebook, Whatsapp, Twitter, etc. It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data. It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.”

I disagree with this statement in two key areas:

  1. “It’s unequal in that we, the users, have no say over or insights into the value the adtech giant firms abstract from our data.” Yes, it may be unequal, but it’s certainly not unfair. In the old-style barter system, we assume that the farmer traded his sheep or chickens to the roof repairer so that the latter could feed his family. But what if the roof-repairer had discovered a way to make chickens lay golden eggs and he could generate millions of dollars in income going forward? That’s still not an unfair barter, since the farmer received something valuable — a now leakproof roof — in exchange for something he considered valuable. In the same way, companies like Google, Facebook and others who give us cat videos or apps in exchange for our data are providing something of value — we don’t lose in the bargain if they are smart enough to turn our data into something more valuable than we consider it be when we hand it over.
  2. “It’s also unequal in that all people’s data, mine, yours, a billionaire banker’s, a poor farmhand’s, are traded for the same “free” service, although our data clearly have different utility and value to the adtech companies and their customers.” Here again, that doesn’t really make the barter unfair — if adtech companies find more value in a billionaire banker’s data than they do in the data from a farmhand, but are willing to provide the same free services to both, that’s not really unfair to the banker or farmhand. These individuals, as well as the adtech companies, are willing to enter into a barter relationship for something they each perceive to be of value.

This should not be interpreted as any kind of defense of Google, Facebook or others who have clearly demonstrated that they often play fast and loose with others’ data. Nor is it a defense of adtech companies and others that take your data without permission. For example, TechCrunch has found that companies like Air Canada and Hotels.com will record your mobile phone interactions, sometimes without permission. That’s not barter, since something of value has been taken from you without your consent in exchange for nothing in return.

Instead, I believe the fundamental problem is that too many aficionados of cat videos and various types of “free” apps place too little value on their privacy. They are too quick to hand over their data without first considering the consequences of doing so. The transaction is fair, but the adtech companies are thinking critically about what they can do with data owned by people who don’t think critically about entering into a relationship with them.

Any unfairness in the bartering between individuals and adtech companies will be solved only when the former begin to think seriously about the implications of handing over data without first considering the consequences.

Some Ideas, Other than Fines, to Reduce Data Breaches

An idealist might view the European Union’s General Data Protection Regulation (GDPR) as an effective means of reducing the number of data breaches by imposing massive fines on those who lose control over the private data of EU residents. A cynic might view the GDPR simply as a means for the EU to make lots of money from those who violate it, while not having much impact on reducing the total number of data breaches.

The truth might lie somewhere in the middle.

In terms of good news about the efficacy of the GDPR, Cisco recently released a report showing that only 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May, compared to 89 percent of non-GDPR-ready organizations that suffered a breach during the same period.

The bad news is that 74 percent of GDPR-ready organizations experienced a breach since the GDPR went into effect last May.

Corroborating the fact that data breaches are still running rampant is a DLA Piper report showing that more than 59,000 data breaches occurred in Europe during the eight months since the GDPR went into effect, or roughly 10 breaches per hour. The DLA Piper data shows that data breaches are significantly more common than the 41,502 breaches reported by the European Commission for the same period.

The continuing high rate of data breaches should not be used by corporate decision makers as an excuse for not complying with the GDPR. Every organization should do so for a couple of reasons: first, it’s the law and decision makers should comply with the law. Second, becoming GDPR-compliant will make organizations and the data they process and control safer and less likely to be breached.

Plus, complying with the requirements of the GDPR is a good idea because they make sense: encrypt data, keep it only for as long as you need it, ensure that third parties that have access to data comply with good data governance practices, enable data owners to have control over information about them, and so forth.

What might not be such a good idea is imposing massive fines on companies for data breaches because big fines often don’t work. For example, in 2015 five US banks were fined $5.6 billion for their role in colluding to manipulate interest rate and currency markets, yet some concluded that the fines had little impact on the future behavior of these institutions. In January of this year, Google was fined €50 million (~$57 million) in France for GDPR violations, or about 0.04 percent of the company’s 2018 revenue – a drop in the bucket for a company this large. Even at a personal level, huge fines have little impact: for example, in 2014 the State of Illinois imposed new anti-littering laws that, for a third offense, impose a fine of $25,000 and a felony conviction on the offender. The result in the first three months of the new law was that very few citations were issued.

So, what might be a more effective way to reduce data breaches and increase compliance with privacy regulations like the GDPR? Here are three ideas:

  1. Every time a breach occurs, require offending companies to pay for 1,000 randomly selected victims to be flown first class to an exotic location — perhaps a very nice hotel for a long weekend — where victims can meet in a public forum and air their grievances with executives of the company that lost their data. Also require that the event be recorded and made available on the home page of the offending company’s web site for one year following the event. This would allow executives to meet their victims face-to-face and learn first-hand of the pain their carelessness has caused.
  2. Require the CEOs from offending companies to take a three-month sabbatical following a data breach, not allowing them to participate in the day-to-day activities of running their companies.
  3. Instead of imposing fines on offending companies, instead require that these companies spend the same amount on technologies, processes, training, etc. to ensure that their data processing practices are improved so as to prevent future data breaches. The spending plan and expenses could be monitored by a third-party consulting firm not connected with the offender.

While these ideas certainly won’t prevent all future data breaches, they might be more effective than slapping offenders with big fines that dissipate into a government bureaucracy.

How Secure Can Your Company Be?

Last week, Cisco released an interesting report entitled Maximizing the value of your data privacy investments. Among the various findings from the in-depth, 18-country survey discussed in this report is that organizations that are mostly or completely enabled to satisfy the compliance requirements of the European Union’s General Data Protection Regulation (GDPR) had a significantly smaller number of data breaches during the past year than their counterparts that are least prepared to satisfy the requirements of the GDPR.

One one level, that’s good news: 89 percent of organizations that are not yet ready for GDPR experienced a data breach, while only 74 percent of GDPR-ready organizations experienced a breach. Clearly, GDPR is having a positive impact on data security.

Then again, that’s not particularly good news: even after going to the significant expense and difficulty associated with GDPR compliance, 74 percent of organizations still experienced a data breach! Of course, we would expect that figure to drop in the future given that the GDPR went into force only about eight months ago, but three in four GDPR-ready organizations still experiencing a data breach is very high.

This kind of result prompts a bigger question: just how secure can any organization be in the context of security? Given that we face a well-funded, intelligent, and collaborative set of adversaries in the cybercriminal community that will always have a guaranteed advantage (we need to protect every point of ingress while they need to break into just one), what is the lowest possible number of data breaches, malware infections, account takeovers, successful DDoS attacks, etc. that we can ever hope to achieve? Could a large organization not experience even one data breach in the course of a year? Could it not experience even a single malware infection? Could it prevent every insider threat? Could every CFO recognize every CEO Fraud attempt?

Probably not. So what is the target at which we’re aiming? A senior executive team or board of directors that is asked by the CIO for a 20 percent budget increase to improve security probably should know what they can expect to gain from that kind of investment. A vendor marketing a new technology to combat CEO Fraud or account takeovers would find it beneficial to their sales and marketing efforts if they could provide some concrete metrics about what their prospective customers could hope to gain by implementing their solution. Vendors of security awareness training would be well served by being able to report an X-percent reduction in successful phishing or ransomware incursions after employees were properly trained.

In short, it’s highly unlikely that any organization will ever reduce the success of cybercriminals’ efforts against them to zero. But what can we reasonably expect to achieve?

Inbox Zero? Why Not Inbox Giganticus?

We hear lots about “Inbox Zero” and why it should be the goal of every business professional. The purpose of emptying one’s mailbox, according to the proponents of this approach to mailbox management, is to eliminate clutter, get better at prioritizing tasks, delegate work to others, de-stress, gain more control over one’s information, or some combination of these and other factors.

But is it a good idea?

Yes, if you view email solely as a communications platform. No, if you view email as a combination of communications, file transfer, file storage and business intelligence. I fall into the latter camp — here’s why:

  • Email storage is cheap: from a cost perspective, there’s no advantage of minimizing email storage in an era of 50-gigabyte or larger mailboxes.
  • Keeping old email is useful: you can search years’ worth of email quickly and easily to retrieve old communications with clients, colleagues, prospects and the like. You can see what files you sent others and when they were sent. You can easily resend information that was not received by a recipient. You can follow conversations in email to see how they develop. You can determine how quickly people respond to your emails. Yes, all of these things can be done with a good archiving system, but not all businesses have an archiving platform (even though they should), particularly small businesses.
  • It can make you more efficient: instead of spending time reviewing, filing, deleting or otherwise managing emails on a daily basis, you can simply ignore the less important ones until you have the time or inclination to deal with them. Moreover, you can deal with some types of emails in batch mode on a weekly or monthly basis instead of handling each email individually every day.
  • You have a defensible a record of your conversations: in the event that someone disagrees with your record of what happened with a client or a vendor, for example, an email thread can easily support your position and quickly resolve any disagreements that might occur.
  • It saves you time: even if it takes only three seconds to deal with each email, someone receiving 150 emails each work day will save about 31 hours per year by not clearing his or her inbox each day.

Just my two cents for your consideration.

If Your Job Depended On It, How Would You Prevent a Data Breach?

Data breaches are an almost daily event and the problem is getting worse over time (although 2018 may end up being not quite as bad as 2017). If your job as an IT or security professional was dependent on preventing data breaches for your organization (and it very well could be), what steps would you take to prevent them? Here are a few ideas:

  • Understand where your data lives
    Our research has found that many decision makers really don’t know where all of their data is located. This is partly due to poor management of data, but also by the explosion of “Shadow IT” that enables employees to store data on personal devices, their own cloud accounts and in a variety of other places beyond the control of IT. To correct this problem, IT should conduct a thorough audit of every potential source of corporate data and bring it under the control of IT. That’s much easier said than done, but it’s essential if an organization is to regain control of its valuable data.
  • Analyze your data
    After the location of all corporate data is known and brought back under IT control, it should be analyzed as part of a good information governance protocol to determine what can safely be discarded, what data is subject to various compliance obligations, the duplicate data that is being stored, and so forth. This will reduce the volume of data that must be managed and identify what needs to be better protected, leaving less data available to breach.
  • Implement the appropriate access controls
    Implement robust identity access management to ensure that users have access to data only on a need-to-know basis. Implement risk-based authentication to ensure that more valuable assets require a greater degree of authentication than just username and password, but use multi-factor authentication at a minimum…everywhere. Implement user behavior analytics to ensure that anomalous behavior (e.g., unusually large file downloads or accessing sensitive data resources at odd times) is recognized and access to data is restricted, approved or blocked, as appropriate.
  • Train users
    It’s essential to educate users about how to protect corporate data. That means common sense things like not sending sensitive or confidential data without encryption, not using personal webmail or file-sharing services to send corporate data, not clicking on email links or attachments unless the identity of the sender is known and trusted, not visiting inappropriate web sites, not using personal webmail at work, being skeptical of requests delivered through email, not clicking on links in social media posts without first verifying their validity, not logging into unsecured Wi-Fi networks (e.g., at airports or coffee shops) without using a VPN or appropriate controls, not oversharing on social media, and maintaining robust security software on personal devices and networks if they are going to be used to access corporate networks or data resources.
  • Use air gaps wherever you can
    Not everything should be online. Old databases, older archived data and other data sources that are valuable, but rarely accessed, should be air-gapped to prevent breaches of this data.
  • Encrypt devices
    One of the most common sources of data leaks is the loss of laptops and mobile devices that contain unencrypted data. Every device must be encrypted to ensure that even if a device is lost, the data on it will remain inaccessible. Plus, the loss of encrypted data will, in most cases, not trigger requirements under data breach notification laws.
  • Encrypt data
    All data should be encrypted – at-rest, in-transit and in-use.
  • Evaluate your providers
    The typical large enterprise employee more than 1,000 cloud providers in addition to many non-cloud providers. It’s your responsibility to ensure that each of these providers maintains appropriate security controls for your data under their control. Regulations like the General Data Protection Regulation codify these types of requirements, but it’s good to implement this best practice even in the absence of a specific external requirement to do so.
  • Establish multiple and disconnected communications channels
    One of the most financially damaging types of data breach is CEO Fraud or Business Email Compromise, in which a cybercriminal impersonates a CEO or other high ranking official to someone in the organization like a CFO or HR staffer. The recipient will often trust the message and execute the requested action, which might include initiating a wire transfer or sending W-2 data on employees. By establishing a communications backchannel, such as text messaging on mobile phones, the validity of the request can be confirmed.
  • Implement DLP
    To prevent malicious and inadvertent data breaches, implement a data loss prevention (DLP) capability that will inspect outbound emails, file transfers and other outbound content for sensitive data that is being sent without encryption, information being sent to competitors, emails sent to the wrong party, and so forth.

These are just a few ideas that will help to mitigate, if not prevent, data breaches. Of course, every organization should implement a robust information governance program, but these are some good steps that will help to move an organization in that direction.

Cybersecurity Predictions for 2019

Around this time of year, it seems as though everyone publishes their predictions about what they think will happen during the next 12 months. Being one in that “everyone”, I decided to follow suit:

Boards of directors will be a focus for security education
Boards of directors’ knowledge about business issues is generally quite good, but knowledge about security issues is typically not their strong suit. As a result, CISOs, security managers and others charged with providing security for their organizations often feel overstressed and under supported. However, we believe that 2019 will be a turning point during which boards will get serious about security. This enlightenment will be driven by high profile data breaches (the Marriott data breach of 500 million records figuring prominently in this awakening) and will take the form of making more CISOs board members, discussing security issues at most or all board meetings, and accelerating funding for security in most organizations.

Ransomware will make a comeback, but with low ransom demands
The ransomware problem was terrible in 2016, got worse in 2017, softened a bit in 2018, but will make a comeback in 2019. However, we believe that the focus of ransomware authors in 2019 will be low level ransom demands, perhaps on the order of $20 to $40. The goal of cybercriminals will be to make ransom demands low enough to make paying the ransom an easy decision akin to an impulse buy at a supermarket check stand. Moreover, these ransom demands will come with full instructions about how to pay the ransom using Bitcoin or other cryptocurrencies.

Cryptocurrency mining will become a much more serious threat
Osterman Research believes that the price of Bitcoin will recover significantly from the significant drop it has experienced during 2018. This will motivate more external cybercriminals to infiltrate corporate systems for the purpose of installing cryptocurrency mining malware on various corporate servers, and it will motivate some insiders to do likewise.

Home routers will become a greater focus of corporate security managers
The large number of employees who work some or all of the time from home, coupled with the fact that 83 percent of routers in the US have unpatched vulnerabilities, leads us to believe that a rapidly growing threat focus will be employees working from home. The relatively low use of VPNs, which ranges from 18 percent to 30 percent worldwide, will contribute significantly to this threat and will motivate corporate security managers to address the security of their employees’ home-based security infrastructure in a much more serious way.

Malware will be used to damage the reputations of celebrities and high level government officials
A tool commonly used to tarnish the reputations of celebrities, nominees to high level government positions and others is to reveal information they have posted to social media in the past, sometimes many years past. Osterman Research believes that in a few cases during 2019, some will go one step further and use malware to install compromising content on the computers, social media accounts or cloud accounts of celebrities and others. For example, while malware has been used in the past to install child abuse images on the computers of victims, such as in a 2009 case involving an employee for the Commonwealth of Massachusetts, we believe this approach will be used to discredit a few high-profile individuals in 2019.

The market for security awareness training will grow significantly
Employees are the last line of defense in any security infrastructure. Because technology-based solutions cannot block 100 percent of malicious content 100 percent of the time, employees need to be trained to deal with the phishing, spearphishing and other threats that will inevitably reach them. While the market for security awareness training has been growing at a healthy pace over the past several years, the fairly recent spate of acquisitions in this space by mainstream security solution providers will accelerate the trend at an even faster pace.

The market for web isolation technology will explode
A significant share of malware and other threats enters the corporate network through web browsing, webmail access and the like. To combat this, organizations of all sizes will increase their use of web isolation technology to prevent this avenue of attack from being effective. While these technologies have been available for several years, we believe that 2019 will be the breakout year for them.

A Proposal for Archiving in Government

There are two fundamental problems with electronic content archiving in the US Government:

  1. Government employees, particularly senior staff members, are largely in charge of what gets archived and what doesn’t, and what archived content is retained or deleted.
  2. Many government employees use their personal accounts (or, in some cases, their own servers) to conduct government business.

Here’s a simple proposal to address these problems:

  • Every bit of information in emails, text messages, social media posts, files and all other content sources generated by government-owned devices, servers, cloud services and other platforms should be archived by an independent government entity, such as the National Archives and Record Administration (NARA) or the US Government Accountability Office (GAO). This means that every government server automatically archives everything, without exception, and without advice from the employees whose content is archived.
  • Every government employee should be required to agree to one of the following: a) all of their personal emails, text messages, social media posts, files and all other content they generate on personal devices (or personal servers) will be securely archived by an independent government entity; or b) if they opt not to submit to having personal content archived and are later found to have been using a personal device or personally managed platform to transact government business, they will pay a fine equal to the past five years of their gross income and will relinquish any government pension for which they might have been eligible.
  • The independent entity that archives content will determine, at its sole discretion, what can safely be deleted from the archive. Things like spam, phishing emails, content that has no value as a record, and so forth, can be deleted based on policy established by NARA, the GAO or some other independent entity. However, the government employees whose information is archived cannot provide input or be consulted about the content that is retained or deleted. They should be able to access these records, but not provide input about what is retained or not.
  • All content that is retained must be kept for a minimum of 30 years unless NARA or a court determines that a longer retention period is warranted.

Information Overload is a Myth

A search for the term “information overload” in Google returns 3.68 million results, the second of which is a good definition of the problem: “exposure to or provision of too much information or data.” Wikipedia expands on the issue by defining it as “…a term used to describe the difficulty of understanding an issue and effectively making decisions when one has too much information about that issue. Generally, the term is associated with the excessive quantity of daily information.”

While the definitions are accurate, the fundamental issue with information overload is not really a problem with having too much information. Instead, it’s that we don’t have information curated in such a way as to present a limited set of the right information. For example, when I type “who starred in the movie grand prix” into Google, the first thing that shows up are photos of the cast. Google also provided many pages of additional search results, but curated a limited set of options that were most relevant to my inquiry, and it was the first one that satisfied that query. So, if Google had returned 300,000 other links and images, I would not have been overloaded with information because I could disregard everything but the right answer presented to me at the top of the list.

Similarly, if I need to find an email I sent to a prospect three days ago, does it matter if I have 36,745 emails in my inbox if my search returns just the email I was seeking? Not really.

So, what we’re really talking about with information overload is a lack of good search and good curation, which often begins with inadequate archiving of the right information. In the workplace, that lack of good search, curation and archiving manifests itself in a number of ways, most notably in the amount of time that employees spend searching for information. For example, a Software Advice survey found that some employees spend at least six hours per week searching for paper documents. A McKinsey report discovered that employees spend an average of 9.3 hours per week searching and gathering information. When it comes to information that is even more difficult to find, such as the job and client experience of my fellow employees that I might bring to bear on solving a problem, it may take even longer to find this information, if I can find it at all. Add to this the problem of information held in various silos across the enterprise and the situation becomes untenable, leading to regulatory, legal and employee productivity problems of various types.

Consequently, information overload really is not a thing — but inadequate search, curation and archiving definitely is.

Your Most Important Information Silos

I had the pleasure of attending Igloo Software’s annual ICE conference in San Antonio last week. The conference was very well run and held in a beautiful venue in the Texas hill country, and was something of a cross between a tech conference, a seminar on HR issues, and a symposium on the future of work. Very definitely time well spent and next year’s conference in Las Vegas will be free — Igloo’s president has even invited the company’s competitors to join the conference!

Igloo is in the business of providing a “digital workplace” — a digital destination that allows employees to get information, share information and integrate a growing variety of corporate tools like email and file sharing into a centralized, cohesive experience. One of the fundamental goals of the Igloo platform is to significantly reduce the friction that exists in the traditional employee communication and collaboration experience that relies on email, file-sharing platforms and other less-than-ideal collaboration tools. Using  the Igloo platform, employees can blog, share documents, find people within the company, manage tasks, share calendars, search for information and perform a wide range of other activities.

The ultimate goal is to improve employee engagement, which most all senior managers would acknowledge is valuable, but which too few prioritize with the resources necessary to make it happen. For example, a Towers Perrin study found that only 21 percent of employees are “engaged” on the job, eight percent are fully disengaged, and the rest are, at best, only partially engaged. Yet the more employees are engaged, the less likely they are to leave their employer, the lower their rate of absenteeism, the less likely they are to make mistakes on the job, and the more likely they are to please their customers — all of which results in lower costs and higher revenues.

One of the key benefits of Igloo’s digital workplace and solutions like it is the ability to reduce the negative impact of information silos. We hear lots about information silos in the context of physical repositories like email, CRM, ERP, HR systems and the like, and how these silos are proliferating as more cloud-based solutions are employed. Siloed information results in higher costs and more mistakes for activities like eDiscovery, litigation support, regulatory compliance or even just informal searches for data. Imagine, for example, conducing a Subject Access Request under the GDPR and you had 250 different silos of information to search through to find the requested information.

But what about your most critical information silos — the ones who go down the elevator shaft every night? Your employees are incredibly valuable sources of information that can provide enormous value above and beyond just what they do for your company — what they know that is not directly related to their job is also valuable. For example, what if Bob the salesman is trying to sell your company’s solutions to XYZ company. Would it be useful for Bob to know the decision influencers in XYZ that don’t show up on the organization chart and that might not have been at his introductory meeting? Maybe Alice the purchasing manager, who used to work at XYZ, might be able to provide some insight on who these influencers are. But if Bob and Alice don’t work together or even know each other, how is that going to happen? A digital destination that includes information on employees’ past experience can be the type of tool to bring employees together by breaking down the personal silos of information that we all possess.

Plus, a key value of a digital destination shared by most or all of the employees in a company is that it can bring people together in unexpected ways. For example, maybe Bob and Alice share photos of their pets or details of their river cruise down the Danube on the corporate digital workplace. That might be the catalyst that could start a conversation between the two that might end up providing useful information for Bob as he tries to sell into XYZ. At a minimum, a digital workplace enables a freer flow of information than would otherwise be possible and, hopefully, will make employees more engaged.

An Interesting Approach to Encryption

Encryption is essential for communications and files that contain sensitive or confidential information, and it’s important on a number of levels:

  •  Users and their employers need to protect sensitive content like intellectual property, trade secrets, marketing plans, and even content like embargoed press releases when sent through email or stored in the cloud.
  • They also need to protect content that is subject to privacy regulations like the GDPR in order to avoid running afoul of their regulatory obligations.
  • Cloud providers need their customers to use encryption to prevent governments from successfully accessing confidential files: if customers’ files are encrypted and therefore inaccessible to providers, that effectively lets them off the hook, since they have no access to their customers’ content.

PreVeil has released an interesting technology that is designed to encrypt users’ emails and files. The system offers end-to-end encryption of content using the Curve 25519 and XSalsa20 ciphers, including email subject lines and file names (FIPS-compliant algorithms are also available). Every email and document sent through PreVeil is encrypted with a unique key and no key is ever visible to the server that stores the information. Users each receive a public/private key pair, with the public key stored on the server and the private key stored only on each user’s individual devices. All document creators digitally sign document keys to ensure the authenticity of the content they’re accessing.

A unique feature of PreVeil’s encryption technology is its use of “Shamir Secret Sharing”, a technique that allows the distribution of users’ keys among what PreVeil calls an “Approval Group”. Each user’s key is cryptographically fragmented and distributed among members of the group. While each of these fragments are stored by PreVeil on its servers, the keys used to decrypt each fragment are not stored in a central location. This provides an extra level of security that can help to prevent damage resulting from the takeover of an administrator’s privileged account.

PreVeil is designed to integrate with various email clients, including Microsoft Outlook and Apple Mail, and also offers PreVeil Drive, which the company bills as an alternative to Dropbox, OneDrive, Box and other file-sharing solutions.

Pricing for PreVeil varies from free for individual users that offers one gigabyte of storage, to $10 per user per month for 100 gigabytes of storage, to $20 per user per month for corporate users (five terabytes of pooled storage).

More information on the company is available here.