If you’re launching the due diligence process for your firm’s next (or first) acquisition, you may be asking yourself: is using Dropbox for due diligence okay? Have you been tasked with managing your company’s capital-raising initiative and need a way to share sensitive information? If so, your to-do list probably includes finding a solution for managing all the documents involved in these activities.
Dropbox – Easy Sharing, Simple Back-Ups. Secure? Not so much.
Dropbox is one of the oldest and most popular file sharing and storage services. Its most basic plan, which includes 2 GB of storage and access from phone, computer, or tablet, is free. For small deals, the ‘free’ price can be compelling, especially when you’re charged with frugally managing company funds.
If you need additional space, you can purchase a subscription starting at $12.50 monthly per user for 2 TB of storage. The Advanced plan, at $20 per user per month, has unlimited storage and adds security features for sign-on and file management. The Enterprise plan, which requires a call to get pricing, adds further administrative restrictions and provides round-the-clock technical support.
“$20 per user sounds great,” says the money-managing bot on your shoulder, “sign up for that one.”
“But wait,” says the security-driven bot on your other shoulder, “are you sure our data will be fully secure with Dropbox? Will we really have the controls we need to reassure our leadership team about the integrity of the process? And we have a fairly large team. Is Dropbox the best value? I think CapLinked offers a better price for multiple users. And remember, we’re in an acquisition negotiation. Our legal team needs streamlined communication with the bank and Company Zed. Is using Dropbox for due diligence the most efficient and secure solution?”
We recommend you listen to the security-driven bot.
Why Dropbox’s Security Isn’t Enough
Dropbox’s best-known security incident began in 2012 and did not become fully public until 2016. In 2012 the company disclosed that an employee account had been compromised and a document containing user email addresses taken. In 2016 it emerged that the same intrusion had yielded a full set of account credentials, and Dropbox reset the passwords of every user who had not changed theirs since mid-2012, roughly four years earlier. The hack was much, much bigger than the company had originally admitted.
When the Vice-owned tech publication Motherboard reported on the incident, it had obtained the stolen data: some 68 million account records. Security researchers confirmed the records as genuine within days. It was the biggest breach in Dropbox’s history, and it illustrated the danger of hosting sensitive material on a consumer platform. Unlike a secure VDR, or virtual data room, which is built to hold deal documents under layered access controls and continuous monitoring, Dropbox let a breach it had only partially disclosed in 2012 sit for years while the stolen data circulated among attackers who set about cracking the password hashes.
By September, the five gigabytes of stolen data, containing email addresses and hashed passwords (roughly half hashed with bcrypt, the rest with salted SHA-1), were reportedly for sale on the dark web for two bitcoins, about $1,200 at the time. Even today, anyone can check whether an address appeared in the Dropbox dump on haveibeenpwned.com, which lets you enter an email address to see whether it turned up in any of the many data breaches catalogued over the years.
But what took most people by surprise during the 2016 Dropbox fiasco was that while the company had announced that an attack had occurred in 2012, the scope of it was seemingly kept under wraps for years. If they could stay silent on a hack of this magnitude, the reasoning goes, how could they be trusted to keep your documents and account information safe?
It’s a legitimate concern, and it’s precisely why secure VDRs exist: to enable document collaboration and review while strictly controlling user access and data permissions. It also shows how breaches compound. Users are creatures of habit and password reuse is common, so a credential dump from one service becomes a set of working logins at every other service where the same password was used. That is exactly the mechanism behind Dropbox’s 2012 incident: an employee’s password, exposed in an earlier breach of another service and reused at Dropbox, was all the attacker needed to get in.
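The credential-reuse risk above is why teams check passwords against known breach dumps before allowing them. The following is an added example written for this article, not code from Dropbox, CapLinked or haveibeenpwned.com: it implements the client side of the Pwned Passwords k-anonymity range API (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>), so the password itself never leaves the host. The live request is isolated in `fetch_range()`; the sample response is constructed and the counts in it are made up.

```python
"""Check a password against the Pwned Passwords corpus without revealing it.

Added example for this article; it is not CapLinked or Dropbox code. It uses the
public k-anonymity range API (GET https://api.pwnedpasswords.com/range/<first 5 hex
chars of the SHA-1>): only the 5-character prefix leaves the host, the server returns
every suffix it knows under that prefix, and the match is done locally. The live
lookup is isolated in fetch_range(); the demo below runs offline against a
constructed response.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; the API is keyed on this digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """First five hex chars are sent to the API; the remaining 35 stay local."""
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank or malformed lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        try:
            counts[suffix.upper()] = int(count)
        except ValueError:
            continue  # tolerate one bad line rather than fail the whole check
    return counts


def check_password(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus; 0 means not seen.

    range_body must be the API response for this password's own 5-char prefix.
    """
    _, suffix = split_hash(sha1_hex(password))
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network). Not used by the offline demo."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    with urllib.request.urlopen(RANGE_URL.format(prefix=prefix), timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the response to /range/5BAA6 (not captured from the API).
# The first suffix is the real SHA-1 tail of "password"; the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:2
FFEEDDCCBBAA99887766554433221100FFE:0
"""

if __name__ == "__main__":
    prefix, _ = split_hash(sha1_hex("password"))
    print(prefix)  # 5BAA6: the only thing that would go over the wire
    print(check_password("password", SAMPLE_RANGE_5BAA6))  # 9545824
    # A different password has a different prefix and would need its own range;
    # reusing this body here simply demonstrates a miss.
    print(check_password("not-in-the-sample", SAMPLE_RANGE_5BAA6))  # 0
```

In a real deployment you would call `fetch_range(prefix)` and pass its body to `check_password()`; a non-zero count is grounds to reject the password at enrollment or reset time.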
The bigger operational problem is how Dropbox handles sharing. Any file or folder switched to a public link, deliberately or by accident, can be opened by anyone who holds the URL, with no Dropbox account and no login. Because no identity is attached to those requests, there is little for anyone to work with afterward when trying to establish who actually viewed a particular file or folder. Dropbox encrypts files at rest with 256-bit AES and protects data in transit with TLS, but encryption protects data from outsiders, not from holders of a valid login or a public URL; once someone has either, you cannot tell their access from legitimate use, let alone prevent it.
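A team that is nonetheless on Dropbox should at least know which of its links are open to the world. The following is an added example for this article, not Dropbox’s or CapLinked’s code. It assumes the response shape of the Dropbox API v2 endpoint `POST /2/sharing/list_shared_links` as recalled by the editor (a `links` array whose entries carry `url`, `path_lower`, `link_permissions.resolved_visibility[".tag"]` and an optional `expires`, with `has_more`/`cursor` for paging); verify those names against the current API reference before relying on them. The response it audits is constructed, not real account data.

```python
"""Flag Dropbox shared links that can be opened without a login.

Added example for this article; it is not Dropbox's or CapLinked's code. It assumes the
response shape of the Dropbox API v2 endpoint POST /2/sharing/list_shared_links as the
editor recalls it: a "links" array whose entries carry "url", "path_lower",
"link_permissions" -> "resolved_visibility" -> ".tag" (e.g. "public", "team_only",
"password") and an optional "expires" timestamp, with "has_more"/"cursor" for paging.
Check those names against the current API reference before relying on them. The
response below is constructed, not real account data.
"""
import json
from datetime import datetime, timezone

# Visibilities where the request carries no user identity.
NO_IDENTITY = {
    "public": "high",      # anyone holding the URL, no login at all
    "password": "medium",  # a shared secret, but still no per-user identity
}

SAMPLE_RESPONSE = json.dumps({
    "links": [
        {".tag": "file", "name": "term-sheet.pdf", "path_lower": "/deal-zed/term-sheet.pdf",
         "url": "https://www.dropbox.com/s/abc123/term-sheet.pdf?dl=0",
         "link_permissions": {"can_revoke": True, "resolved_visibility": {".tag": "public"}}},
        {".tag": "folder", "name": "legal", "path_lower": "/deal-zed/legal",
         "url": "https://www.dropbox.com/sh/def456/AAAxyz?dl=0",
         "link_permissions": {"can_revoke": True, "resolved_visibility": {".tag": "team_only"}}},
        {".tag": "file", "name": "cap-table.xlsx", "path_lower": "/deal-zed/cap-table.xlsx",
         "url": "https://www.dropbox.com/s/ghi789/cap-table.xlsx?dl=0",
         "expires": "2030-06-30T00:00:00Z",
         "link_permissions": {"can_revoke": True, "resolved_visibility": {".tag": "password"}}},
    ],
    "has_more": False,
})


def _parse_expiry(value):
    """Dropbox timestamps are ISO 8601 with a trailing Z; return an aware datetime or None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_shared_links(response_body, now=None):
    """Return findings for links reachable without a login, highest severity first.

    Each finding carries path, url, visibility, severity and expiry. A public link
    with no expiry is the worst case: it works forever for whoever has it.
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for link in json.loads(response_body).get("links", []):
        vis = (link.get("link_permissions", {})
                   .get("resolved_visibility", {})
                   .get(".tag", "unknown"))
        if vis not in NO_IDENTITY:
            continue
        expiry = _parse_expiry(link.get("expires"))
        if expiry is not None and expiry < now:
            continue  # already dead; nothing to revoke
        severity = NO_IDENTITY[vis]
        if vis == "public" and expiry is None:
            severity = "critical"
        findings.append({
            "path": link.get("path_lower"),
            "url": link.get("url"),
            "visibility": vis,
            "severity": severity,
            "expires": expiry.isoformat() if expiry else None,
        })
    order = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit_shared_links(SAMPLE_RESPONSE):
        print(f"[{f['severity']}] {f['path']} ({f['visibility']}, expires={f['expires']})")
```

Against a live account you would page through the endpoint with `cursor` until `has_more` is false, feed each page to `audit_shared_links()`, and revoke or add expiries to everything it returns.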
Dropbox’s own documentation is candid about where its security model stops. The help section links users who have been compromised to support, and security researchers are directed to HackerOne, a third-party platform that pays researchers for reporting vulnerabilities in companies’ online services; Dropbox asks for “reasonable time” to fix an issue before it is made public and asks researchers not to access or modify any user data they come across. A bug bounty is standard practice for a company of Dropbox’s size. The more relevant admission for a deal team is that Dropbox does not provide client-side encryption or let customers hold their own keys, which means Dropbox itself can decrypt everything it stores. Users who want that layer must add their own encryption, at their own cost and effort.
Nonetheless, Dropbox professes that the “security of your data is our highest priority.”
We say it doesn’t come close. Dropbox has a history of security incidents going back years, and all the encryption in the world won’t help if an account is compromised, or if Dropbox complies with a legal data request for the information, as it has been known to do. Most people picture hacking as typing at a keyboard until you magically gain entry, but experienced attackers know that the easiest way into a system is usually social rather than technical. Phishing a password, abusing a reset flow, or simply replaying credentials leaked from another site is far easier and typically more fruitful than brute-forcing a login, and credential reuse is exactly what opened the door in Dropbox’s 2012 hack.
That said, Dropbox is reasonably secure as far as general-purpose storage goes, at least for individual use. It encrypts data at rest and in transit, offers optional two-step verification, and says it regularly tests its infrastructure for security vulnerabilities.
But for deal-sensitive data there is no substitute for a dedicated secure document platform. General-purpose cloud storage is not designed for this job, and enterprise-grade virtual data rooms, also known as secure VDRs, provide a far higher level of control than any consumer-level product. Most VDRs include lifecycle controls that let you define when, and for how long, any sensitive document or folder is available. Features such as personalized watermarks and tools that block copying, printing, or saving further tighten those controls.
Support may be the piece that matters most once a deal is live. On consumer and lower-tier business plans for Dropbox, Google Drive, Box.com and similar services, you generally cannot pick up the phone and speak to someone about your account; support runs through a ticket queue, and resolving a problem can take days or weeks. A secure VDR typically includes live support and a data room project manager, who help ensure your data is appropriately secured and available and who can train your team to use the system in a way that maximizes your organization’s security. Compared to a “you figure it out” model, that assistance gets a team up to speed safely. When something does go wrong, 24/7 live support and, for crucial accounts, direct access to local representatives and affiliates are a welcome safety net.
Virtual Data Rooms (VDRs) – Built for Business, Prioritizing Security
Unlike Dropbox, which was developed for consumers to easily share and store files and retrofitted to appeal to business customers, VDRs originated as business storage solutions for activities like capital raising and due diligence. Physical security and document integrity features are also built into the framework of VDRs.
This business-first perspective takes into account the likelihood of multiple users in the virtual data room. Professional vendors like CapLinked offer a basic VDR that is less expensive than the per-user rate charged by Dropbox, Google Drive or other file sharing sites.
What do we mean by physical security? Top-notch secure VDR suppliers, like CapLinked, use data centers protected by trained personnel, surveillance, backup generators, and redundant servers to ensure data protection and continuous access. Digital defenses are layered as well, with multiple firewalls and current encryption. Whichever provider you evaluate, ask it to document these controls rather than take them on faith.
And what about document integrity? Well, maintaining document integrity in a paper world was straightforward. The original document was typed, altered with easy to see ‘white-out,’ filed, then sent to storage and eventually destroyed. In the digital world, a simple file storage solution can’t deliver the document integrity of a VDR. The process of document sharing and due diligence is now more complicated since it must address the following issues:
- recording who created a document
- capturing all changes
- encrypting the document before sending
- tracking access
- keeping an easy-to-use archive
- controlling printing and destruction
This information must also remain accurate, unchanged, and reliable throughout the document’s life cycle. CapLinked VDR features let administrators assign document roles from view-only through authoring, and control copying, downloading and printing separately. Watermarks personalized to the viewer don’t stop a screenshot, but they make any leaked image traceable to the account that took it, which is a strong deterrent. For secure document sharing and collaboration, that combination is hard to beat.
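The integrity requirements listed above (who created a document, every change, every access, reliable for the whole life cycle) are usually met with a tamper-evident audit log. The following is an added example for this article, not CapLinked’s implementation: a hash-chained, HMAC-signed ledger in which each event stores the SHA-256 of the document as it stood at that moment and a chain value over the previous entry, so altering, reordering or deleting any past event is detected. The signing key, actors and events are all constructed for the demo.

```python
"""Tamper-evident ledger for a document's life cycle: creation, each change, each access.

Added example for this article; it is not CapLinked's implementation. Each event records
who did what, when, and the SHA-256 of the document as it stood at that moment. Each event
also carries an HMAC-SHA256 chain value computed over the previous chain value and the
event's own fields, so altering, reordering or deleting any past entry breaks every later
link and verify() reports the first bad index. The signing key and all events below are
constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In production keep it in an HSM/KMS, out of reach of the app that writes events.
SIGNING_KEY = b"constructed-demo-key-do-not-reuse"


def doc_digest(data: bytes) -> str:
    """Content fingerprint stored with every event, tying a reviewer's 'view' to one exact version."""
    return hashlib.sha256(data).hexdigest()


class DocumentLedger:
    GENESIS = "0" * 64

    def __init__(self, key: bytes = SIGNING_KEY):
        self.key = key
        self.events: list[dict] = []

    def _link(self, prev_chain: str, fields: dict) -> str:
        payload = prev_chain.encode() + json.dumps(fields, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def record(self, actor: str, action: str, document: bytes, ts: str | None = None) -> str:
        """Append an event and return its chain value."""
        fields = {
            "seq": len(self.events),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,  # create / edit / view / download / print / destroy
            "doc_sha256": doc_digest(document),
        }
        prev = self.events[-1]["chain"] if self.events else self.GENESIS
        fields["chain"] = self._link(prev, fields)
        self.events.append(fields)
        return fields["chain"]

    def verify(self) -> tuple[bool, int | None]:
        """Recompute the chain from genesis. Returns (True, None) or (False, first_bad_index)."""
        prev = self.GENESIS
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "chain"}
            if ev.get("seq") != i or not hmac.compare_digest(self._link(prev, body), ev["chain"]):
                return False, i
            prev = ev["chain"]
        return True, None

    def history(self, action: str) -> list[str]:
        """Who performed a given action, in order (e.g. everyone who printed)."""
        return [ev["actor"] for ev in self.events if ev["action"] == action]


def demo() -> dict:
    """Build a small ledger, then show that two kinds of tampering are caught."""
    v1 = b"Term sheet v1: price $10.00/share"
    v2 = b"Term sheet v2: price $9.50/share"
    ledger = DocumentLedger()
    ledger.record("alice@acme.example", "create", v1, "2024-03-01T09:00:00+00:00")
    ledger.record("bob@bank.example", "view", v1, "2024-03-01T10:15:00+00:00")
    ledger.record("alice@acme.example", "edit", v2, "2024-03-02T08:30:00+00:00")
    ledger.record("carol@zed.example", "print", v2, "2024-03-02T11:05:00+00:00")
    clean = ledger.verify()

    # Tampering 1: rewrite who printed. The HMAC over event 3 no longer matches.
    ledger.events[3]["actor"] = "nobody@example"
    edited = ledger.verify()
    ledger.events[3]["actor"] = "carol@zed.example"  # restore

    # Tampering 2: delete the edit event. Sequence numbers and links shift; caught at index 2.
    removed = ledger.events.pop(2)
    deleted = ledger.verify()
    ledger.events.insert(2, removed)

    return {"clean": clean, "edited": edited, "deleted": deleted,
            "printed_by": ledger.history("print")}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log has not been rewritten since each entry was sealed; to stop an insider with the key from re-sealing history, publish each day’s final chain value to a write-once store or a third party, exactly as a VDR’s audit reports are handed to counsel.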
Get Organized and Rest Easy with a VDR
Virtual data rooms were designed to support the vast amounts of data handled in corporate environments. Features VDRs offer to make data management more efficient include:
- numbering and indexing of documents when uploaded, helping you navigate through files
- advanced search functions for documents and files
- bulk uploads, drag/drop functionality, and compatibility with more than 25 file formats
This means you and your team can find needed documents much more quickly, giving you more time to focus on making decisions to move the deal forward.
A VDR also provides more protections for information sharing. As an administrator, you determine the following:
- who enters the virtual data room
- the files and documents individuals can access
- how long information can be viewed
- whether information can be printed or downloaded
The exposure of sensitive material is controlled (and limited). And the communication power of VDRs is unparalleled thanks to the detailed reports of VDR access, document alterations, new uploads, comments and questions that are available. These reports are also useful for any audits of your deals.
Moving Forward with VDR – and CapLinked
Your security-driven bot is nodding and smiling about your decision to use a virtual data room instead of Dropbox. The money-manager is also on board. Why? Because for a $99 monthly fee for multiple users, CapLinked’s Virtual Data Room provides strong document management, 1TB of storage, and state-of-the-art security to manage access and encryption. You might be able to make it work, but using Dropbox for due diligence doesn’t make much sense with such a compelling alternative available.
Start your free trial with CapLinked today. Have additional questions? Our team is ready to talk with you about your specific project needs, whether you need a VDR for due diligence, capital raising, or anything your team can dream up.