If you’re launching the due diligence process for your firm’s next (or first) acquisition, you may be wondering if using Dropbox for due diligence is okay. Have you been tasked with managing your company’s capital-raising initiative and need a way to share sensitive information? If so, then your “to-do” list probably includes finding a solution for managing all the documents involved in these activities.
Is Dropbox Secure? History Says No
In 2016, file hosting site Dropbox was hacked. Millions of people had their login credentials exposed, which prompted the company to reset all passwords going back four years. After learning about a set of emails and passwords that was stolen from their servers in 2012, it wasn’t until 2016 that the true impact of the hack would materialize, and the hack was much, much bigger than the company originally admitted.
When the Vice-owned tech publication Motherboard reported on the incident, they were in possession of the hack’s loot, some 68 million account records. Confirmed by security researchers within days, the hack was the biggest in Dropbox’s history, and it illustrated the danger of hosting sensitive material on the growing platform.
Unlike a secure VDR, or virtual data room, which holds your files under multiple layers of security and round-the-clock surveillance that can’t be matched by larger, cloud-based solutions intended for the masses, Dropbox left a dormant hack that they knew about sit unaddressed for years while hackers manipulated the data.
By September, the hack’s five gigabytes of data that included email addresses and hashed passwords were for sale on the dark web for the cost of two bitcoins, or the equivalent of about $1,200 at the time. Even today, information stolen from Dropbox can be cross-referenced on sites like haveibeenpwned.com, which allows you to enter an email address to see if an account has been compromised in one of the many data breaches from various tech companies over the years.
But what took most people by surprise during the 2016 Dropbox fiasco was that while the company had announced that an attack had occurred in 2012, the scope of it was seemingly kept under wraps for years. If they could stay silent on a hack of this magnitude, the reasoning goes, how can they be trusted to keep your documents and account information safe?
It’s a legitimate concern, and it’s precisely why secure VDRs exist — to enable secure document collaboration and review while strictly controlling user access and permissions. After all, users are creatures of habit, and reused passwords are common, so the exposure at one platform can mean the risk of a data breach across other platforms, particularly if the same password is used. Ironically, it’s exactly this kind of data breach that led to Dropbox’s 2012 hack, where an employee’s reused password was hacked from another breach and used to gain entry to Dropbox.
Dropbox explains that the “security of your data is our highest priority,” but we say it doesn’t even come close. Dropbox has a history of hacking incidents going back years, and all the encryption in the world won’t help if an account is compromised or if Dropbox complies with a data request to share sensitive information, which they have been known to do. While most people think that hacking is about typing on a keyboard until you magically gain entry, most experienced hackers know that the best way to gain access to a database or file is more social than technical. Compromising and resetting someone’s password is much easier and typically more fruitful than brute-forcing your way through a login, which is exactly what led to Dropbox’s 2012 hack.
Further illustrating their issues with security, Dropbox in their help section provides a link to contact support for users that have been compromised or hacked. For security researchers, Dropbox suggests reporting any issues to the third-party service HackerOne, which pays hackers to identify security issues with businesses’ online tools and services. Dropbox asks for “reasonable time” to respond before making any issue public, and also asks the researchers to refrain from accessing or modifying user data they happen to come across.
Dropbox’s Security Flaws
Let’s have a look at some of Dropbox’s features — or lack thereof — that make it a poor choice when security is a concern.
Sharing Via Publicly Accessible Links
Dropbox accounts can be accessed from anywhere using a computer, tablet, or phone. Worse yet, files that have intentionally or inadvertently been switched to “public” can be accessed by anyone with the link, regardless of whether they even have a Dropbox account, which greatly limits the forensic abilities of anyone trying to determine who has accessed a particular file or folder.
So even though Dropbox encrypts files with 256-bit AES encryption and utilizes SSL and TLS security protocols, if someone has a login or a public URL to a sensitive file, you won’t be able to prevent their unauthorized access.
No Client-Side Encryption
Furthermore, Dropbox admits that they provide neither client-side encryption nor the creation of private keys; however, the company does allow users to add their own additional layer of encryption if they wish.
Of course, enterprise users of a file-sharing platform would not know how to encrypt their data or communications, so they would need to engage their company’s IT resource in order to do so, incurring additional expenses for the organization.
Not Robust Enough for Enterprise Use
Dropbox is secure for individual use. The company uses the latest encryption protocols for storage and data in transit, offers an optional two-step verification layer, and regularly tests its infrastructure for security vulnerabilities.
However, for sensitive data, there’s really no match for a dedicated secure file management platform. Enterprise-level VDRs provide a much higher level of security than you’ll get with any consumer-level product. Many VDRs come with secure data management capabilities, which allow you to define the timing and availability of any sensitive document or folder.
Additional features, such as personalized watermarks or tools that allow for redaction, block copying, printing, or saving, further enhance the security measures of a VDR. These features are not available through Dropbox.
Lack of Customer Service
The most important piece may well be customer service. With Dropbox, Google Drive and Box.com, as well as other cloud-based solutions, you won’t be able to pick up the phone and talk to anyone about your account. If they have any sort of customer service, it’s likely a lengthy ticket-based system, which could take days or weeks to resolve any issue, and that’s if you get a response at all.
On the other hand, a secure VDR often includes live support and a data room project manager, which all help to ensure that your data is appropriately secure and available, and can help teach you how to better use the system to maximize your organization’s security. Compared to Dropbox’s “you figure it out,” it’s a welcome line of assistance that can help you and your team get up to speed in a secure and safe manner. If there are any issues, you’ll also appreciate the 24/7 live support and, for crucial accounts, direct access to local reps and affiliates.
Highly Secure File Sharing Platform: Virtual Data Room
Unlike Dropbox, which was developed for consumers to easily share and store files and then retrofitted to appeal to business customers, VDRs originated as business storage solutions. VDRs are robust enough to support due diligence activities carried out in support of a financial transaction, such as a capital raise. Physical security and document integrity features are built into the framework of VDRs.
This business-first perspective takes into account the likelihood of multiple users — with unique access requirements — in the virtual data room. Professional vendors like Caplinked offer a VDR that is less expensive than the per-user rate charged by Dropbox, Google Drive or other file sharing sites.
What do we mean by physical security? Top-notch secure VDR suppliers like Caplinked use data centers protected by skilled personnel, surveillance, backup generators and backup servers to ensure data protection and continuous access. Digital security measures are also robust, with multiple firewalls and the latest encryption software available. Smaller cloud and document hosting solutions aren’t currently providing these safeguards.
And what about document integrity? Maintaining document integrity in a paper world was straightforward. The original document was created, printed, copied and shared with authorized personnel in one or more controlled locations. Once it was no longer needed, it was filed away or sent to storage and eventually destroyed.
In the digital world, a simple file storage or cloud hosting solution can’t deliver the document integrity of a VDR. The process of document sharing and due diligence is now more complicated, since it must address the following issues:
- recording who created a document
- capturing all changes, by contributor and with time stamps
- encrypting the document before sharing or sending
- tracking access
- keeping an easy-to-use archive
- controlling printing and destruction
If any of these considerations is ignored, the document could end up in the wrong hands, compromising the privacy of the information. As such, documents must be properly accessible throughout the life cycle of a transaction. Caplinked VDR features let administrators restrict document roles from viewer-only to authoring. Copying, downloading and printing authority can also be controlled. Watermarks can be used to protect against unauthorized screenshots. There’s no better solution for secure document sharing and collaboration.
Dropbox vs. Virtual Data Room: Advantages and Disadvantages
Perhaps the biggest advantage to using Dropbox is its ubiquity: Many have heard of it and have perhaps been asked to use it at other companies. It has brand awareness and many people who need document sharing generally understand what Dropbox is and what it is capable of doing.
However, its weak security and lack of features make it a poor choice for investors and others involved in complex financial and legal transactions.
A VDR is a separate platform where documents cannot be commingled as they can be via the Dropbox app. The security of the VDR platform may at first seem like a deterrent to its use, but users will understand that this is a necessary precaution to safeguard the privacy and integrity of the documents.
Benefits of a Virtual Data Room
Virtual data rooms were designed to support the vast amounts of data handled in corporate environments. Features VDRs offer to make data management more efficient include:
- Numbering and indexing of documents when uploaded, helping you navigate through files
- Advanced search functions for documents and files
- Bulk uploads, drag/drop functionality, and compatibility with more than 25 file formats
This means you and your team can find needed documents much more quickly, giving you more time to focus on making decisions to move the deal forward.
A VDR also provides more protections for information sharing. As an administrator, you determine the following:
- Who enters the virtual data room
- The files and documents individuals can access
- How long information can be viewed
- Whether information can be printed or downloaded
The exposure of sensitive material is controlled (and limited). And the communication power of VDRs is unparalleled, thanks to the detailed reports of VDR access, document alterations, new uploads, comments and questions that are available. These reports are also useful for any audits of your deals.
Why You Should Use Virtual Data Rooms for Due Diligence
A company usually conducts due diligence before entering into an agreement with another company. Minimizing risk for all parties involved, due diligence for any transaction requires a thorough review of the company or investor’s background and business activities.
For private equity transactions, due diligence can involve two scenarios:
- Due diligence on the part of the private equity fund in evaluating a company in which it seeks to make an investment.
- Due diligence on the part of investors or consultants when screening PE funds in which they plan to make an investment or make a recommendation to clients to make an investment.
As such, the documentation involved can be quite extensive, covering the following areas:
- Business plan
- Legal and capital structure, including equity ownership
- Company financial statements
- Operating expenses and liabilities
- Technology and IP
- Employee information, including salaries and skills
- Descriptions of product or service lines
- Sales, including existing customers and projections
- Marketing plans
- Documents of physical assets owned or leased
Dozens of documents can easily tally up to thousands of pages, all needing to be hosted and accessed by the parties involved in due diligence. The volume and complexity of hosted documents require an enterprise-grade platform purpose-built with the needs of financial and legal professionals in mind.
Moving Forward with VDR – and Caplinked
Your security-driven bot is nodding and smiling about your decision to use a virtual data room instead of Dropbox. The money-manager is also on board. Why? Because for a $99 monthly fee for multiple users, Caplinked’s Virtual Data Room provides strong document management, 1TB of storage, and state-of-the-art security to manage access and encryption. You might be able to make it work, but using Dropbox for due diligence doesn’t make much sense with such a compelling alternative available.
Start your free trial with Caplinked today. Have additional questions? Our team is ready to talk with you about your specific project needs, whether you need a VDR for due diligence, capital raising, or anything your team can dream up.
Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, Jake covers such topics as security, mobility, e-commerce and IoT.