If you’re launching the due diligence process for your firm’s next (or first) acquisition, or are tasked with finding ways to share sensitive information within or outside your company, you may be wondering: Is Dropbox secure?
Chances are, you’ve evaluated multiple file-sharing platforms. Certainly, Dropbox is a well-known platform and a market leader in file storage and sharing. But that doesn’t necessarily mean it’s the best choice for your enterprise-level file-sharing needs, especially when it comes to M&A due diligence reports and other proprietary information requiring maximum security.
Can Dropbox Be Hacked?
Like many websites, Dropbox uses AES 256-bit data encryption for stored data and AES 128-bit encryption for data in transit. But, in its history, Dropbox has been hacked a concerning number of times.
In 2011, an error allowed anyone to access any Dropbox with only the original user’s email address. The error was fixed within four hours.
The next incident occurred in 2012, when a breach at Dropbox leaked the emails and passwords of more than 68 million users, Cloudwards.net reported. However, it wasn’t revealed until 2016 that the Dropbox leak also included passwords.
Security notification service Leakbase discovered the leaked passwords and reported the breach to Vice.com. However, passwords protected with the hashing function bcrypt (which builds on an encryption cipher to produce salted hashes that are very hard to crack) were likely not accessible to hackers, and the Dropbox dump was reportedly not listed on any of the dark web sites that share such data.
Dropbox Hacks: Silence Is Not Golden
Dropbox left a dormant hack that they knew about sitting unaddressed for years while hackers manipulated the data. If the company could stay silent on a hack of this magnitude, the reasoning goes, how can they be trusted to keep your documents and account information safe?
It’s a legitimate concern, and it’s precisely why secure Virtual Data Rooms, or VDRs, exist to enable secure document collaboration and review while strictly controlling user access and permissions. A VDR protects your files under layers of military-grade security and round-the-clock surveillance that can’t be matched by larger, cloud-based solutions intended for the masses.
After all, reused passwords are common, so exposure on one platform can mean the risk of a data breach across other platforms. This kind of data breach led to Dropbox’s 2012 hack, where an employee’s reused password was compromised from another breach and used to gain entry to Dropbox.
Dropbox’s Security Flaws
Let’s have a look at some of Dropbox’s features — or lack thereof — that make it a poor choice when security is a concern.
Sharing Via Publicly Accessible Links
Dropbox accounts can be accessed from anywhere using virtually any device connected to the internet. Files that have intentionally or inadvertently been switched to public can be accessed by anyone with the link, regardless of whether they even have a Dropbox account. This feature greatly limits the forensic abilities of anyone trying to determine who has accessed a particular file or folder.
These features open the door for human behavior and simple errors to compromise files — something that even Dropbox’s 256-bit AES encryption, SSL, and TLS security protocols can’t protect against.
No Client-Side Encryption
Furthermore, Dropbox admits that they provide neither client-side encryption nor the creation of private keys; however, the company does allow users to add their own additional layer of encryption if they wish.
Of course, enterprise users of a file-sharing platform would not know how to encrypt their data or communications, so they would need to engage their company’s IT resource in order to do so, incurring additional expenses for the organization.
Not Robust Enough for Enterprise Use
Dropbox is secure for individual use. The company uses the latest encryption protocols for storage and data in transit, offers an optional two-step verification layer, and regularly tests its infrastructure for security vulnerabilities.
However, for sensitive data, there’s really no match for a dedicated secure file management platform. Enterprise-level VDRs provide a much higher level of security than you’ll get with any consumer-level product. Many VDRs come with secure data management capabilities, which allow you to define the timing and availability of any sensitive document or folder.
Lack of Customer Service
Enterprise-level users often have greater customer service demands. If there’s a problem, or even if you just want additional training on a specific feature, you want to speak with an account manager or customer service representative immediately. Most cloud-based, consumer-oriented solutions do not provide an account manager who is available by phone. The best you may find is a chat function on the website. There is, however, a phone number for reaching sales at Dropbox.
A secure VDR, by comparison, typically includes live support and a data room project manager, both of which will help ensure that your data is appropriately secure and available. These layers of support can also help teach you how to better use the system to maximize your organization’s security (to avoid those pesky human security breaches). If there are any issues, you’ll also appreciate the dedicated support from your customer success manager every step of the way.
Is Dropbox More Secure than Email?
Dropbox’s security does not compare to a VDR for enterprise-level data storage and file-sharing.
But one thing can be said: It is most likely more secure than email for transmitting sensitive data. Even Gmail, one of the largest and most popular email services, does not use client-side encryption. Your data is protected while it is in transit, but not when it is stored. Google’s assertion that Gmail “automatically encrypts your outgoing emails if it can,” seems like a weak statement with no assurances of security.
Highly Secure File Sharing Platform: Virtual Data Room
VDRs originated as a business storage solution — and the same can’t be said for Dropbox, which was developed for individual consumers and then retrofitted for enterprise work. VDRs are robust enough to support due diligence activities carried out in support of a financial transaction, such as a capital raise. Physical security and document integrity features are built into the framework of VDRs.
Because they are built for business, VDR platforms take into account the likelihood of multiple users that may all need unique access requirements and permissions. Professional vendors like Caplinked offer a VDR that is less expensive than the per-user rate charged by Dropbox, Google Drive, or other file sharing and FTP alternative sites.
Physical Security and VDRs
What do we mean by physical security? Top-notch secure VDR suppliers like Caplinked use data centers protected by skilled personnel, surveillance, backup generators, and backup servers to ensure data protection and continuous access. Digital security measures are also robust, with multiple firewalls and the latest encryption software available. Smaller cloud and document hosting solutions aren’t currently providing these safeguards.
And what about document integrity? Maintaining document integrity in a pre-digital world was straightforward. The original document was created, printed, copied, and shared with authorized personnel in one or more controlled locations. Once it was no longer needed, it was filed away or sent to storage and eventually destroyed.
In the digital world, however, a simple file storage or cloud hosting solution can’t deliver the security and integrity of a VDR. The process of document sharing and due diligence is now more complicated since it must address the following issues:
- Recording who created a document
- Capturing all changes, by contributor, and with time stamps
- Encrypting the document before sharing or sending
- Tracking access
- Keeping an easy-to-use archive
- Controlling printing and destruction
If any of these considerations are ignored, the document could end up in the wrong hands, compromising the privacy of the information. As such, documents must be properly accessible throughout the life cycle of a transaction.
Caplinked’s VDR features let administrators restrict document roles from viewer-only to authoring. They can also control copying, downloading, and printing authority. Watermarks can be used to protect against unauthorized screenshots. There’s no better solution for secure document sharing and collaboration.
Dropbox vs. Virtual Data Room: Advantages and Disadvantages
Perhaps the biggest advantage to using Dropbox is its ubiquity: Many have heard of it and have perhaps been asked to use it at other companies. It has brand awareness and many people who need document sharing generally understand what Dropbox is and what it is capable of doing.
However, its weak security and lack of features make it a poor choice for investors and others involved in complex financial and legal transactions.
A VDR is a separate platform where documents cannot be comingled as they can be via the Dropbox app. The security of the VDR platform may at first seem like a deterrent to its use, but users will understand that this is a necessary precaution to safeguard the privacy and integrity of the documents.
Benefits of a Virtual Data Room
Virtual data rooms were designed to support the vast amounts of highly sensitive data handled in corporate environments. Features VDRs offer to make data management more efficient include:
- Indexing of documents when uploaded, helping you navigate through files.
- Advanced search functions for documents and files.
- Bulk uploads, drag/drop functionality, and compatibility with most file formats.
A VDR also provides more protection for information sharing. As an administrator, you determine the following:
- Who enters the virtual data room
- The files and documents individuals can access
- How long information can be viewed
- Whether information can be printed or downloaded
All of this means that the exposure of sensitive material is controlled and limited. And the communication power of VDRs is unparalleled, thanks to the detailed reports of VDR access, document alterations, new uploads, comments, and questions that are available. These reports are also useful for any audits of your deals.
Why You Should Use Virtual Data Rooms for Due Diligence
A company usually conducts due diligence before entering into an agreement with another company. Minimizing risk for all parties involved, due diligence for any transaction requires a thorough review of the company or investor’s background and business activities.
For private equity transactions, due diligence can involve two scenarios:
- Due diligence on the part of the private equity fund in evaluating a company in which it seeks to make an investment.
- Due diligence on the part of investors or consultants when screening PE funds in which they plan to make an investment or make a recommendation to clients to make an investment.
As such, the documentation involved can be quite extensive, covering the following areas:
- Business plan
- Legal and capital structure, including equity ownership
- Company financial statements
- Operating expenses and liabilities
- Technology and IP
- Employee information, including salaries and skills
- Descriptions of product or service lines
- Sales, including existing customers and projections
- Marketing plans
- Documents of physical assets owned or leased
Dozens of documents can easily tally up to thousands of pages, all needing to be hosted and accessed by the parties involved in due diligence. The volume and complexity of hosted documents require an enterprise-grade platform purpose-built with the needs of financial and legal professionals in mind.
Moving Forward with a VDR and Caplinked
Your security-driven bot is nodding and smiling about your decision to use a virtual data room instead of Dropbox. The money manager is also on board. Why?
Because for $149 in the first month and a monthly fee of only $299 for multiple users, Caplinked’s Virtual Data Room provides strong document management, 5GB of storage (while our customizable Enterprise plans can offer 1TB of storage), and state-of-the-art security to manage access and encryption. You might be able to make it work, but using Dropbox for due diligence doesn’t make much sense with such a compelling alternative available.
Start your free trial with Caplinked today. Have additional questions? Our team is ready to talk with you about your specific project needs, whether you need a VDR for due diligence, capital raising, or anything your team can dream up.