Why Insecure File-Sharing Apps Are Not Worth the Risk for Your Board

The allure of public file-sharing apps is nearly irresistible. They keep the board from sending documents as entirely unprotected attachments to emails. They cost very little, if they cost anything at all. They store data where anybody on a non-local team can access it. They keep confidential information off the district network, which typically has low firewalls and amateur users who might make mistakes toggling between important documents and internet sites. But there's a catch: Your sensitive board information becomes a soft target for cybercriminals. No school board can afford the risk to which file-sharing apps expose their confidential information. Are file-sharing apps really dangerous? After all, some of these apps encrypt data, and most require multi-factor authentication (MFA), certainly high standards of security. Alas, all that glitters is not gold. While some apps offer full 256-bit encryption, others offer only lackluster 128-bit encryption. While MFA beats a single password, it does no good when the verifying credentials are stored unprotected in the same place as the data itself. And no amount of encryption or password protection can come to the rescue as data makes multiple stops on its way to the cloud, where file-sharing apps store data. Nor can it make the cloud itself a safe place to stay. As a result, data on file-sharing apps can fall prey to any of the following disasters:

1. Loss of Data Control. Data Insider warns that lower privacy standards are a possibility once data is stored on the cloud. 'When using third-party file sharing services,' data security consultant Mauricio Prinzlau writes, 'the data is typically taken outside the company's IT environment, and that means that the data's privacy settings are beyond the control of the enterprise.'
2. Loss of Control of Data en Route to the Cloud. Data stored on a file-sharing app makes numerous stops on its way to the cloud. At any of these data depots, cybercriminals can steal or corrupt data, charging a hefty ransom for its restoration.
3. Phishing and Hacking Attacks. 'If attackers gain access to a user's credentials,' Prinzlau cautions, 'they can eavesdrop on activities and transactions, manipulate data, return falsified information and redirect clients to illegitimate sites.' Such attacks are relatively easy to pull off because file-sharing apps store identification credentials on the cloud, where even an amateur can break into them. According to computer expert Matt Smith, getting data off the cloud is the only solution: 'Phishing attacks, hacked servers and compromised WiFi aren't a concern for people who don't host their data in the cloud.'
4. Data Leakage. When organizations decide not to store data on the cloud, it is usually because they're rightly afraid of data leaked. According to a Netskope survey, a full 15% of businesses using cloud storage had experienced a data leak.
5. Denial-of-Service Attacks. With information lifted from the cloud, a hacker can launch a high volume of traffic to the school board's system. As a result, stored documents can become entirely inaccessible.
6. Data Loss. Cloud service providers can accidentally delete data. A physical catastrophe like a fire can also eradicate data permanently, as file-sharing apps do not provide redundant storage in multiple locations.
7. Deliberate Privacy Violations. File-sharing app companies have full access to the data they store for you, and your board is not their only paying customer. That conflict of interest can result in your data's being sold to vendors behind closed doors. In that case, the betrayed client does not have a leg to stand on legally, as the file-sharing arrangement brings with it ambiguous ownership of your own data.

With Google Docs, for instance, there's no guarantee that data will not be sold. Though their FAQ page says that clients retain all ownership rights, Sec. 11.1 of their Terms of Service says otherwise: 'You give Google a worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post, or display on or through the Service for the sole purpose of enabling Google to provide you with the Service in accordance with its Privacy Policy.'

8. Shared Technology Vulnerabilities. Documents stored on the cloud may be commingled with other files, so that bugs in one client's documents may infect those of its neighbors. Smith explains that 'underlying components that comprise the infrastructure supporting cloud services deployment may not have been designed to offer strong isolation properties for a multi-tenant architecture or multi-customer applications.' For attackers seeking bugs to exploit, multi-tenancy in the cloud means that 'systems from various organizations are placed close to each other and given access to shared memory and resources, creating a new attack surface.'

Neighboring data is not the only source of contagious vulnerabilities. Every user who accesses data on the cloud introduces that data to any bugs in the computer used to gain access.

9. Loss of Control of Access Management. CSO Online warns: 'Bad actors masquerading as legitimate users, operators, or developers can read, modify and delete data; or release malicious software that appears to originate from a legitimate source.'

While safer than storing data onsite or attaching it to emails, using file-sharing apps creates security risks that are intolerable for school boards handling confidential information as a routine part of doing business. The smart money seeks out the only way to keep precious data secure: storing it on a secure board portal with full 256-bit encryption, with storage on a private, cloud-based server ' not on the cloud itself. If file-sharing apps seem too good to be true, it's because they are.