A long time ago, in a life far away—November 2012—I wrote a Dropbox 101 post for Attorney at Work. Commenter Jeffrey Brandt suggested a “Dropbox 102” version to address security issues when sharing data in the cloud. It was a good suggestion, so here it is.
Now, I tend to be in the camp that takes the position that the only way to fully maximize security is not to use the Internet. At all. For anything. In the past few weeks, we’ve all seen how many of the biggest players have suffered security breaches: Microsoft, Facebook, the New York Times and Washington Post, Tumblr and more. If you are connected to the Internet (and at this point, it’s impossible not to be), you’re vulnerable.
The best you can do is take all necessary steps to reduce vulnerability as much as possible. Fortunately, there are some ways to work with Dropbox and other cloud services that will increase security and reduce the vulnerability of your cloud-based data.
Set a Secure Password
Dropbox is not the place to use a weak password. Don’t make it easy for a snooper to guess by using a dictionary word, your name or any other information associated with you. Yes, it’s a pain to remember yet another password, but think of the negative consequences of confidential client information making it out into the wild. That thought should be enough to convince you to use a strong password—one that’s not used to log into any other online account. Eight-character passwords no longer cut it—instead, go for a password with the following:
- A minimum of 16 characters
- A combination of numbers, symbols, uppercase letters, lowercase letters and spaces
- No repeated words, no dictionary words (alone), no names (including spouses, kids or pets)
So how do you remember such a password? The easiest way is to use a phrase memorable to you. For example, “I can’t wait to retire and weed and garden all the day long!” becomes “Icw2r&w&gatdl!” if you use the first letter of each word and swap in a few symbols where appropriate to the meaning.
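The three rules in the list above, and the first-letter method, can be checked mechanically. The Python below is an added example, not part of the original article. The function names, the constructed sample word and name lists, and the reading of "dictionary words (alone)" as "the password's only word is a listed word" are assumptions.

```python
import re
from collections import Counter

MIN_LENGTH = 16  # the article's minimum
# Constructed sample lists (assumption); a real check would use a full
# dictionary and the names of the account holder's own family and pets.
SAMPLE_WORDS = {"password", "dropbox", "garden", "retire"}
SAMPLE_NAMES = {"vivian", "rex"}
CLASSES = {
    "number": r"[0-9]",
    "symbol": r"[^A-Za-z0-9\s]",
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "space": r" ",
}

def mnemonic(phrase, swaps=None):
    """First letter of each word, with whole-word swaps such as to -> 2."""
    swaps = swaps or {"to": "2", "and": "&"}
    out = []
    for word in phrase.split():
        core = word.strip("!?.,;:")
        if core:
            out.append(swaps.get(core.lower(), core[0]))
    tail = phrase.rstrip()[-1:]
    if tail and tail in "!?.":
        out.append(tail)  # keep the sentence's closing punctuation
    return "".join(out)

def check_password(pw, words=SAMPLE_WORDS, names=SAMPLE_NAMES):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"length {len(pw)} is under {MIN_LENGTH}")
    for label, pattern in CLASSES.items():
        if not re.search(pattern, pw):
            problems.append(f"no {label}")
    tokens = Counter(t.lower() for t in re.findall(r"[A-Za-z]+", pw))
    for tok, n in sorted(tokens.items()):
        if n > 1 and len(tok) >= 3:
            problems.append(f"repeated word: {tok}")
        if tok in names:
            problems.append(f"name: {tok}")
    # Assumed reading of "dictionary words (alone)": one listed word plus padding.
    if len(tokens) == 1 and next(iter(tokens)) in words:
        problems.append(f"dictionary word alone: {next(iter(tokens))}")
    return problems
```

Run on the article's example, `check_password(mnemonic(...))` reports a length of 14 and no space, so a longer phrase, or spaces between groups of letters, is needed to meet the list above.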
Enable Two-Factor Authentication
Two-factor authentication increases login security because it requires you to use something more than just your login credentials (your account name and password). That means if someone else obtains your login credentials, that person still won’t be able to access your Dropbox account. For Dropbox users, two-factor authentication requires both your login credentials and your mobile phone for receiving a text message with a six-digit code that you’ll also use as part of the sign-in process. So unless someone grabs both your login credentials and your phone (which also is password-protected, right?), they won’t be able to access your account.
For instructions, see Dropbox’s help article, “How do I enable two-step verification on my account?” And take this advice: Once you’ve enabled two-factor authentication on your desktop computer, be sure to check the “Trust this Computer” option, so you don’t have to use the second factor (six-digit code) every time you log into Dropbox from your own desk!
You should be using two-factor authentication everywhere it’s available. Here’s a list from Lifehacker with helpful info: “Here’s Everywhere You Should Enable Two-Factor Authentication Right Now.”
Password-Protect Microsoft Office and Adobe Acrobat Files
Microsoft Office and Adobe Acrobat will let you password-protect files created with their software. (Other programs will as well, so if you are working with something besides Office and Acrobat, investigate the software’s ability to password-protect a file.) Plus, with Office 2010 files, password protection actually encrypts the protected file.
So if you aren’t encrypting your Dropbox, you can at least password-protect the sensitive files stored there. All too often, people overlook their software’s ability to password-protect files on a one-off basis. If a file is password-protected and unauthorized persons gain access to Dropbox, they won’t be able to open the file unless they also crack that password. Share the password with your client verbally prior to sharing files using Dropbox.
- To password-protect an MS Office 2010 file, read How to Password Protect and Encrypt Microsoft Office 2010 Documents.
- To password-protect an Adobe Acrobat file, read Securing Documents with Passwords.
As an aside, this is also a good practice for emailed files. Lawyers freely exchange documents as email attachments, essentially making a “postcard” of those documents. In general, people seem pretty lax about their email—a password-protected document will provide some protection.
Encryption Tips
This is where everyone’s eyes either glaze over or widen in terror, but encryption is a necessary fact of life when dealing with sensitive data. At its simplest, encryption is the encoding of data so that the data looks like gibberish to anyone who doesn’t have the secret decrypting key. In other words, even if a bad guy gets your file and opens it, no useful data can be retrieved from it unless the bad guy also has the secret key.
It’s important to understand that Dropbox does now encrypt data at its end, but there are additional ways to ensure that your files are encrypted before they head from your computer to the Dropbox website and sync with other connected computers. Some alternatives are:
- Secret Sync
- BoxCryptor
- TrueCrypt
A couple of caveats here: Unless you are very technically inclined, it’s best to grab your techie to help you through setting up and using the encryption process. Dropbox does not officially support third-party encryption and its discussion forums attest to this. Also, if you attempt to open the encrypted container on more than one computer at the same time, you risk losing all the contained data. So you need to know what you’re doing, and you’ll also need to help your clients understand the encryption process if you share data with them using Dropbox.
“Power User” columnist Vivian Manning is the IT Manager at Barriston Law LLP in Barrie, Bracebridge and Cookstown, Ontario. Prior to moving into IT, Vivian practiced law at Barriston (formerly Burgar Rowe PC) primarily in the area of Municipal Land Development, with 17 years in private practice before switching to the IT side of the law office. She currently indulges her love of teaching tech through her blog Small City Law Firm Tech, where she provides “tips of the day.” Follow her on Twitter @vivianmanning.