Pub. 8 2013-2014 Issue 2

www.nebankers.org 18 Extraordinary Service for Extraordinary Members. T he number of banks providing iPads to their boards of direc- tors for use duringmeetings has significantly increased over the last two years. Compared to printing and mailing board packets, using an iPad to access electronic documents is a great timesaver, and it reduces paper waste. Since iPads do not have large- scale document storage capability, the risks related to losing an iPad or having it stolen and exposing confidential cus- tomer or organizational information are pretty low. Thus, providing iPads to board members seems like a nice solution. I recently began using an iPad inmy business and discovered that services likeDropbox canmake a huge improve- ment in efficiency. I was already using Dropbox to efficiently share video tes- timonials withmy marketing resource, but nothing much beyond that. How- ever, when I began to realize the full power of the service and the capability to store and share information with colleagues, I was deeply disturbed by the lack of security in Dropbox. Dropbox and services like it are a type of cloud storage. When informa- tion is placed into Dropbox, the orga- nization loses control over the security of that document. If an organization is using Dropbox as the storage location for the board packet, allowing access to that location with iPads, and providing any sensitive customer or client infor- mation in the packet, the security of that information is at risk. Dropbox was created with a con- sumer focus so that individuals can easily share and create backups of information. It was not designed with security as the main feature nor was it intended to be used by organizations to store and manage sensitive infor- mation. In the last couple years, Dropbox has had multiple security issues, in- cluding an authentication problem that allowed anyone to log into any account with any password for a pe- riod of four hours. The potential for cross-zone scripting also exists, which would allow malicious JavaScript to redirect users to a malicious website without the user knowing it. While several security patches have fixed Dropbox vulnerabilities in 2013, other security features such as multifactor authentication—which were promised in response to the security issues last year—were not available at the time this article was written. So while I love efficiency as much as the next person and clearly understand the value of using Dropbox, putting sensitive customer information into the cloud is extremely risky. If iPads are being used to share board packets, I strongly recommend that the infor- mation is scrubbed of any sensitive customer information before sending it to Dropbox. In the event it is not possible to scrub documents of sensitive informa- tion, some additional protection such as encryption should be put in place. It is important to note that IT security experts know that extra protections can and will be circumvented at some point, so the only way to really keep Do You Store Confidential Customer Information in Dropbox? Denise Mainquist , ITPAC Consulting