Are you using Dropbox or OneDrive as your client portal? Do you think your client portal is secure?
Read through the points below, then answer that question again. You may be surprised.
Having a Document Management System sitting on top of Dropbox or OneDrive as a Client Portal might sound like a good idea and an easy way to communicate and share files with your clients. If you are a small business, this may work for you. However, the pitfalls could be more costly than you realise.
In this 2-part article we will compare and discuss the following aspects:
- Authentication
- Synchronisation
- Version Control and Retention
- Integration and Automation
This first part covers Authentication and Synchronisation; the second part covers Version Control, Retention, Integration and Automation.
Let’s start with Authentication
According to the OAIC’s statistics on data breach notifications since the Notifiable Data Breaches (NDB) scheme commenced on 22 February 2018, around 60% of all reported breaches were attributed to malicious or criminal attacks, with the largest share coming from phishing and compromised or stolen credentials, largely because of the insecure nature of email. Read the full article here on Avoiding Email Attachment Hell with Nimbus.
As a result, whenever a document is shared with your client, the idea is to avoid having the file as an attachment in an email. So, a link is added in the email instead – which, from a security point of view, is one of the reasons why you are using Dropbox or OneDrive – to make your file sharing more secure, right?
But how secure is that link really? And what happens when you click on it?
This is exactly what happens:
Dropbox: You share a file with your client via Dropbox. They click on the link and… the document opens in the browser. Surprised? No, not really. It does what you expect it to do.
The truth is that it’s just as insecure as having the file attached to an email: the link is the only credential, so anyone who gets hold of the email can click on the link and open the document.
Because of this, Dropbox Business and Professional now allow you to set a password on a shared link. The problem is that you need to choose this option every single time you share a link; it is not on by default. You also need to create a password manually every time, and then find a separate way to communicate that password to the recipient (sending it in the same email as the link defeats the purpose).
None of this is ideal from a best-practice point of view, because you cannot enforce it as a standard across your entire business. People forget, and will forget, to switch on the password option. You will also end up with multiple passwords per client that need to be remembered and stored somewhere. And when a client forgets their password, they have no way to reset it themselves, creating additional support work for the business.
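Because the password option is per-link and off by default, the practical check is to audit what has already been shared. The script below is an added example, not code from this article or from Dropbox or Nimbus: it takes a JSON response shaped like Dropbox’s `/2/sharing/list_shared_links` endpoint (the field names `link_permissions`, `resolved_visibility` and `expires` are an assumption based on the public API reference) and flags every link that a policy of “client-facing links must be password-protected and must expire” would reject. The sample response is constructed inline so the script runs offline; fetching a real one needs an API token and is not done here.

```python
import json

# `.tag` values of Dropbox's resolved_visibility union (assumption: taken from the
# public API reference, not from this article). Unknown values are treated as unsafe.
TEAM_RESTRICTED = {"team_only", "no_one", "only_you"}
PASSWORD_PROTECTED = {"password", "team_and_password"}

# Constructed sample shaped like a /2/sharing/list_shared_links response.
# None of these URLs, names or accounts are real.
SAMPLE_RESPONSE = json.dumps({
    "links": [
        {".tag": "file", "name": "ClientA-Tax-Return.pdf",
         "url": "https://www.dropbox.com/s/example1/ClientA-Tax-Return.pdf?dl=0",
         "link_permissions": {"resolved_visibility": {".tag": "public"}, "can_revoke": True}},
        {".tag": "file", "name": "ClientB-Contract.docx",
         "url": "https://www.dropbox.com/s/example2/ClientB-Contract.docx?dl=0",
         "expires": "2030-01-01T00:00:00Z",
         "link_permissions": {"resolved_visibility": {".tag": "password"}, "can_revoke": True}},
        {".tag": "folder", "name": "Internal",
         "url": "https://www.dropbox.com/sh/example3/Internal?dl=0",
         "link_permissions": {"resolved_visibility": {".tag": "team_only"}, "can_revoke": True}},
        {".tag": "file", "name": "ClientC-Payslips.xlsx",
         "url": "https://www.dropbox.com/s/example4/ClientC-Payslips.xlsx?dl=0",
         "expires": "2030-06-30T00:00:00Z",
         "link_permissions": {"resolved_visibility": {".tag": "public"}, "can_revoke": True}},
    ],
    "has_more": False,
})


def audit_shared_links(response_json: str) -> list:
    """Return one finding per link that violates the policy:
    links reachable outside the team must require a password AND must expire."""
    findings = []
    for link in json.loads(response_json).get("links", []):
        perms = link.get("link_permissions", {})
        visibility = perms.get("resolved_visibility", {}).get(".tag", "unknown")
        if visibility in TEAM_RESTRICTED:
            continue  # only team members can open it; out of scope for this policy
        problems = []
        if visibility not in PASSWORD_PROTECTED:
            problems.append(f"not password protected (visibility={visibility})")
        if "expires" not in link:
            problems.append("no expiry")
        if problems:
            findings.append({
                "name": link.get("name"),
                "url": link.get("url"),
                "problems": problems,
                "can_revoke": perms.get("can_revoke", False),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_shared_links(SAMPLE_RESPONSE):
        tail = " (revocable)" if finding["can_revoke"] else ""
        print(f"{finding['name']}: {', '.join(finding['problems'])}{tail}")
```

Run against the sample it reports the two public client links and stays quiet about the password-protected one and the team-only folder. Anything it reports with `can_revoke` true is a link you can revoke and re-share with a password and an expiry.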
OneDrive: In OneDrive (Office 365 for Business), when you share a document with a client and they click on the link, Microsoft prompts them to request a verification code. They click on “Send Code” and receive a verification code at the same email address the link was sent to.
As an authentication method this is a bit better than no protection at all. However, if the first email was intercepted, intercepting the second is trivial, because it arrives through the same channel: possession of the mailbox is the only thing being proven.
In addition, once OneDrive has verified the external user via the code, it offers an option to turn OFF the verification prompt, after which documents simply open when they click on subsequent links. This leaves both the link and the document exposed to anyone who obtains the link.
The initial thinking might be that it’s easier this way, but at what cost… a potential data breach? Although OneDrive for Business has the same file sharing permissions as SharePoint, it is the verification and access security on the receiving end that is left wanting, as it uses nothing more than the email address as the verification method.
If you want your client portal to be truly secure, email cannot be the only method of identification, let alone having no security at all.
In Nimbus, you are required to log in with a unique username and password before viewing your files, with the option of adding a One-Time Password generated by an authenticator app on your mobile, which is much more secure than an emailed code. Read our article on the Power of having Multi-factor authentication here.
Let’s talk about Synchronisation
Is it possible to have synchronisation conflicts in Dropbox or OneDrive?
The short and sweet answer to this is YES.
In both applications, a conflicted copy of a file is created in the following circumstances (taken straight from the help documentation of these apps):
1. Two users change the same file at the same time,
2. Someone edits a file offline while someone else edits the same file, and
3. A file is left open on another user’s computer and is saved as a new edit; this is especially common with applications that auto-save, like MS Word or Excel.
The advice they give: “The best way to resolve a conflicted copy is to compare both versions and merge them manually.” OUCH!
And: “The next best way to avoid a conflicted copy is to move your file out of its folder while you’re working so that nobody else can access it. Once you’re done editing, you can move the file back into its original location.” Yes, you’ve read that right (LAUGHS).
The underlying problem with synchronisation is that whenever a document is synced to another device, another copy of the document is created. It is NOT the SAME document anymore, but a separate copy that can diverge from it. The only authoritative version is the one on the server in the cloud.
Essentially, there are 4 copies of the same document floating around:
1. In your Cloud Document Management (CDM) system, where it originated.
2. In the 3rd party app, e.g. Dropbox or OneDrive.
3. A copy on your local PC.
4. A copy on your client’s PC.
In Nimbus, there is only one fully versioned document (i.e. the original) and thus one version of the truth. We call this the Common Document principle. Publishing to the Client Portal simply exposes this common document, and all changes are managed through an automatic check-out and locking facility, which makes synchronisation conflicts virtually impossible.
Stay tuned for our second article coming soon, where we will be talking about Version Control, Retention, Integration and Automation.
If you would like to upgrade your Client Portal experience and see a product demo of Nimbus, please contact us below.