Prepare yourself for more Dropbox-like security disasters

Customer confidence could collapse as competitive cloud contestants cut corners.

Disillusionment looms for cloud computing. (Gartner Hype Cycle image used with permission.)

With claims that US presidential candidate Mitt Romney's Dropbox account was hacked earlier this month, it's time for a reminder about the security risks of cloud storage.

The Romney hack, if it actually happened, could well be down to him or his team choosing an easy-to-guess answer to the supposedly secure secret question. But almost exactly a year ago, there was a far more serious security problem with Dropbox.

A failure left all 25 million Dropbox customers' files exposed for four hours. It's exactly the sort of cloud security scare story I reckon we'll be seeing a lot more often.

Business is now sold on the benefits of cloud computing. Cloud migration seems to be an assumed part of most organisations' IT strategies. Why wouldn't it be, given the convenience and cost savings?

But cloud computing is an incredibly competitive arena. Some companies are bound to cut corners. Some won't even know they should've built the corners in to begin with. And as Dean Kingsley, who heads Deloitte's technology risk practice in Sydney, said last year, we've seen too much cloud-washing, which he defined as "people over-selling and over-hyping the benefits of the cloud, or misusing the word 'cloud' to describe anything in IT so you can sell it."

We now have enough cloud vendors with enough customers for the inevitable occasional security glitch to get significant media coverage. And once the media latches onto a theme, well, every new incident is further proof, isn't it!

This is all unfolding along the timeline predicted by Gartner's Hype Cycle for Cloud Computing 2011. Cloud computing as a whole has passed the "peak of inflated expectations" and is now plunging into the "trough of disillusionment" as reality bites.

The challenge for cloud providers will be convincing customers that the risks of the cloud don't outweigh the benefits — risks including the exposure of your data through incidents exactly like Dropbox's.

That'll be tough. According to Symantec's 2011 SMB File Sharing Survey, based on data collected in November but released this week, security and data loss were seen as the most significant potential risks with file sharing services.

(Standard caveat for vendor-sponsored surveys that may be inaccurate and self-serving: Symantec's report was based on interviews with 1325 organisations across 3 countries, giving a margin of error of around 3 percentage points — unless you start slicing up the data cubes.)

Files are getting bigger. SMBs are becoming more distributed. Symantec reckons 41 per cent of surveyed organisations said that failing to share a large file quickly would lead to loss of customer consequence and damage their brand's reputation. Cloud-based file sharing looks like a winner.

But it's employees who are influential in adopting these technologies, not IT departments. Only 51 per cent of organisations believed that employees would ask IT for help before setting up file sharing, reports Symantec.

When IT departments choose cloud services, they quite rightly consider security and compliance issues as well as price and convenience. Employees, not so much. You can expect a goodly few employees to put confidential business data onto consumer-grade services, creating a data loss time bomb.

Meanwhile Sophos' new report, The Future of Network Security (N=571 across 5 countries, margin of error 4 percentage points) says that the growing use of cloud services is the most important security challenge for SMBs.

A perfect storm seems to be brewing...

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian


Comments

Jeremy Kraybill

1

Not sure I see your point. The Dropbox incident resulted in better security measures at Dropbox, and gave the Dropbox enterprise competitors higher security priorities. So it lowered the likelihood of the "time bomb" you nebulously allude to.

There are plenty of reasons to exercise caution and good judgement when moving to cloud services; it would be cool to see articles constructively helping people make appropriate decisions instead of just telling us the sky is falling. Because it isn't; cloud is exploding and isn't even close to the trough of disillusionment. The Gartner hype cycle is not aging well.

Ned

2

One thing is for certain, parts of the cloud will fail and take out thousands if not millions of businesses worldwide. Which country will get the support first I wonder.....
The temptation to have a look at a company's data for financial gain is also just too strong.
Cloud is exploding due to the ignorance of the public and it is simply a short term scam like outsourcing.
Don't be too sure of yourselves, this is not a game when business competitive data is involved and it wasn't long ago that the European courts confirmed that the USA was eavesdropping on competitors' data - it's just going to be much easier in the future - the USA is leading this with the same arrogance as it did the financial crisis :(
