Dropbox: What you need to know

Collaboration and client portals are all the rage and the Dropbox online storage service is proving to be a popular choice. Among the service's 50m users are increasing numbers of UK accountancy firms, judging from contributions to a recent Any Answers debate on the pros and cons of Dropbox.

The thread was sparked by a question from jaybee661. Having started practising from home, jaybee wanted a way to make the same files accessible from the firm’s new office: “Is something like Dropbox the answer so I can ‘see’ the files (and, more importantly, make changes to them) wherever I am?”

Nearly 70 comments were posted in response. This article sifts through the evidence presented to throw more light on one of the internet’s most successful recent phenomena.

As one of more than a dozen AccountingWEB members who came forward to discuss their experiences with Dropbox, Hansa described it as a “very useful cloud service for synchronising non-confidential data”. The advantages include ease of use for uploading and retrieving files to the web, compatibility with most mobile devices and built-in synchronisation between PCs, Macs and smartphones that you connect to the service. Once you load up a file, the latest version is available on all your devices.

The big concern raised was around security. After a few recent headlines, some users who delved into the data protection arrangements were less enthusiastic about using it for storing or sharing client files.

“It's great for granny's photos, not for business”, commented Hansa.

But Paul Scholes and other Dropbox enthusiasts don’t see the need for ultimate security and are happy to live with the acknowledged risks: “Once you use it you'll chuck away all your memory sticks and realise how much more confusing life was before it.”

Continued...


Comments

Embracing Technology    1 thanks

sarah douglas | | Permalink

Hi John 

This was a very useful debate. Prior to the Any Questions I had read about the security issues so it was very interesting to hear other accountants' points of view.

Just prior to that I emailed all my clients whom we share Dropbox folders with to make them aware of this issue, and to ask them if they wanted to continue using Dropbox or change provider. We made it quite clear that if they continued to use it we would have to put something in writing moving forward.

Not one client said they wanted to stop using it and they were prepared to take the risk. On the suggestion of providing another provider, most of my clients who are also heavily involved in IT said they felt it was the easiest to work with and were prepared to take the risks.

It is amazing how things have changed. We as a practice have changed a lot in the last couple of years. Between using Dropbox and having a video Skype call with clients we have found our clients have been a lot happier as they feel they are more in contact with us and have less paper to go through. If they do not want items kept on Dropbox they download it and we agree to clear it from Dropbox once we are finished.

Some of our clients have notice clinches so I also include Dropbox in my backup anyway to cover us as a practice.

Technology will always change and we should embrace it. I now check my Skype for instant messages from clients. It is a great way for them to just type instant questions and it is very easy to copy the history to OneNote or similar for your clients. It also keeps a very easy to use record of when you phoned them and how long for. I find it useful for billing.

My clients use texts quite a bit, almost as instant thoughts. They are not expecting an instant answer; they're busy running the business and it is almost as if they do not want to forget that question. Of course you charge for the service. But copying texts is difficult to your client records but it means it is all there and you can give them a quick call.

Also it is a good idea to check that your phone is being backed up as well, just in case.

Kind Regards Sarah Douglas  Douglas Accountancy and Bookkeeping Services Glasgow 

 


always bear in mind    1 thanks

pmtate | | Permalink

BACKUP BACKUP BACKUP (and not on same service)

see @3ammagazine  https://twitter.com/3ammagazine/status/219901886931804160

12 years of online magazine missing in action as host vanished.....

Copying Texts

greybeard | | Permalink

 

One useful trick with iphones is that you can take a "picture" of the text and then email that to yourself. You simply load the text onto the screen and then simultaneously press the top on/off switch with the navigation switch. The iphone effectively does a "print screen" command. The image is stored under "photos" and you are able to email this to yourself or anyone else.

I have found this useful on many occasions.

Copying Texts

Jack | | Permalink

On iPhone, one can also copy the text (press and hold the text box, select copy) and then paste into email to self.  Particularly useful as a reminder / message unread.

Remember Third-Party risk as well    1 thanks

growson | | Permalink

 

A point that may have been missed is that CLIENT records often have sensitive information of others -- especially the personal information of EMPLOYEES in order to process payroll, etc.  

So when a client says "they are prepared to take the risk," I've found that most NEVER CONSIDERED the potential ramification of accidental disclosure of payroll info and the remediations they would have to do to compensate for this.  The clients were only considering the effect of the disclosure of the business' FINANCIAL data.

What's the liability for practitioners?  No idea (and it probably would depend upon which jurisdiction you conduct your practice).

Good to hear that many practitioners are having frank discussions with their clients.  While I do worry about the access/security/potential "unintentional disclosure" issues, if all are willing to accept the risk/consequences, then Dropbox is a fantastic tool.  I know I can't live without it - and I only use it for non-sensitive info.

Other quick observations:

- TrueCrypt works with DropBox (and other such services) but only if the container is small (1Mb-2Mb tops).  Otherwise, the file synchronization time can be considerable (I've noticed the problem just when leaving home computer and trying to open the files once I arrived at work).  Note also if you open up a truecrypt volume within Dropbox, then the volume is exposed (there's notes about this on the TrueCrypt site).

 

- Password protecting Word/Excel/etc.:  no security there - there are hundreds of free tools that can bypass the indigenous password protections on these files.  10 seconds with a Google Search.  So that approach isn't providing ANY diligent protection that would exonerate a practitioner's responsibility in the eyes of IS auditors or the court system.


Dropbox security option    3 thanks

afairpo | | Permalink

For a (fairly) easy route to securing data on Dropbox, have a look at SecretSync (http://getsecretsync.com/ss/) - no, I'm not paid by them, or in any way affiliated other than as a user. This software sets up a folder, synchronised via Dropbox: any files put into this folder are automatically encrypted (can explain the voodoo if you want) before they're copied to Dropbox, so that you control the encryption.  The folder can contain sub-folders as well, so you can set up a standard file system under it.

What's stored via SecretSync on Dropbox is encrypted and can't be accessed on an iPad (etc) or from any computer that doesn't have SecretSync on it. As a result, you need to have SecretSync on each computer that you sync through Dropbox, if you want access to the files in each place. The SecretSync software unencrypts the files as they're sync'd from Dropbox.

The advantage over TrueCrypt and other similar encryption models is that all this happens on the fly, without user interaction. Yes, I'm just lazy. I want the technology to do it all for me. Your mileage may vary!


Terrific summary John    1 thanks

Nigel Hughes | | Permalink

OK I'm going for a crawler of the year award!

I'm not a dropbox user yet, but have to exchange large files which email can't cope with from time to time.

I've found this really helpful and is a good example of the AW community really coming into its own


@afairpo

jaybee661 | | Permalink

afairpo wrote:

For a (fairly) easy route to securing data on Dropbox, have a look at SecretSync (http://getsecretsync.com/ss/) - no, I'm not paid by them, or in any way affiliated other than as a user. This software sets up a folder, synchronised via Dropbox: any files put into this folder are automatically encrypted (can explain the voodoo if you want) before they're copied to Dropbox, so that you control the encryption.  The folder can contain sub-folders as well, so you can set up a standard file system under it.

What's stored via SecretSync on Dropbox is encrypted and can't be accessed on an iPad (etc) or from any computer that doesn't have SecretSync on it. As a result, you need to have SecretSync on each computer that you sync through Dropbox, if you want access to the files in each place. The SecretSync software unencrypts the files as they're sync'd from Dropbox.

The advantage over TrueCrypt and other similar encryption models is that all this happens on the fly, without user interaction. Yes, I'm just lazy. I want the technology to do it all for me. Your mileage may vary!

... so you wouldn't be able to get to your encrypted files via an iPad - could be an issue if you need files 'on the move'?

iPhone / Smart Phone

chatman | | Permalink

greybeard wrote:
iphones is that you can take a "picture" of the text and then email that to yourself.

I would have thought any smart phone could do this. Certainly any Android phone with a camera.

Dropbox, Google Drive & Sugarsync

TheFSG | | Permalink

I've tried three syncing software solutions before deciding which one to go for.

Dropbox is the market leader but is quite expensive. Sugarsync is slightly different to both Dropbox and Google Drive in that you choose which folders to sync, rather than having a specific folder that needs to be populated with the folder/files you want to sync.

In the end I went for Google Drive quite simply because of price. The software isn't as nice as Dropbox's but at $2.49 per month for 30GB (5+25) against $9.99 for 50GB (100GB is $4.99/m in Google drive). I've been using it for about 2 months now without any issues.

The other benefits are that you always access files on any machine with Internet access, and if you use more than one laptop these files are invisibly made available on all machines with or without Internet.

One reminder though - these are syncing solutions so if you delete or change a file that's synced old versions will be replaced or removed, unlike a backup service where deleted files may still be available.
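The sync-versus-backup distinction in the post above, shown as an added example that is not part of the original thread: a script that snapshots a sync folder into a separate, versioned store, so a deletion or overwrite that the sync client propagates can still be undone. The store layout, labels and folder paths are assumptions made for illustration.

```python
"""Versioned snapshots of a sync folder, kept outside the sync service."""
import hashlib
import json
import shutil
import time
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(sync_dir, store_dir, label=None):
    """Copy every file under sync_dir into a content-addressed store and
    write a manifest (relative path -> SHA-256). Returns the manifest path."""
    sync_dir, store_dir = Path(sync_dir).resolve(), Path(store_dir).resolve()
    # A store inside the sync folder would be deleted along with everything else.
    if store_dir == sync_dir or sync_dir in store_dir.parents:
        raise ValueError("backup store must live outside the sync folder")
    blobs, manifests = store_dir / "blobs", store_dir / "manifests"
    blobs.mkdir(parents=True, exist_ok=True)
    manifests.mkdir(parents=True, exist_ok=True)
    entries = {}
    for path in sorted(sync_dir.rglob("*")):
        if not path.is_file():
            continue
        # Copy first, then hash the copy, so the digest describes what was
        # stored even if the sync client rewrites the file mid-run.
        incoming = blobs / ".incoming"
        shutil.copy2(path, incoming)
        digest = _sha256(incoming)
        blob = blobs / digest
        if blob.exists():
            incoming.unlink()          # unchanged content is stored only once
        else:
            incoming.replace(blob)
        entries[path.relative_to(sync_dir).as_posix()] = digest
    label = label or time.strftime("%Y%m%dT%H%M%S")
    manifest = manifests / (label + ".json")
    manifest.write_text(json.dumps(entries, indent=2, sort_keys=True))
    return manifest


def changes(old_manifest, new_manifest):
    """Report what the sync folder lost or overwrote between two snapshots."""
    old = json.loads(Path(old_manifest).read_text())
    new = json.loads(Path(new_manifest).read_text())
    return {
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(set(new) - set(old)),
    }


def restore(manifest_path, store_dir, target_dir):
    """Rebuild the folder as it was at one snapshot; verify each blob first."""
    entries = json.loads(Path(manifest_path).read_text())
    blobs = Path(store_dir) / "blobs"
    restored = []
    for rel, digest in entries.items():
        blob = blobs / digest
        if _sha256(blob) != digest:
            raise ValueError("backup blob corrupted: " + rel)
        dest = Path(target_dir) / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(blob, dest)
        restored.append(rel)
    return sorted(restored)
```

Run `snapshot` on a schedule against a store on a different disk or provider; `changes` between the last two manifests shows what a sync deletion removed before anyone notices.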

iPads were never designed for corporate use

growson | | Permalink

Jaybee661,

 

You're completely right -- i-devices were never designed to handle things like generic encryption layers, etc.  It's one of the big problems with that whole ecosystem (from a corporate perspective). Right now, the "best" option is to wait for the Windows 8 Pro Surface tablet (not the RT version) which can/should be able to incorporate TrueCrypt (and I bet SecretSync will work too, once they have code written for the Win8 environment).

Steve Jobs was designing the world's best music/video environment when he dictated the iPad specs.  Corporate use was furthest from his mind at the time.

(btw, I totally love my ipad but, this is one of the glaring areas where it lets me down).

SecretSync - possible issue

growson | | Permalink

 

I just took a look at the SecretSync home page.  Product definitely looks impressive, and I'll definitely check it out in greater depth as a replacement for my current set of TrueCrypt folders/USB keys, which I use for my sensitive information.  Then, Dropbox could do all the heavy lifting.

One possible "death star" snag:  from the SecretSync FAQ page, it sounds like the system automatically does the decryption for you (from the Dropbox "tunnel" folder) and places the non-encrypted file into a folder located on the machine(s) at each end of your Dropbox service.

In my case, my home machine is a laptop - if I were to lose the laptop while on the road, if a thief could get past my Windows 7 password, then they would have access to the sensitive data in the SecretSync folder without any further password protection (though I do have to check out how SecretSync "passphrases" might play into this).  Anyway, this might be a bit of a long-shot as far as security concerns go.  But right now, I have encrypted TrueCrypt containers protecting the data as a second layer of defense.

But if you have excellent net connections and not using in a mobile context, they would be excellent solutions.

 

Might depend on situation

growson | | Permalink

 

Google Drive / Microsoft SkyDrive -- both of these are definitely cheaper than DropBox.  However, I've never been able to get either to work as smoothly as Dropbox (meaning, the dropbox folder is just like any other folder on my computers - local copies of all data that then replicate to the other machines).  Google/Microsoft do not have a local folder - instead, you "map" the network data share so that it appears as a local drive (and file copies will be slower, as it always takes longer to grab a file from across a network compared to a local copy).  At all times, you have to have network access to reach your data - not good if you want to work on files while on a plane, etc.

But if you aren't in "travel mode" and have good high-speed network connections, both of these cloud platforms would be excellent choices as well.   


@jaybee661 - yes, that's a problem

afairpo | | Permalink

Yes; if you need to access client files from Dropbox on the move then SecretSync won't be helpful, but neither will any other encryption that you control as far as I know. The iPad has its own encryption but I haven't come across any apps that will unencrypt a file from Dropbox (or other similar storage).

For what it's worth, and the following is probably tl;dr, if I have to take client material on an iPad, I temporarily copy it to Goodreader and password protect it (various times, because I'm paranoid - the iPad is passphrase protected, the Goodreader app requires a password to access it, the files are password protected individually, and they are within password protected folders. Goodreader uses the iPad's encryption system so that password protection encrypts the files, it doesn't just lock them).

Much the same as printing it out, really. It's mildly irritating not to be able to get material from Dropbox on the fly, but I'd really rather not have to worry about the potential for uncomfortable conversations with the Bar Council and the Information Commissioner's Office.


true ...

afairpo | | Permalink

growson wrote:

if I were to lose the laptop while on the road, if a thief could get past my Windows 7 password, then they would have access to the sensitive data in the SecretSync folder without any further password protection (though I do have to check out how SecretSync "passphrases" might play into this).  

The passphrase is a secondary layer of protection for your SecretSync files but it doesn't require you to type it in to access the folder.  If a thief can get past your laptop login then they can probably get past passwords to get at data, if they're specifically looking for the data.  For what it's worth, the ICO would rap your knuckles if the laptop wasn't encrypted and password protected, but they don't require folders to be separately encrypted or password protected.


and finally (should have combined these in one post)

afairpo | | Permalink

With Google Drive, don't forget that Google has handed over data in a European data centre to the US Government under the Patriot Act before now (as has Microsoft) - http://www.zdnet.com/blog/igeneration/google-admits-patriot-act-requests....

Also note that the EU Article 29 Working Party has just said that safe harbour self-certification alone isn't enough when using US data centres (http://ec.europa.eu/justice/data-protection/article-29/documentation/opi...).

Agreed

growson | | Permalink

afairpo wrote:

For what it's worth, the ICO would rap your knuckles if the laptop wasn't encrypted and password protected, but they don't require folders to be separately encrypted or password protected.

 

Exactly my thoughts.  Laptop is password-protected and right now (via TrueCrypt)  the data is encrypted.

Saw your other post re US Patriot Act as well - this is another aspect, too.  While I don't have any info that would be of interest to them, it's not my place to make that decision on behalf of my clients.

 

 


Own cloud server

jndavs | | Permalink

Why not buy yourself a cheap PC, slap on a copy of Linux and some file sharing software (if you are not happy with the stuff built in)?

You may need to have a fixed IP allocated to the PC (ask your ISP) or use a service such as

noip.com  - and hey presto you have your own cloud server which is completely under your own control and without the monthly subscription.

http://www.webupd8.org/2011/10/owncloud-2-your-personal-cloud-server.html

Sure, if you have the technical expertise . . . .

growson | | Permalink

jndavs wrote:

Why not buy yourself a cheap PC, slap on a copy of Linux and some file sharing software (if you are not happy with the stuff built in)?

You may need to have a fixed IP allocated to the PC (ask your ISP) or use a service such as

noip.com  - and hey presto you have your own cloud server which is completely under your own control and without the monthly subscription.

http://www.webupd8.org/2011/10/owncloud-2-your-personal-cloud-server.html

 

This is the most preferred approach; however, only if you have sufficient technical knowledge to properly control/monitor access to the server, protect the data on it, etc.  For example - the review on the page link you provided openly points out that this system lacks indigenous file encryption (which DropBox has, even though it has the weakness of being applied server-side, rather than client-side).


Own cloud server

jndavs | | Permalink

Linux has built in encryption software eg encFS which can be utilised for this, or use something like truecrypt.

 

As far as support goes, there is extensive documentation provided with all Linux distros and also most software.

The 'Linux community' is generally very helpful and of course there is paid for support should you wish to take it up.

Follow the links in whatever distribution you choose to try.

 

Since all the software can be freely downloaded (as in unrestricted and without cost) or found bundled in the distro's software repositories, you don't really have anything to lose.

 

You may be interested in this:

http://www.linuxplanet.com/linuxplanet/tutorials/6985/1

Dropbox

gavin1977 | | Permalink

Started to use it as a means of being able to transfer Sage files from a client to the office since these can become too large to send via email.  However, Dropbox didn't seem to like Sage files.  However, it was great for uploading PDF and Excel files and emailing a link to these specific documents in the public folder.  Now using it to put "to be read later" documents in and accessing them during spare moments using iPad.

 

Good article

chatman | | Permalink

Good article


Dropbox security

paulroach | | Permalink

If you invite someone to a Dropbox folder they can then invite others without you necessarily being aware of it.  Has anybody come up with a way round this?

 


Doesn't appear to be a way around it, no

afairpo | | Permalink

All I can suggest on the shared folder point is regularly checking the information as to who is sharing it - it's available on the Dropbox website when logged in, if you check the folder 'shared options' information.
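The regular membership check suggested in the reply above can be scripted; this is an added example, not part of the original thread and not Dropbox tooling. The member-list format, field names and addresses are constructed assumptions, with the list itself taken to be copied from the folder's sharing options on the Dropbox website at each check.

```python
"""Audit a shared folder's member list against an approved list."""
import json

# Constructed sample data: two copies of one shared folder's member list,
# taken at consecutive checks. Field names are hypothetical, not Dropbox's.
PREVIOUS = json.loads("""[
  {"email": "partner@example-practice.test", "role": "owner",  "invited_by": null},
  {"email": "fd@client-co.test", "role": "editor",
   "invited_by": "partner@example-practice.test"}
]""")
CURRENT = json.loads("""[
  {"email": "partner@example-practice.test", "role": "owner",  "invited_by": null},
  {"email": "FD@Client-Co.test", "role": "editor",
   "invited_by": "partner@example-practice.test"},
  {"email": "temp@bookkeeper.test", "role": "editor",
   "invited_by": "fd@client-co.test"}
]""")

# People the practice and the client have agreed may see this folder.
APPROVED = {"partner@example-practice.test", "fd@client-co.test"}
OWNER = "partner@example-practice.test"


def norm(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def audit_members(previous, current, approved, owner):
    """Return members needing review and members removed since the last check."""
    approved = {norm(a) for a in approved}
    owner = norm(owner)
    before = {norm(m["email"]) for m in previous}
    now = {norm(m["email"]) for m in current}
    flagged = []
    for member in current:
        email = norm(member["email"])
        inviter = norm(member["invited_by"]) if member.get("invited_by") else None
        reasons = []
        if email not in approved:
            reasons.append("not on approved list")
        if email not in before:
            reasons.append("new since last check")
        # An invitation issued by anyone but the owner is the case raised
        # in the question: onward sharing the owner was not told about.
        if inviter is not None and inviter != owner:
            reasons.append("invited by " + inviter + ", not the owner")
        if reasons:
            flagged.append({"email": email, "role": member["role"],
                            "reasons": reasons})
    return {"flagged": flagged, "removed": sorted(before - now)}


if __name__ == "__main__":
    report = audit_members(PREVIOUS, CURRENT, APPROVED, OWNER)
    for item in report["flagged"]:
        print(item["email"], item["role"], "; ".join(item["reasons"]))
    for email in report["removed"]:
        print(email, "no longer a member")
```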


Shared folders

paulroach | | Permalink

Thanks for the comment.  That is how we deal with it at present but it does throw a spanner in the works as far as confidentiality of records is concerned.

Private FTP site

growson | | Permalink

paulroach wrote:

Thanks for the comment.  That is how we deal with it at present but it does throw a spanner in the works as far as confidentiality of records is concerned.

 

Borrowing a bit from the concept of your own private cloud server (per the posting re Linux, etc), when I worked at BDO Canada LLP, we had a private FTP (File Transfer Protocol) server to handle client file transmission.  FTP is the process used in web pages whenever you download a file.  An FTP server - besides allowing for file downloads - also allows user to upload files.  In BDO's case, staff could have their clients set up with secure access, and files could then be uploaded/downloaded as the staff person/client needed.

 

Ultimately, this is a better option than Dropbox (as it exists right now) but does require more onus on the accountant to ensure security, access, privacy, etc.

 


DropBox for temporary sharing, specialists for secure docs?

Michael Wood | | Permalink

At Receipt Bank we have had a DropBox integration since last year. We built it because we were asked for it by so many firms. Their experience of DropBox was that it was an excellent mechanism to share files with clients and they wanted us to connect to it so that documents and data could flow straight from DropBox to FreeAgent, KashFlow, Xero, etc.

From our experience we know that many firms trust DropBox as a mechanism for file sharing. For file storage my impression (from the firms I speak to) is that opinion seems to be a bit more split, with many firms preferring industry specialists such as DocSafe for the sharing and storing of key client docs.

 

 

How about for Cloud Accounting purposes...

RajDhawan | | Permalink

It is just a matter of time that businesses are all going to be managing their entire business cycle, and consequently, all their business transactions, in the Cloud. 

The biggest concern by far for most people is safety and security of the data. Would drop-box be the answer to this safety concern ? Or is the concern really not a valid one, that cloud data storage is secure enough on its own ?

I would appreciate a response from users who have something to add, or simply to respond.

Rgds,

Raj Dhawan, CPA

http://www.RajDhawanCPA.blogpost.com

 

I think we've covered this already

growson | | Permalink

RajDhawan wrote:

The biggest concern by far for most people is safety and security of the data. Would drop-box be the answer to this safety concern ? Or is the concern really not a valid one, that cloud data storage is secure enough on its own ?

 

Raj, I think between John's article and the dialogue to date here in the user comments, you've likely got a good expression of the issues already.  For some (and their clients), dropbox is secure enough - meaning, it's not 100% ideal but it is "sufficiently low risk" in their eyes compared to the advantages of the service (and same with similar other product offerings, like SugarSync, Box, etc.).

 

For others, it isn't secure enough (for example, I love dropbox and use it extensively but, I would not trust it with tax information, payroll information (including such information within accounting software databases), medical information, etc. of others).  In my capacity as an information systems auditor and performing the likes of a SAS70/SSAE 16 etc service audit report, I'd probably have to draw attention to the server-side encryption as being inadequate to satisfy COSO/Cobit internal control objectives for proper access to data (in English, the data owner cannot exercise sufficient control that information could not be disclosed to others outside of the owner's influence - namely staff at DropBox in particular).

 

Bottom line:  it depends entirely upon the practitioner and their client's sensitivity for risk (compared to the nature of the data being stored).  For example, I do have the spreadsheet/books of a service club within my dropbox files -- while it would be undesirable to have the information "accidentally disclosed", there's very little harm to anyone if it actually happened (there's no personal info, such as income, birthdates, social insurance numbers, etc. stored in it).  The convenience in this case is well-worth the risk.

 

Another important distinction:  Dropbox is an excellent file transfer synchronization system between multiple systems.  However, it is *NOT* designed for iterative collaborative work, such as available in Office 365's Sharepoint system or Google's Drive (Docs).  Those environments were built to have multiple people accessing the same files simultaneously (such as word processor, spreadsheet, and presentation files) and combining their efforts into a unified whole.  I would strongly suggest that no one locate accounting data sets (such as Sage 50) within *ANY* of these environments (and especially Dropbox and its ilk) without first doing a careful assessment as to the underlying record lock provisions.  I'm not aware that any of these shared environments are built to properly handle multiuser database access, without preparation first (Office 365's sharepoint can likely handle systems built upon MS-SQL/Access but again, only with proper configuration).  I'd doubt that Dropbox can do so without high probability of data corruption.

 

 

 


New options for shared folders    1 thanks

paulroach | | Permalink

Dropbox have just added a box that you can uncheck to stop users other than the owner from inviting others. The default is sharing so you will have to go into all shared files if you want to turn this off.

SugarSync

quintodc | | Permalink

What about Sugarsync - a fantastic service, where you can select any files folders anywhere on your PC for auto backup / sync between comps.  $50pa for 30Gb can't be bad and works well for me.

SugarSync

growson | | Permalink

quintodc wrote:

What about Sugarsync - a fantastic service, where you can select any files folders anywhere on your PC for auto backup / sync between comps.  $50pa for 30Gb can't be bad and works well for me.

 

SugarSync -- from a security/privacy/access perspective -- has a major advantage over DropBox:  it does encrypt the data at the client end BEFORE uploading to the sugarsync servers.

But when I was trying it out (months ago), I found that the file transfer process was nowhere near as seamless as that of DropBox.  I had numerous occasions where I saved a file in a SugarSync-designated folder on one computer and constantly found delay in having it synchronize on others (and I don't mean a few seconds' delay, I'm talking hours - in fact, I'm not sure that some of the files ever did synchronize without manual intervention).  Maybe I had something set incorrectly somewhere but I couldn't find it.  Dropbox was far more seamless and automatic in its operation.

 

If it's working for you, that's great.  While my experience wasn't positive, I've certainly heard from others that it works well.  Same thing with Box.