An interesting thing came to my attention last week when I was using a thumb drive to transport files back and forth between secure environments. The thumb drive became corrupted. Fortunately, I only use thumbs for transport (not for primary storage), and I had the files available elsewhere for retrieval. (For that matter, I was able to repair the thumb and its contents with a utility.)
But in relaying my experience to a Fortune 500 IT colleague, and good friend, he recommended something for transport that concerned me – and I believe the concern may apply to a very wide audience. When he travels for business, he relies on a site called Dropbox.com. Basic Dropbox services are free: That is, you can store up to 2 GB of data for retrieval and swap (larger amounts require a paid account). However, a quick review of the terms reveals this:
You, and not Dropbox, are responsible for maintaining and protecting all of your stuff. Dropbox will not be liable for any loss or corruption of your stuff, or for any costs or expenses associated with backing up or restoring any of your stuff.
I have no quarrel with Dropbox: It’s a free service in these regards. I’ve not heard of major outages or corruptions, and again – these are the free terms. I don’t know what the terms are for the paid service, but the liability we’re talking about here is the unmonitored use of the free service by employees of organizations. (It’s easy enough to recognize that in the other case, the organization pays for the service, in which case employee use is sanctioned, and the org “buys into” any liabilities as far as terms go. Employees are extremely unlikely to purchase the service out of their own pocket while leaving the org in the dark.)
But in the case of my friend, he, like many others employing free sites like this, has not apprised his organization of his method for “transporting” files. He travels to a city, retrieves critical files, modifies some of them, uploads some, and then flies on. Therefore, his critical content is on Dropbox, thus far readily accessible and ready for use in any city. But… what if the Dropbox site is down someday? What if Dropbox corrupts his files… or otherwise suffers a breach? It would be awfully embarrassing to show up in some city where others expect that you “have the goods” – and you don’t.
Does his Fortune 500 employer know about, or even have a policy to preclude reliance on, sites such as this? Particularly in the small-to-medium business (SMB) environment: Do those organizations have policies in place that define these sites and either 1) allow or 2) deny their use? You must recognize that these sites likely don’t adhere to your organization’s standards of data control and security – unless by sheer coincidence: And no responsible IT or business person relies on coincidence. Further, the organization must take a hard look at itself: Why would an employee go outside the central servers and data stores that belong to the organization? (Is it simply convenience? Is the employee sharing data with outside parties who have no login credentials for the org’s internal resources, or no access to the authorized areas within them?)
This is not to belabor a specific criticism of Dropbox (and there are many similar services out there). The service they provide is a good one – and many an SMB organization is looking to cut costs: But understand the limitations, the liabilities, and your own organization’s posture when relying on any outside service over which you have no real control – and with which you have no specific agreements regarding service levels, standards, and business recovery.
If you are using services such as these, either officially or by virtue of “unregulated” users who are employing them, you should evaluate them rigorously for business continuity and security. Here, an SMB can still save money. One idea for this specific area: If you feel you must utilize an outside free service, mirror any files on two free sites, on the theory that if one is down, the other will likely be up. But recognize: Your “stuff” (to use Dropbox’s vernacular) is still in The Cloud, with a free provider of services, and without any real security guarantees.
If you are responsible for, or just concerned with, security postures within your organization, you must address situations like this immediately if you have not already. Survey all practices: Known sanctioned ones – but also potential unknown and unsanctioned ones. At the very least, you must document which services are allowed and which exposures they create, with full disclosure of their potential benefits and liabilities.
Do it very soon.
By David Scott. David is a CIO/Fortune 100 IT professional and author of I.T. Wars: Managing the Business-Technology Weave in the New Millennium, which was selected as an MBA text at the University of Wisconsin. David is the sole proprietor of BTW Consulting: Business writing, policies and plans. His comments have appeared in InfoWeek, Capitol Weekly (CA), and on the DC television show Communicating Today. You can connect with David on LinkedIn or on Twitter by following @davidscott999.