File Sharing - currently using Dropbox encrypted l...

Sharpiespad · 07-22-2021 01:09 AM

Google Workspace suggestion on the forum

Hi there, we are Financial Advisers in Leicestershire UK.

We are increasingly concerned about cyber security. We need to send documents to our clients and historically would have always just sent them as an attachment in an email. With cyber crime becoming so sophisticated we need to be doing everything that we can to stop cyber criminals getting access to our clients personal data. With this in mind we are currently reviewing the software that we use. We would like our default operating system for emails, calendars, file storage etc to be our Google Workspace but we have come across a problem when trying to share files with clients that makes it untenable for us.

When sharing a file or multiple files with our clients we currently send them an encrypted link through Dropbox. We will also password protect the link and let them know that the password is something memorable to them but we do not send the actual password to them as an email. We use their Date of Birth or National Insurance Number as an extra layer of authentication

When I compare how I send an encrypted link with a password with Google Workspace, the verification code gets sent to the clients email address, the same one that the link has been sent to. This causes me concern due to the fact that if the clients email account gets hacked for any reason and we are sending files or links that are verified with the same account then the hacker also has access to this.

When I spoke to Victor in the Support Centre (who tried his best and was very helpful) he said that there was a way to do it if our clients also had Gmail accounts, well this isn't possible as many of our clients are older and will not want the hassle of having another email account. The business clients that we have will also not want to have another set of emails. We therefore need to work around this.

As I mentioned to Victor, I cannot believe that other users of Google Workspace are not also wanting to share encrypted links whether that be with their clients or work colleagues, anything that makes its way into the ether is vulnerable and no matter what gmail, iCloud, hotmail etc etc account you have it is penetrable.

We need something that is easy to use but safe.

I am not technical in the slightest and so you may have a really simple answer for me however cyber crime is a real concern and we need to do everything we can to protect personal or sensitive information.

Sharing the verification link in the same account seems to me to be a bit dangerous, I think Google need to have other options available such as the password option.

We are therefore going to have to get more licences for Dropbox as their file sharing works for us and our reliance on Google Workspace will lessen. This isn't good news for Google as we would have preferred to have one system and not two.

I look forward to hearing what the Google Community think about my comments as well as the Workspace developers.

Thank you

icrew

You might want to post this to the Feature Ideas section here (https://www.googlecloudcommunity.com/gc/Feature-Ideas/gh-p/workspace-ideas-group) so that it can be upvoted by others and possibly considered as a future feature enhancement.

Another possibility would be to set a password directly on the files you are sharing, which you can do with Zip files, MS Office Documents, and PDFs. This is arguably even more secure, as the file remains protected even after your client downloads it, regardless of where it happens to get placed later.

Cheers,

Ian

Sharpiespad

Thanks for your comments Ian,

I will have a go at posting the feature as this would still be my preferred option.

Your thoughts around protecting the document is also a good and simple one just means it will take more time putting passwords on and taking them off and this could cause more confusion with my colleagues forgetting etc

Cheers

Steve

stevelarsen

One thing I noticed in your post that was slightly incorrect is that a user does not have to create a new email address to create a Google Account. They can use their existing email they have to register a Google account.

https://accounts.google.com/SignUpWithoutGmail

As you can see here, the user enters their existing email and does not create a new @Former Community Member.com account.

Sharpiespad

Thanks for getting back to me Steve,

I wasn't aware of this and it might be a solution going forward with new clients but the existing ones of which many are older this will take some time to roll out.

My preferred option would still be the password option of an encrypted link

Cheers

Steve

cryptochrome

I think your problem is that you are trying to use systems in a way they were never intended for. You are sending encrypted files as attachments to an email. Email ist about the least secure way to transmit information, even if you attach encrypted files. Adding to this, Email was never really designed to transfer files.

Try thinking of a different approach on how to achieve what you need. Forget email entirely. Use Google Drive to store the encrypted files and then use Google Drive sharing. That way, whenever the other party needs to access those files, they will have to authenticate with their Google account first.

Sharpiespad

Hi,

Thanks for getting back to me, I think my preferred route would still be the password protected link but totally get where you are coming from and that your suggestion would be far easier if all of our clients had a google account, might be something we consider with new clients and then try and get to our existing clients in time.

Cheers

Steve

cryptochrome

I understand, but I think your approach of sending passwords over email is inherently insecure, not matter how you do it. Even if you send the password in a separate email. If someone really wants to get to the information, you are making it very easy for them with this approach. I would seriously consider a different option (whatever that may be) that does not include emails and involved proper authentication.

Someone else here mentioned Gmail Confidential Mode. While still going through email, this would be a first step. It allows you to protect the email with an SMS text pin code that is being sent to the recipients phone. The email can only be opened with that pin. The recipient does not need a Google account for this to work.

bill_pier3

I agree with other replies, in that you're wanting to have guaranteed security over an aspect you don't control - namely that of a customer/client's email account. Though it might be a hassle, perhaps requesting/requiring that customer/clients use 2FA on their email account would be a good step. Secondarily, try using Gmail Confidential mode for more secure email exchange.

Sharpiespad

Hi Bill,

Thank you for getting back to me with some suggestions. I am not aware of Gmail Confidential Mode so will look into that. 2FA would be perfect but not practical with the clients that we look after.

Cheers

Steve

bill_pier3

I'm curious as to why 2FA would not be practical for your clients? I have deployed 2FA for some very challenging communities (naysayers, obstructionists, computer skill-deficient, etc.). Given the plethora of verification options, other than refusal to comply, what would be the obstacle for such persons to using 2FA? Clearly the change to their email security would benefit your service level, but would also be a huge improvement in their personal computing security.

Sharpiespad

Hi Bill

Thank you for you further comments , I will look into the 2FA options. Having never set this up before it is more my lack of knowledge rather than not wanting to do it. I guess we have got used to doing something that works with Dropbox

Out of interest, do you have any recommendations at to who to use for the 2FA or is it a Google option.
Apologies if this is a simple question

Cheers Steve

andmalc

Enhancing account security with 2FA is offered by all major tech companies and several types are available. The most common type, sending text message with a verification code to the user's cell phone, is the least secure but still much better than relying on password alone. A more secure but still fairly simple to use option for users with smartphones is to show a phone prompt when their account is accessed on a new device. This feature is offered by Google and Microsoft and Google/Gmail accounts have this feature turned on by default. I believe Dropbox has a version of this using their app.

bill_pier3

Steve,

No apologies .. we're all learning, if we're doing our job! 🙂

My experience on this matter is using Google's 2FA support, or as they refer to it "two-step verification" (2SV) ... [Google always has to be just a little bit different].

I started with just a few select users, before enabling domain-wide. With those users I was able to better understand their particular concerns and best 2FA use, given the multiple options for second-factor authentication with Google account 2FA. As you may already know, some systems only allow for a text-message authentication for 2FA, but Google provides several different authentication methods, some of which may work better for your users. In one of my recent situations, working with a school Faculty, I found that though most users would at least reluctantly use their phone for a Google app yes/no prompt, there were some who needed to use the text-message method, having only a feature-phone. Still others liked using the cheat-sheet of 2FA codes. I had to help them figure out what worked best for them. Again, I like that Google 2FA supports multiple options for authentication. Google 2FA support also tends to be a bit smarter in that it doesn't prompt at every sign-in, especially on devices that are recognized as normally used by the user. This helps a lot in my opinion, in selling 2FA to users -- they won't be nagged for the second authentication all the time, so this lessened the impact to their sign-in experience. In the end, a survey indicated that most users agreed that 2FA was not a big deal, and appreciated the effort to radically improve their account security ... even if they didn't quite understand how it worked -- and many said that they felt safer using it!

I hope this helps.

Bill Pier

File Sharing - currently using Dropbox encrypted link with password