I am a Dropbox user like many people. I use Dropbox to share files from one computer to another. I don’t use it for anything sensitive like personal financial information or business data. The reason why I don’t use it for anything sensitive is that I am afraid of what could happen if someone got into my Dropbox account. I think I have good reason to be afraid and it’s not just the known Dropbox security issues.
A user forwarded me an email that was clearly a Dropbox phishing message. The login page it linked to looked exactly like Dropbox's real login page. Thankfully this user doesn't use Dropbox. But the prospect of this sort of message landing in a Dropbox user's inbox should be terrifying to a systems administrator.
What makes Dropbox useful is also what makes it dangerous. The Dropbox client syncs shared folders to the machine of everyone who has rights to them, and those people may be anywhere inside or outside of the firewall. So if one person's Dropbox account is compromised, the intruder potentially has a foothold on many people's machines. Besides the data theft, or the quiet monitoring of whatever the victims put in the shared folder, the attacker can drop infected files into that folder and let the client deliver them onto every member's local disk.
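If the client is allowed at all, the least you want is a check for what has landed in the synced folder. The following is an added example, not code from the original post or from Dropbox: it walks a locally synced shared folder and flags files that carry active content (executables, scripts, macro-enabled documents, shortcut files) or hide an executable behind an innocuous-looking double extension such as `invoice.pdf.exe`. The suffix lists and the sample folder it builds are assumptions constructed for the illustration; the folder path and the age window are whatever you point it at.

```python
"""Audit a locally synced shared folder for files an attacker could have
dropped through a compromised account. Added illustration, not Dropbox code."""
import os
import tempfile
import time
from pathlib import Path

# File types that execute or carry active content when opened.
# Assumed list for this example; tune it to your environment.
RISKY_SUFFIXES = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".js", ".vbs",
                  ".hta", ".lnk", ".docm", ".xlsm", ".pptm", ".jar", ".pkg", ".dmg"}
# Suffixes that look harmless; used to catch double extensions like "invoice.pdf.exe".
INNOCUOUS_SUFFIXES = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def classify(path: Path) -> list:
    """Return the reasons a single file is suspicious (empty list if none)."""
    reasons = []
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in RISKY_SUFFIXES:
        reasons.append(f"active content: {last}")
    # "report.pdf.exe": an innocuous-looking inner extension hiding an executable.
    if len(suffixes) >= 2 and suffixes[-2] in INNOCUOUS_SUFFIXES and last in RISKY_SUFFIXES:
        reasons.append("double extension")
    return reasons


def scan_shared_folder(root, max_age_seconds=None, now=None):
    """Walk root and return sorted (relative_path, reason) pairs for risky files.

    If max_age_seconds is given, only files modified within that window are
    reported, which is what you want for a 'what changed since last night' check.
    """
    root = Path(root)
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if max_age_seconds is not None and (now - p.stat().st_mtime) > max_age_seconds:
                continue
            for reason in classify(p):
                findings.append((p.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_tree() -> str:
    """Construct a throwaway folder standing in for a synced shared folder (sample data)."""
    root = tempfile.mkdtemp(prefix="shared-")
    files = {
        "Q3/report.pdf": b"%PDF-1.4 sample",       # benign
        "Q3/invoice.pdf.exe": b"MZ\x90\x00",       # executable behind a double extension
        "Q3/budget.xlsm": b"PK\x03\x04",           # macro-enabled workbook
        "notes.txt": b"meeting notes",             # benign
        "tools/update.lnk": b"L\x00\x00\x00",      # shortcut file
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    # Backdate the shortcut a week so an age-limited scan skips it.
    old = time.time() - 7 * 86400
    os.utime(Path(root) / "tools/update.lnk", (old, old))
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, why in scan_shared_folder(sample):
        print(f"{rel}: {why}")
```

Run it against the real synced folder with a window matching your scan interval; a file that trips both the active-content and double-extension checks deserves a look before anyone opens it, and a scan that suddenly reports files from a folder the user never touches is a sign that someone else's account, not theirs, has been compromised.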
To me it seems that allowing the Dropbox client on a corporate machine means accepting a set of dangerous risks, and I don't think those risks are worth it. Let users use the web-based version of Dropbox if they'd like: a compromised account can still leak whatever they uploaded, but nothing lands on the corporate disk unless someone deliberately downloads it. Just keep that client off the machines.