An article released by Dropbox Sign on 1 May 2024 revealed that unauthorised access was gained to customer data on their production environment. According to the article, “A threat actor had accessed data including Dropbox Sign customer information such as email addresses, usernames, phone numbers, and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.”
Furthermore, in this article, Dropbox Sign informed customers that those who received or signed a document through Dropbox Sign also had their email addresses and names exposed, even if they did not create an account.
The importance of a heightened security posture for Electronic Signature vendors
The saying, “It’s not whether you are going to get hacked, it’s when you get hacked,” comes to mind. eSignature applications store not only a large volume of sensitive personal data about the signers but also the content of sensitive contracts, together with identifiable personal information.
It is, therefore, imperative when choosing an eSignature vendor to ensure that it has a strong security posture. Sending documents for signature using open email links, which can be easily spoofed or forwarded to others, is still common practice among some electronic signature vendors and should raise red flags. Applying multi-factor authentication should be the first step towards protecting customer data.
Prioritising ease of use over security is often the leading cause of major security breaches. A strong security posture means that the vendor prioritises security and then looks at intelligent front-end designs to ensure a good user experience.
Security beyond the Application layer
Encrypting communications between the customer and the application layer is critical, but it is simply not enough. Data should be encrypted in transit and at rest (database layers) to ensure that personal data is not in a readable format, should a breach take place.
A strong security posture does not end with good encryption and strong firewalls. It includes a holistic view of networks, information security, network security, data security, and Internet security across all attack surfaces.
Regular penetration testing, vendor risk management policy, vulnerability management policy, and security awareness training for all employees have become vitally important when implementing and upholding good security controls and a strong security posture.
Cyber Security Considerations when Choosing an Electronic Signature Vendor
When choosing an electronic signature vendor, attention to their security posture is as important as a probe into their approach to managing risk. Three major areas address risk mitigation and should be considered an absolute minimum when choosing a vendor. Make sure your Electronic Signature vendor offers these as standard:
- Managed XDR
- SOC (System and Organisation Controls) 2 Level Protection Managed WAF
- Uptime Monitoring and Reporting
Read more on these: Strong security for Electronic Signature applications.