We talked with Andrea Pfundmeier, Co-Founder and CEO at Boxcryptor about cloud storage encrypted solutions and why online privacy should become a top priority.
1. Tell us a bit the story behind Boxcryptor.
We founded Boxcryptor because we had our own need for an encryption solution. Originally, we wanted to start a different startup that would store data on Dropbox. But from our background, I studied Law Economics, my co-founder is a computer scientist, we said: ‘we can use Dropbox, but we need to secure that data additionally. So, we researched what kind of security solutions are out there to encrypt Dropbox without losing special features, like accessing data on different devices, sharing, collaborating, etc. And there was no good solution ten years ago.
We developed our own prototype for such a solution, and this was when Boxcryptor was born. So, Boxcryptor, in the beginning, was made to encrypt data before it’s stored in Dropbox.
Then, we got a lot of positive feedback regarding it; we put a very early Alpha version online, and within a week, more than 1,000 users downloaded it. For us, this was enough information to know that we’ve found a product where there’s actual need. People need encryption software. And this was how we started Boxcryptor.
2. Describe in a few words how your security solution works.
Boxcryptor is software that every user can install on his/her device. We have a basic version with limited features which everybody can use for free. What we do is encrypt the data on your device (computer, tablet, iPhone, etc.) before it’s then uploaded to your chosen cloud storage.
As I mentioned, we started with Dropbox, but now we support more than 30 different cloud storages like OneDrive, SharePoint, Google Drive, Microsoft Teams, and other regional platforms and providers.
The data is encrypted on your device, stored, encrypted in the cloud service of your choice, and when you want to share it with others, the other person can download the file, encrypt it, and access it.
Boxcryptor for companies has a fully-featured management system behind, so you can give rights to certain groups, or individual users. You can also limit who has access to your files. This allows you to take control of your files into your own hands.
3. Can you name something different that sets you apart from your competition?
Boxcryptor is end-to-end encryption software, and we also cover the zero-knowledge principle, which means that only the user has access to the keys and can decrypt the files. Even we, as the provider, cannot access the files; we don’t have access to the keys, and therefore, the user can be 100% sure that his/her data is really protected.
What’s also very important is that Boxcryptor is available in six languages, so we have users in more than 100 countries worldwide. We have single users who encrypt their photos and personal data. But also, a lot of companies and enterprises choose to encrypt customer data, HR data, etc. All of these are possible with Boxcryptor.
4. Do you also have an alert for unauthorized access, for example?
Yes, there are multi-controlled features. For example, you can limit from which IP addresses users log in. Or you can choose to limit access to your home or office IP address, but you can also put a limit and not allow access from a certain country.
5. When did you first become aware of the importance of data privacy and encryption?
During the last ten years, since we have been in this industry, we have heard a lot about potential threats and security issues in various companies. And we became aware that encryption and security are decisions you have to make actively. It’s not something that drops on your table, and you have to react. It’s something really important to think about that requires an active decision.
For example, one decision is to define: ‘what are my sensitive files or my sensitive data?’ This can be completely different from company to company and from user to user. There are some private users who say, ‘I encrypt all pictures of my children before they go in the cloud storage.’ Others say ‘I don’t encrypt pictures, but I have other important data that I want to encrypt’. It’s the same for companies.
For instance, not 100% of our company’s data is really important and needs to be secured in a special way. But there is some data that every company has and that shouldn’t fall into the wrong hands. It might be the management briefings and information, HR information – whatever you define, you can protect it.
It’s not the right way to do nothing, and when there’s an incident, you worry and feel sad about lost data or privacy issues; you have to make a decision to protect your data actively.
For example, Boxcryptor allows you to secure certain parts of your data; it’s not an all or nothing decision. You can go to the core of your data, start to encrypt what you want and define it for yourself.
6. Name two or three of the most pressing cloud security challenges today. And, of course, why they are such a big challenge?
I think that one challenge that very often appears is that security software is very complicated to use. So, when I’m the owner of a company and make the decision to implement a certain security software, it’s often very complicated for the end-users. As a result, people aren’t happy they need to use security software, and sometimes, they find ways to work around it.
For example, when there’s a very secure way to store data, but users think it’s too complicated, they’ll start to share Dropbox links or put Dropbox files somewhere else where they can share it more easily. Of course, companies don’t want that.
When users select a shadow IT, as a result of difficult and complex security solutions, it’s always bad. In my opinion, it’s always very important that security solutions are easy to use for the end-users because then, the users will actually use them.
The second challenge is that very often, you don’t have control over who has access to your data. In a company, there are certain administrators who can access everything, although maybe they shouldn’t from a legal perspective. Sometimes, you don’t know who has access to all this data. Companies have to think about how they can solve this and protect their data.
Another very up-to-date topic is, of course, ransomware. A lot of companies deal with this threat and find that their data is encrypted by attackers, and they cannot access it anymore.
What’s even more worrying is that attackers often don’t just encrypt the data, but they also have access to the data. This means that the company itself has no access to its data that they might need, the attackers know what’s inside the data, and when things go worse, they even publish the company’s sensitive or personal data.
So, this on top, should be an interest for the companies to encrypt their data on servers to make sure that even if a ransomware incident happens, the attacker doesn’t get the data in plain text.
7. How do you see the future of cloud storage in terms of both privacy and security?
In general, I’m convinced that cloud storage or the use of cloud is the future. Considering the current pandemic situation, when people are working from home, they need access to office data, so this is definitely the future. From a privacy and security perspective, the legal aspect is very important for the future.
The GDPR (General Data Protection Regulation), for example, was a very good approach where privacy was put as a number one priority for a lot of companies. They had to think about how to secure personal data and what they needed to do to comply with GDPR. There are similar regulations in different industries, for instance, special legislation for health data, another special one for the automotive area, etc. All these industries and companies have to secure and protect data. And this will definitely be the future as well.
I’m sure we’ll continue to use cloud storage and cloud services, but privacy should be most important. We have to make sure that although we use cloud storage, that data belongs to the user and only that user can access his/her plain text files.
8. What are your company’s plans for the future regarding security and encryption?
Very recently, we launched an encrypted messages feature for Microsoft Teams. We will also focus our future development on the whole Microsoft 365 collaboration area. This is where we want to add our privacy and encryption knowledge and make sure that users can use these services without giving up privacy and comfort.
9. What cybersecurity habits would you advise a casual user to enforce in everyday tasks?
One very important thing is to have the privacy idea in mind; it doesn’t mean they should stop using cloud services, it means when they use these services, they should ask themselves ‘where is this data stored and who could potentially have access to it?’ Bringing this to your mind in general is very important.
People often use tools and products without thinking about privacy, and they don’t make an active decision. It’s one thing to know that a product or service is not 100% secure, but willing to use it because you need the extra comfort or whatever reason. It’s another to use tools without even thinking about privacy.
I would also recommend a password manager because passwords can be easy to break because people use bad passwords. And, of course, Boxcryptor, to protect sensitive private or business critical data.