Microsoft SharePoint users are aware of the risks that exposing sensitive data can cause to their organization, yet unbelievably they are using the collaboration tool as an excuse to turn a blind eye.
The Cryptzone study discovered that while 92% of respondents understood that taking data out of SharePoint made it less secure, 30% were willing to take the risk stating they were “Not bothered if it helps me get the job done”.
Thirty four percent confessed they never really thought about the security implications of SharePoint, while incredibly 13% believe protecting company data is not their responsibility. When examining users’ handling of sensitive or confidential information, a defiant 45% of SharePoint users said that they disregard the security within SharePoint and copy sensitive or confidential documents from the collaboration tool to their local hard drive, USB device or even email it to a third party.
The main reasons for copying documents from SharePoint were either to work from home (43%) or share it with third parties who don’t have access to the tool (over 55%).
What this practice demonstrates is that this new technology, while supposedly a business enabler, is recognized by many employees as a barrier and doesn’t live up to its full potential as an inclusive collaboration tool to enhance productivity.
Daniel Nilsson, data loss prevention expert at Cryptzone said, “Organizations recognize that today’s workforce needs to be able to collaborate effectively, but if this new found access to data is introducing lax security practices then the danger could quickly outweigh the benefits. While some might consider it admirable that their employees are so dedicated to getting the job done, the fact remains that they’re circumventing procedures and security put in place for good reason. Ignoring the consequences is a risky strategy – is it any wonder then that we see so many data security breaches as a result. Rather than ignoring what’s happening, steps need to be taken that recognize the increasing porosity of the perimeter and allow the workforce to harness the power SharePoint offers without compromising security.”
The study also found that a third of administrators feel users are capable of controlling access rights, but are not given this responsibility. It is unsurprising then that IT Administrators remain overwhelmingly responsible for managing access rights within SharePoint (69%) however this is likely to be higher as 22% of users simply aren’t aware how access rights are managed.
Yet, with over a third (35%) of SharePoint administrators snooping around and peeking at documents they’re not meant to read, some organizations clearly aren’t getting the balance right. When digging deeper to see what was being viewed, 34% were looking at employee details, 23% salary details and eight percent merger and acquisition details and even redundancy notices!
Nigel Stanley, Practice Leader for Security at Analyst Firm Bloor Research said, “Whilst hackers and cyber criminals get the headlines, it really is the inside threat that poses the biggest security headache. The survey does highlight the fact that employees for the most part just want to get on and do a good job and will try and get around security measures if these are seen to be a barrier to their work. We need to educate these people as well as put in decent security controls”.
He added, “My biggest issue is with snooping administrators. Trusted individuals that behave in such a way should be kicked out of their jobs and never allowed to work in IT again”.
Daniel Nilsson concludes, “Organizations need to come up with even more innovative methods of communicating cause and effect to their users. Perhaps even consider sanctions to wake up the 12% that don’t consider it their role to protect corporate information. In the meantime, technology exists to provide all the encryption and access rights management tools needed for co-workers to share information securely and assign access rights in line with policies; and strong security features ensure regulatory compliance. Organizations should be confident that information is accessible to those who need it, and protected from those who don’t.”