How to Audit Sensitive Documents for Access Risks

How to Audit Sensitive Documents for Access Risks

Who has access to your company’s confidential files? This question is becoming more and more relevant as companies turn to cloud collaboration tools like Google Workspace, Microsoft OneDrive, and SharePoint. 

Data breaches caused by unauthorized access, what we call access risks, have risen at alarming rates as companies use collaboration tools to share files within and outside their organizations. 

In a matter of weeks, hundreds of thousands—even millions—of company documents could be shared with multiple collaborators. 

According to a report by Quadrant Strategies, the average number of collaborators per Google Workspace document is 13.4. This means that for each document an employee creates, 13 different accounts can access the information within the file. Microsoft 365 isn’t much better, coming in at 7.2 collaborators per document.

These shared documents can contain innocuous data like marketing ideas that could be safely viewed by anyone. Or, they might have sensitive data, like personally identifiable information (PII), that can have legal and compliance repercussions if accessed by outside parties or the wrong internal parties. 

No matter what kind of information your company shares, it typically falls on IT and Security teams to perform periodic reviews to ensure sensitive data does not get into the wrong hands.

In this post, we’ll go over how to audit individual and small groups of documents for access risks. 

We’ll highlight the risks you should look out for, how to reduce them, and the limitations when it comes to doing this quickly and efficiently. 

To streamline this process and use it for all files in your cloud collaboration environment, reach out here.

How to audit sensitive files for access risks

When auditing sensitive documents, it’s vital to answer the following questions:

Download: Auditing Cloud-based Documents Checklist

1. Does the document contain sensitive information? 

The first step to securing your company’s documents is to identify and classify files with sensitive data. This information includes personally identifiable information (PII) and personal health information (PHI) as well as employee and customer data. You’ll also want to check for things like financial information, strategic information, and intellectual property (IP).

You can do this in several ways; for example, by looking at the file itself, by asking the file owner to review the file, or by creating naming conventions and incorporating labels. Google Workspace even has options that let you do this under Google’s Data Loss Prevention (DLP) features. 

However, it’s important to be aware that with any DLP tool, you run the chance of having false positives. DLP alerts can be inaccurate and take enormous amounts of time to sift through. 

Once you know if your document contains sensitive information, you can have a better idea of how strict its permissions should be.

2. Who owns the document?

Next, you want to understand who created or owns the document. For example, is the document owned by an executive or someone from the legal department? Did an employee from Human Resources or Finance create the document? 

It’s crucial to know who owns the file to determine how sensitive it might be. In the case of documents created by executives or departments that handle confidential information, the contents are more likely to be confidential than not. It’s also helpful to know the file’s owner in case you need to transfer ownership to another employee, especially in the case of offboarding procedures. 

3. What accounts has the document been shared with?

Documents can be shared with a large number of accounts, and it’s critical to understand which collaborators have access to the file. 

You’ll want to know which team members have access to the file as well as any external accounts or domains. These can include personal email accounts and third-party vendors which we’ll go over below. 

Personal email account access is a hidden problem that affects most companies that use cloud collaboration tools. More than half (52%) of surveyed employees said they or a coworker had accidentally added their personal email to company documents. 

These accounts have fewer protections than corporate accounts, and access can last for years after an employee has left the company.

You should also be aware of any documents that are shared inbound into your company that are owned by personal email accounts. To learn more about protecting documents from personal email access, visit here.

Vendors are another area of potential concern, as they may have access to company files long after they stop working with a company. It’s essential to identify all vendors and third parties with access to the document, assess their risk, and remove unnecessary access as soon as possible. 

Teams should also find and remove any Public links and unauthorized access to confidential documents owned by vendors. 

4. What permissions do collaborators have?

After understanding who has access, you need to know what permissions they have.

For example, can they edit the document or share it with others? Can they change the permissions on the file? Do they have the ability to download the document? 

When it comes to permissions, there are three main options in Google Drive: Editor, Commenter, and Viewer. In Microsoft OneDrive and SharePoint, these options are: Can edit, Can view, and Can review.

These permissions are key because if a collaborator has Editor or Can edit access, they could change the file’s settings to be shared with anyone on the internet. 

They might also share the file with someone else and give them edit permissions, allowing the third party to change the file’s permissions whenever and however they please.  

With sensitive company data, you never want these scenarios to happen. It’s important to understand who the document is shared with and what level of permissions each collaborator has. 

5. What kind of links are on the document?

In cloud collaboration tools, there are several types of links. For example, in Google Drive, one type is Restricted, where the document is only shared with specific collaborators who have been added using their email addresses. This could include a group or target audience, such as the Sales team.  Another link type is Company, which grants access to anyone in the entire company with the link. 

The least protected type of link is Public. These links are particularly risky as they can be accessed by anyone on the internet with the link. Adding a Public link to a document is not recommended unless necessary and the file has zero sensitive information. 

Other tools like Microsoft OneDrive also utilize links. Microsoft has “Anyone with the link,” which are Public links, and “People in your organization” links, which are similar to Company links. 

Microsoft also has “Specific people” links which are Restricted links and “People with existing access” links, which can be used by people who already have access to a document or folder.

It’s paramount to understand what types of links your document has and where they are shared. 

6. Is the document in a shared drive or a folder?

Shared drive access can be tricky. Many employees and external collaborators may not realize that once they add a collaborator to a Google shared drive or a Microsoft SharePoint site, that collaborator can access all files and folders within the shared drive. 

It’s important to know if a document is in a shared drive or SharePoint site, and understand who else has access to that drive including any personal email accounts.

Folders are another issue. In Google, while shared drives cannot have Company or Public links, folders still can. That means that files within these folders could be shared with everyone at the company, or even made public to anyone on the internet. 

7. Does the document follow company data retention policies?

Documents become stale when their contents haven’t been changed in months or even years. Several risks are associated with older documents, including accounts having access that is no longer needed. If a document hasn’t been modified in a year or two’s time, there is typically no reason for external parties to have access as collaborators or through Public links. Similarly, stale documents with Company links that are accessible by all employees should be locked down.

One of the biggest reasons to be aware of stale documents is data retention policies. Many companies must have a solid data retention plan in place, especially if they are in charge of sensitive information. 

You’ll want to know if the document is older than a year, three years, or even more, depending on your company’s data retention policies and industry requirements. 

Download: Security Audit Checklist for Google Drive and Microsoft Sharepoint

What are the limitations of document audits?

The main issues with auditing documents are administrators can only secure files for a few employees at a time; the process doesn’t scale quickly or efficiently.  

To secure all files in a cloud collaboration environment, IT and Security teams need a more robust approach. They should understand their overarching access risk landscape and then work to secure every single file. 

Limitations of this process when using manual efforts, audit logs, or scripting: 

  1. There’s a lack of visibility into who documents are shared with. 
  2. The process doesn’t scale past a few employees. 
  3. Remediation is time-consuming and nearly impossible.  
  4. Methods are tedious and can distract teams from more urgent initiatives. 
  5. Alerts are constant, ineffective, and often full of false positives. 
  6. Teams don’t have extra time to dig around in audit logs or spend time scripting. 

What are the access risks? 

Although images of shadowy hackers are everywhere online, we’ve found that 80% of access-risk incidents are from non-malicious employee mistakes. These accidents can happen to anyone, and only 17% of IT and Security leaders believe their employees understand the importance of securing access to their files in the cloud “really well.”

We’ll give an overview of the access risks and then dive into what you can do to protect your company. 

Access Risk 1: Oversharing and liberal permissions 

Hundreds to thousands of documents are created by employees every day. Strapped for time, employees share these company files with a multitude of collaborators: their managers, other employees, and third-party vendors. At times, they’ll share files with the entire company or even anyone on the internet who has the link. 

The problem with this hinges on the security principle of “least privilege.” When it comes to documents, employees aren’t usually thinking about least privilege or liberal permissions. They want to quickly share their work with the right person and get back to their jobs as painlessly as possible. 

For example, imagine Margot shares a document with her coworker Roland and gives him Editor permissions. Then, Roland shares the document with a contract worker Leo, and grants him Editor permissions, too. 

Leo then shares the document with his manager outside the company and makes the link public with Editor permissions. 

Margot doesn’t realize that her original document is now available and editable by anyone on the internet. The document that has information that should only be seen by certain employees can now be accessed by anyone with the link. 

Access Risk 2: Suspicious downloading, printing, and copying 

Although most access risk incidents are due to employee mistakes and accidental misconfigurations, malicious activity does happen. IT and Security teams should be aware of unusual file sharing, including increases in file downloads or copying of documents. 

To help, administrators and users can utilize settings in the collaboration tools, like Google Drive access permissions for safeguarding sensitive content. This includes restricting actions such as re-sharing, downloading, printing, or copying the file, or modifying its permissions. 

Access Risk 3: Personal email account access

Personal email accounts are risky by nature. They’re designed for personal use, without any IT oversight, and often with weaker passwords and protections. Poor protections lead to big problems, as more than 80% of security breaches are due to weak or stolen passwords. 

Accidental sharing with personal accounts can happen at any company and may cause legal and compliance issues. Not to mention the headaches for IT teams who must spend valuable time finding and cleaning up all personal account access. 

Blocking access when an employee leaves doesn’t solve the problem, either. Companies don’t realize that even after cutting off access to work accounts, access to sensitive information in cloud collaboration platforms may persist through employees’ personal email accounts. 

Access Risk 4: Inbound documents and vendor risks

Inbound documents are files that are owned externally and shared with company accounts. These documents can contain confidential company information, but they are not protected by the companies that create them. 

The biggest problem with inbound documents is that IT and Security teams do not have complete visibility and control over them. 

However, these documents could still have Public and Company links, or be shared with personal email accounts or other vendors. 

Vendors being given access to company information is the event that IT and Security leaders we surveyed said poses the greatest information security threat for their teams. 

Lack of visibility and risk of data leakage are common concerns. Often, people in a vendor organization have more access to company data than is required for their jobs. 

This access can remain for months and years, even after work on projects is complete, creating risks of oversharing or data theft. 

Access Risk 5: Companywide and public access through links

Links are one of the most popular ways of sharing because they are incredibly fast to create and send. In a few clicks, the employee can get a document to the people who need it.

However, this type of sharing can lead to oversharing risks as links with sensitive data may be made visible to anyone on the internet or anyone in the company. 

Sometimes, an entire external company can gain access to a file through a link. Or a group or target audience (like the Sales team) may gain access to information that they should not see.  

For example, everyone in the company could access salary information or someone’s private performance improvement plan. Even executive-owned files about company strategy can accidentally be shared with everyone in the organization.

Confidential documents should never have Public links, and permissions should be immediately restricted. 

Access Risk 6: Shared drives and folder access

IT and Security teams face challenges in knowing the exact contents of shared drives, including the files and folders within them. 

An account can be granted access to thousands of documents sitting inside of a shared drive, in minutes. It can be difficult to understand which accounts have access to these sensitive files. 

Often, shared drives contain data that should not be accessed by just anyone. They can be used to organize sensitive information like customer data, contracts, or Human Resources documents. 

Also, in the case of Google Drive, folders may have Public or Company links added to them. This means that any files inside the shared folders could be seen by anyone in the Company or anyone on the internet who has access to the link. 

Access Risk 7: Stale document access

Stale documents come with risks including unintended access to confidential data. For example, 70% of all sensitive data in financial services firms is stale, according to a 2021 data risk report

Often, access risks from stale documents persist for years and can result in legal damages, security breaches, and compliance issues. 

Several US federal laws and regulations deal with data retention, including HIPAA, the Fair Labor Standards Act, and the Employee Retirement and Income Security Act. 

To stay compliant, companies must be aware of how their data is being handled and deleted after certain periods. 

How do you reduce access risks?

  • Identify and classify documents with sensitive data

Find a way to classify confidential information in your company’s cloud collaboration environment. This could be through employing Google or Microsoft labels or having employees use naming conventions for files with sensitive data. 

  • Set the right access permissions

Apply the idea of least privilege to access permissions. For example, do not grant Editor permissions to a file unless truly necessary. Use Viewer or Commentor permissions instead.

  • Investigate any abnormal behavior

You can look through audit logs, or if you’re using Google Workspace, the Security Investigation Tool, to investigate abnormal behavior including unusual copying, printing, or downloading of files. For Microsoft, the SharePoint admin center or Purview can help.

  • Remove all unnecessary personal email accounts from company files

Find and restrict all documents that have been created or shared with personal email accounts. Review any personal email accounts that have been added to shared drives or folders. 

  • Review all external access and permissions

Be aware of all files and folders with external access. This could include outside domains, third-party vendors, and personal email accounts as we mentioned above. Make sure permissions follow the least privilege principles.

  • Review Company links

Make sure files and folders with sensitive information do not have Company links unless absolutely necessary. It’s also advisable to downgrade their permissions to Commentor or Viewer, rather than Editor. 

  • Shut down Public link exposure

Public links on company documents and folders should never be used unless the information can be safely seen by anyone on the internet. If the document or folder has to have a Public link, do not give it Editor permissions. Viewer permissions are the safest option. 

  • Check shared drive and folder access

Know who exactly has access to a company shared drive, including external accounts and collaborators using personal emails. 

Do not put overly sensitive information into shared drives that can be accessed by external users, unless necessary. Do not use Public links on shared folders and use Company-wide links on folders sparingly. 

  • Handle stale files according to your company’s data retention policies

Use your company’s data retention policies to guide how long documents stay in your cloud collaboration environment, or how long external access is allowed. This can be done by following industry regulations and government standards. 

When a document becomes stale, archive them based on your company’s rules. 

Auditing sensitive documents takes unnecessary time and effort. For the best results, the process should be automated so IT and Security teams can focus on their most urgent initiatives. 

A Data Access Governance system streamlines this process and expands it to every single employee while covering all documents in the company’s cloud collaboration environment. 

To learn how to simplify and automate Data Access Governance for your company, visit here

Incredible companies use Nira

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
Former VP of IT at GitLab

Incredible companies use Nira