How To Secure Links In Google Workspace
One of the easiest and fastest ways to share Google Workspace documents is through links.
Just click a button, and boom, suddenly documents can be shared using a link across a variety of tools. It’s become sharing muscle memory.
Links to documents are constantly dropped into tools like Slack, GitHub, Trello, and even publicly on the web using social media, on websites, or in Google’s search engines.
Links are one of the most popular ways of sharing because they are incredibly fast to create and send. No thinking about exactly who needs access, no typing in names and hitting buttons in confirmation modals. In just a few clicks, the person sharing can get a document to the people who need it.
This type of sharing can lead to Access-Risk issues, as links with sensitive information may be made visible to anyone on the internet or anyone in the company.
We’ll go over different types of links and permissions and how to keep your sensitive information safe by securing links in Google Workspace.
Guide to Link Types
When employees create documents in Google Workspace, they are able to select from three different link types: Restricted, Anyone at the company, and Public.
Employees will also be able to further determine if the people who access the documents using the link will be Editors, Viewers, or Commenters.
Restricted: This type of link allows only people or groups whose email addresses have been added as collaborators to access the file, folder, or shared drive, as long as they are logged into their Google account.
Company: This type of link allows anyone at the company to access the file or folder, as long as they are logged into Google with their company email.
Public: This type of link allows anyone on the internet with the link to access the file or folder. They don’t need to be signed in to a Google account to access the file or folder.
Guide to Permission Types
Viewer: The person or account can view the file but cannot make comments or edit it. Viewers cannot share the item with others and cannot see who else has access to the item.
Commenter: The person or account can view the item and make comments on it, but they cannot edit. Commenters are also unable to share the item with others or change sharing permissions.
Editor: The person or account can view, make comments, and edit the item. They can also share it with others and allow them to edit, comment, or view the item. Editors are also able to share the item with others and change sharing permissions.
Owner: The person who creates the item is usually the owner. However, ownership can be transferred from the creator to other parties who then control its access permissions. Owners are able to view, comment, edit, move the item, and set sharing permissions for other users. You can learn more about transferring ownership in chapter 5 of our free ebook.
In the next few sections, we’ll learn more about Company and Public links. This includes security issues, what employees need to know, and how different departments should use these link types.
What Security Risks Come with Links?
Company link Access-Risks
Company links grant access to anyone in your company, and when employees use this link setting, it can have unintended security consequences.
Suddenly, everyone in the company can access salary information or someone’s private performance improvement plan. Even confidential executive-owned files about company strategy can accidentally be shared with everyone in the organization.
And even though documents might start out as accessible to people at your company, if everyone in the company has Editor-level access, they could still share with personal accounts or external accounts. You can learn more about this in our free ebook on document security in Google Workspace.
We’ve learned that Company links are misused more often than people think. It’s common for companies to not realize that confidential documents are accessible by anyone within the company.
So when should Company links be used? Only when documents or folders are meant for consumption by everyone in the entire company. For example, a holiday schedule should have a Company link, as should all compliance policies that employees agree to each year and need to look back on.
When shouldn’t they be used? Whenever the contents of the documents and folders are not meant to be shared with everyone in the entire company. That’s because it’s easier than ever to share document links within collaboration tools like Slack or Teams, and then suddenly, sensitive documents can spread like wildfire.
For example, severance information should not be available to anyone in the company and should be restricted to only those who need to see it. The same goes for customer contracts or employee offer letters. But this doesn’t always happen.
For this reason, departments that tend to create more confidential information such as Finance, Legal, or Human Resources, will need to be extra careful when using Company links.
They may need to share something with the whole company, like vacation policies, but they should grant everyone in the company Viewer or Commenter access rather than Editor access. Other documents, especially those with sensitive information like salaries, should always be restricted and locked down.
For best security practices, finance documents should never have Company links, with the exception of documents that need to be distributed widely.
And if an employee is sharing something like a budget proposal with the rest of their department, it is best to assign Viewer or Commenter access only, so that team members can’t accidentally share with external parties or personal accounts.
However, this method may be unrealistic as Finance departments often need to collaborate cross-functionally.
One way to safely do this is through Groups, where you can limit how sensitive or confidential information is shared (see our free ebook for more).
To sum it up, any departments that primarily work on confidential information should limit their use of Company links.
Here’s What Employees Should Know
- Company links should be used sparingly.
- Confidential documents should never have Company links.
- Company links should only be used when a document needs to be viewable by every employee in the company.
- For documents meant to be shared with specific people in the company, employees should add those people’s emails as collaborators and make sure the document is restricted to only those people.
- When adding Company links to documents, employees should select the least access privileges that people need. For example, only people who need to edit a document should get Editor access. Others should receive Commentor or Viewer access.
Public link Access-Risks
Just like Company links have become muscle memory for sharing documents within a company, Public links are the easiest, fastest way to share documents and folders externally. That’s exactly why they are so risky.
Companies should use Public links sparingly, even when working with vendors.
A Public link on a document means that anyone on the internet can see the document, and they don’t even need to log in to a Google account.
If the Public link allows Editor access, anyone who views it can also make changes to the document or sharing permissions—meaning they can invite other accounts to collaborate on the document.
The best rule is that documents can have Public links if the information in the documents or folders is not confidential and can be made public without any implications for the company.
For example, Lydia from the Content team needs to quickly share a document with a freelance writer that the company has contracted.
She’s been communicating with the writer through the company’s external Slack channel and quickly drops the link in a direct message for the writer to access. The writer messages her asking for editing permissions so they can get to work.
Rather than adding the writer’s email to the document, Lydia changes their access to “Anyone with the link” and sets it to Editor. The company document is now open to anyone on the internet to view, edit, or change sharing permissions as they wish.
If the contents of the document are not confidential and there would be no issues if anyone on the internet saw the document, then this use of Public links would be unnecessary but fine. However, if Lydia was working with the freelancer on a critical future announcement like an acquisition or a secret new feature, then using a Public link would be very risky.
When it comes to departments, some should use Public links sparingly, while others should never use them at all.
For example, most documents created by executive leadership teams should not have Public links, while Marketing might have more reasons to use them.
Meanwhile, departments like Finance, HR, and Legal should not use Public links except under exceptional circumstances or for very specific reasons (like during recruiting).
Here’s What Employees Should Know
- Public links should be the least frequently used type of link.
- Confidential documents should never have Public links.
- Public links should only be used when anyone on the internet should be able to access the document and when there would be no repercussions to the company.
- Always use Public links with caution, even when working with trusted vendors or contractors.
- When adding Public links to documents, do not allow Editor permissions unless anyone on the internet should be able to edit or change the document. It’s better to give Commenter or Viewer access instead.
The ability to quickly restrict access and permissions on all link types can be done through an access control system like Nira. To request your demo or get a free risk assessment, visit here.