Personal account access to company documents is a hidden problem for most companies that use cloud collaboration tools like Microsoft OneDrive or Google Drive.
Sharing files is as simple as sending a link, and personal email accounts that shouldn’t have access to confidential documents can be added without IT teams knowing. In fact, over half of employees admit that they or a coworker have accidentally added their personal email accounts to company documents.
These personal email accounts usually have fewer protections than corporate accounts: the company cannot enforce MFA, password policy or device requirements on them, and they are not disabled when the employee leaves. That leads to outsized security risk and headaches for admins. For example, a personal account could keep access to a company file for months or years after the employee who owned it has left the organization.
IT and Security teams have little to no visibility into this access, and fixes take up valuable time and resources.
How can companies solve the problem of access to company data from personal accounts? Below, we break down how to mitigate the risk.
Understand the scope of the problem
Identify risks through full visibility of personal account access
To resolve issues with personal account access, companies must first understand the scope of their risks. With the right process and tooling, this inventory can be largely automated and should take little manual effort.
Here are a few of the risk areas to get visibility on:
- The high-level state of personal account access
  - How many items are shared outbound with personal accounts?
  - How many items are shared inbound to the company by personal accounts?
- Sharing with personal accounts
  - Identify every personal account that has access to company documents.
  - Understand exactly which company documents these personal accounts have access to, and with what role (viewer, commenter, editor).
  - Review the personal accounts with the riskiest sharing, for example those that can reach the most items or that hold editor access on sensitive ones.
- Sharing by personal accounts
  - Identify every personal account that owns company documents and has shared them with employees.
  - Understand exactly which documents these accounts have shared with employees. These documents live outside the company tenant, so the company's admin controls (retention, DLP, offboarding) do not reach them.
  - Review the personal accounts that own the most items, and understand their risk.
- Stale access
  - Get a sense of how much personal account sharing is on documents that haven't been worked on in years. For example, documents with personal access that haven't been modified in one, three, or five years.
- Confidential access
  - Review personal account access to understand whether any confidential documents are affected. For this purpose, confidential documents can be defined as documents with certain keywords in the title or owned by users in specific organizational units (such as finance or legal). Keyword matching is a coarse heuristic that produces both misses and false positives; where the platform offers classification labels or DLP findings, use those as an additional signal.
- Employee access
  - Assess whether current or former employees have shared company documents with their personal accounts.
  - Understand whether current or former employees have created company documents on their personal accounts and shared them with the company.
To solve this problem, use a tool that provides comprehensive visibility into all of the above risk areas.
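As an added example (not code from this page or from Nira's product), the following Python script computes the inventory described above from Drive-style file metadata. The company domain, the list of consumer-mail domains treated as personal, the confidential keywords and org units, the pinned "today" date, the self-share heuristic and the file records are all constructed assumptions; a real run would feed it the output of a Drive API v3 files.list call with the permissions field requested, or an equivalent file listing from GAM.

```python
from datetime import datetime, timezone

# Assumed tenant settings (not from the page): tune for your organization.
COMPANY_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "live.com", "yahoo.com", "icloud.com", "me.com", "proton.me"}
CONFIDENTIAL_KEYWORDS = ("confidential", "salary", "contract", "nda", "board")
CONFIDENTIAL_OWNER_OUS = {"/Finance", "/Legal"}
USER_OUS = {"dana@example.com": "/Finance", "sam@example.com": "/Engineering",
            "lee.chen@example.com": "/Sales", "priya@example.com": "/Marketing"}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # pinned so the report is reproducible

# Constructed sample in the shape of Drive API v3 file records (not real data).
FILES = [
    {"id": "f1", "name": "2021 Salary Bands", "modifiedTime": "2022-03-02T10:00:00Z",
     "owners": [{"emailAddress": "dana@example.com"}],
     "permissions": [{"id": "p1", "type": "user", "role": "writer", "emailAddress": "dana.k.1987@gmail.com"},
                     {"id": "p2", "type": "user", "role": "reader", "emailAddress": "bob@example.com"}]},
    {"id": "f2", "name": "Q2 Roadmap", "modifiedTime": "2024-05-20T09:00:00Z",
     "owners": [{"emailAddress": "sam@example.com"}],
     "permissions": [{"id": "p3", "type": "user", "role": "reader", "emailAddress": "consultant@partner.io"}]},
    {"id": "f3", "name": "Vendor Contract NDA draft", "modifiedTime": "2023-09-10T15:30:00Z",
     "owners": [{"emailAddress": "lee.chen@example.com"}],
     "permissions": [{"id": "p4", "type": "user", "role": "reader", "emailAddress": "freelancer42@yahoo.com"}]},
    {"id": "f4", "name": "Team Offsite Photos", "modifiedTime": "2019-11-01T12:00:00Z",
     "owners": [{"emailAddress": "priya@example.com"}],
     "permissions": [{"id": "p5", "type": "user", "role": "reader", "emailAddress": "cousin.raj@hotmail.com"},
                     {"id": "p6", "type": "anyone", "role": "reader"}]},
    {"id": "f5", "name": "Onboarding checklist", "modifiedTime": "2024-01-15T08:00:00Z",
     "owners": [{"emailAddress": "alexbrown@gmail.com"}],
     "permissions": [{"id": "p7", "type": "user", "role": "writer", "emailAddress": "alex@example.com"}]},
    {"id": "f6", "name": "Board Deck Oct 2020", "modifiedTime": "2020-10-05T11:00:00Z",
     "owners": [{"emailAddress": "dana@example.com"}],
     "permissions": [{"id": "p9", "type": "user", "role": "reader", "emailAddress": "dana.k.1987@gmail.com"}]},
]

def is_personal(email):
    return email.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS

def is_internal(email):
    return email.rsplit("@", 1)[-1].lower() == COMPANY_DOMAIN

def age_days(record):
    modified = datetime.fromisoformat(record["modifiedTime"].replace("Z", "+00:00"))
    return (NOW - modified).days

def is_confidential(record):
    # Title keywords are a coarse heuristic ("nda" also hits "standard"); the owner's OU is a second signal.
    owner = record["owners"][0]["emailAddress"]
    return (any(k in record["name"].lower() for k in CONFIDENTIAL_KEYWORDS)
            or USER_OUS.get(owner) in CONFIDENTIAL_OWNER_OUS)

def looks_like_self_share(owner, personal):
    # Assumed heuristic: the corporate local part is embedded in the personal address
    # (dana@example.com -> dana.k.1987@gmail.com). Short local parts are skipped; confirm hits with HR.
    local = owner.split("@")[0].lower()
    return len(local) >= 4 and local in personal.split("@")[0].lower()

def user_perms(record):
    return [p for p in record.get("permissions", []) if p.get("type") == "user" and p.get("emailAddress")]

def personal_access_report(files):
    rep = {"outbound_items": 0, "inbound_items": 0, "stale_1y": 0, "stale_3y": 0,
           "confidential": 0, "self_share_grants": 0, "by_account": {}, "findings": []}
    acct = lambda email: rep["by_account"].setdefault(email.lower(), {"owns": 0, "has_access_to": 0})
    for f in files:
        owner = f["owners"][0]["emailAddress"]
        if is_personal(owner):
            # Inbound: a personal account owns the document and shared it with employees.
            if any(is_internal(p["emailAddress"]) for p in user_perms(f)):
                rep["inbound_items"] += 1
                acct(owner)["owns"] += 1
            continue
        personal = [p for p in user_perms(f) if is_personal(p["emailAddress"])]
        if not personal:
            continue
        rep["outbound_items"] += 1
        days = age_days(f)
        stale1, stale3, conf = days >= 365, days >= 3 * 365, is_confidential(f)
        rep["stale_1y"] += stale1
        rep["stale_3y"] += stale3
        rep["confidential"] += conf
        for p in personal:
            acct(p["emailAddress"])["has_access_to"] += 1
            self_share = looks_like_self_share(owner, p["emailAddress"])
            rep["self_share_grants"] += self_share
            rep["findings"].append({"file": f["id"], "account": p["emailAddress"].lower(), "role": p["role"],
                                    "age_days": days, "stale_1y": stale1, "stale_3y": stale3,
                                    "confidential": conf, "self_share": self_share})
    return rep

def riskiest_accounts(rep, n=3):
    """Personal accounts ranked by how many company items they can reach."""
    return sorted(rep["by_account"].items(), key=lambda kv: -kv[1]["has_access_to"])[:n]

if __name__ == "__main__":
    report = personal_access_report(FILES)
    print({k: v for k, v in report.items() if k not in ("by_account", "findings")})
    print(riskiest_accounts(report))
```

The per-grant `findings` list is what an analyst would pivot on (by account, by owner, by age); the counters give the high-level state the text asks for first. Note that `type: anyone` link grants are deliberately ignored here because they are a separate risk class from named personal accounts.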
Create clear policies
Get stakeholder approval and ensure all employees understand security policies
Once a company has visibility into its personal account risk, it can begin creating policies. In our experience, policy creation is a process that requires conversations with key stakeholders, and, depending on a company’s size, a formal approval process.
Once policies have been aligned and approved, it’s important to make sure employees fully understand the policies they’ll be expected to abide by.
One example of a policy might be “Employees should not create company documents with their personal accounts.” Employees should understand that this behavior is not allowed, and should either delete company documents that were accidentally created with their personal accounts or transfer these documents to their work accounts.
Another clear policy is “Personal account access should be removed after documents haven’t been modified in 90 days.” After the 90-day period, personal account access would automatically be removed, so personal accounts do not retain access for months or even years. Automated removals should be logged and the document owner notified, so that a legitimate collaborator can be re-added deliberately rather than silently losing access.
Companies could also set a policy saying “Employees should not share company documents with their personal accounts.” This would help employees understand that this behavior is against policy and risky.
When companies have clear policies, and employees are included in the security process, it helps reduce IT administrative burden and keeps protocols concerning personal accounts transparent and defined.
Educate and empower employees
Train employees and delegate processes to end-users to create a culture of security
Another key step to keeping company information secure is to train employees on risks and issues related to personal accounts. It’s vital to help employees first understand the problems so that they can take part in solutions.
For example, train employees to use a separate work profile in browsers like Chrome so that work passwords and bookmarks are not synced to a personal Google account. Make sure they have resources that explain the importance of MFA and how to recognize phishing attempts.
They should also understand the importance of not sharing with personal accounts and the risks of that type of sharing.
Employees are a key asset when it comes to data security, and with the proper education, they can keep vital company information safe.
In fact, employees want to take security into their own hands and contribute. When asked who is responsible for securing access to the documents they create at work, 55% said that they themselves were.
Providing employees with visibility into their own sharing behavior is an essential part of security education. We’ve found that once employees see their sharing footprint, they are surprised by how much stale vendor access, personal account access and overly broad “anyone with the link” sharing exists on their documents. Once they see their accidental oversharing, they become much more conscious of cloud permissions.
An ideal solution will provide employees with the visibility and remediation capabilities they need to keep data secure and allow admins to delegate specific tasks to end users. This lets employees quickly remediate issues and creates a culture of security in the organization where everyone can be part of the process.
Remediate problems and automate processes
Quickly fix issues through simple investigations and bulk remediation actions
A key step in the journey is cleaning up personal account access. However, without the right tooling and processes, this often takes lots of time and bandwidth for IT and Security teams.
Organizations can use command-line tools such as GAM (for Google Workspace) to script remediation, but these tools take time and technical experience, and they are often limited in the visibility they provide and in how easily findings can be turned into actions.
Rather than spending hours or days of administrative time to partially fix issues, companies need a tool that will allow them to easily find problems related to personal accounts and then take bulk actions to immediately remediate them.
We’ve found the best method to focus on first during cleanup is easy-to-fix, low-hanging fruit. For example, removing all stale personal account access. Once this first swath of cleanup is complete, organizations can dig in and remediate the tougher problems.
The right set of processes and tools should allow companies to clean up personal account access in a matter of minutes.
Efficiently automate the process to match policies and lower administrative burden
Organizations today are struggling to control risks associated with document access from personal accounts. One of the top reasons is the amount of time it takes to identify and investigate issues and then take remediation steps.
Automating policies is a key step in an organization’s journey to reduce personal account access risk. This will help organizations stay secure and compliant, without wasting precious time on administrative tasks.
Common automations we see include:
- Removing all stale personal account access (e.g. not modified in one year) automatically.
- Instantly removing personal account access from confidential documents.
- Ensuring that employees are not sharing documents with their personal accounts.
- Recurring employee reviews to remove personal account access on the documents they own.
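As an added example (again not code from this page or from Nira), here is a small Python policy engine that turns the automations above into a remediation plan. Rules are evaluated in order: confidential access first, then employee self-shares, then the 90-day stale rule from the policy section; any personal-account grant that matches none of them is queued for the document owner's recurring review. Removals run through an injected callable, so the plan can be approved in dry-run mode before anything is deleted. The domains, keywords, org units, pinned date and sample records are constructed, and wiring the remover to the Drive API v3 permissions.delete method is an assumption that is not shown.

```python
from datetime import datetime, timezone

# Assumed policy settings (not from the page): tune for your organization.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com",
                    "live.com", "yahoo.com", "icloud.com", "me.com", "proton.me"}
CONFIDENTIAL_KEYWORDS = ("confidential", "salary", "contract", "nda", "board")
CONFIDENTIAL_OWNER_OUS = {"/Finance", "/Legal"}
USER_OUS = {"lee@example.com": "/Legal", "dana@example.com": "/Sales", "sam@example.com": "/Engineering"}
STALE_DAYS = 90                                   # the 90-day policy from the text
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # pinned so the plan is reproducible

# Constructed sample in the shape of Drive API v3 file records (not real data).
SAMPLE_FILES = [
    {"id": "g1", "name": "M&A memo", "modifiedTime": "2024-05-28T10:00:00Z",
     "owners": [{"emailAddress": "lee@example.com"}],
     "permissions": [{"id": "q1", "type": "user", "role": "reader", "emailAddress": "advisor.mike@gmail.com"}]},
    {"id": "g2", "name": "Customer list export", "modifiedTime": "2024-01-10T10:00:00Z",
     "owners": [{"emailAddress": "dana@example.com"}],
     "permissions": [{"id": "q2", "type": "user", "role": "writer", "emailAddress": "dana.k.1987@gmail.com"}]},
    {"id": "g3", "name": "Hackathon ideas", "modifiedTime": "2024-02-15T10:00:00Z",
     "owners": [{"emailAddress": "sam@example.com"}],
     "permissions": [{"id": "q3", "type": "user", "role": "commenter", "emailAddress": "buddy99@outlook.com"}]},
    {"id": "g4", "name": "Launch plan", "modifiedTime": "2024-05-15T10:00:00Z",
     "owners": [{"emailAddress": "sam@example.com"}],
     "permissions": [{"id": "q4", "type": "user", "role": "reader", "emailAddress": "designer.x@icloud.com"},
                     {"id": "q5", "type": "user", "role": "writer", "emailAddress": "priya@example.com"}]},
]

def is_personal(email):
    return email.rsplit("@", 1)[-1].lower() in PERSONAL_DOMAINS

def is_confidential(record):
    owner = record["owners"][0]["emailAddress"]
    return (any(k in record["name"].lower() for k in CONFIDENTIAL_KEYWORDS)
            or USER_OUS.get(owner) in CONFIDENTIAL_OWNER_OUS)

def looks_like_self_share(owner, personal):
    # Assumed heuristic: corporate local part embedded in the personal address; verify with HR before acting.
    local = owner.split("@")[0].lower()
    return len(local) >= 4 and local in personal.split("@")[0].lower()

def age_days(record):
    return (NOW - datetime.fromisoformat(record["modifiedTime"].replace("Z", "+00:00"))).days

# Rules are evaluated in order; the first match decides the reason for automatic removal.
RULES = [
    ("confidential", lambda f, p: is_confidential(f)),
    ("employee_self_share", lambda f, p: looks_like_self_share(f["owners"][0]["emailAddress"], p["emailAddress"])),
    (f"stale_{STALE_DAYS}d", lambda f, p: age_days(f) >= STALE_DAYS),
]

def build_plan(files):
    """One action per personal-account grant: automatic 'remove' with the matched reason,
    or 'review' queued to the document owner when no automatic rule applies."""
    plan = []
    for f in files:
        owner = f["owners"][0]["emailAddress"]
        for p in f.get("permissions", []):
            if p.get("type") != "user" or not is_personal(p.get("emailAddress", "")):
                continue
            reason = next((name for name, matches in RULES if matches(f, p)), None)
            plan.append({"file_id": f["id"], "permission_id": p["id"], "account": p["emailAddress"],
                         "owner": owner, "action": "remove" if reason else "review",
                         "reason": reason or "owner_review"})
    return plan

def apply_plan(plan, remover, dry_run=True):
    """Execute the 'remove' actions through remover(file_id, permission_id). In production that
    callable would wrap Drive API v3 permissions.delete (assumed, not shown); with dry_run=True
    nothing is called and the would-be removals are returned for sign-off."""
    removals = [a for a in plan if a["action"] == "remove"]
    if not dry_run:
        for a in removals:
            remover(a["file_id"], a["permission_id"])
    return removals

def in_memory_remover(files):
    """Test double: drops the permission from the in-memory records."""
    by_id = {f["id"]: f for f in files}
    def remove(file_id, permission_id):
        by_id[file_id]["permissions"] = [p for p in by_id[file_id]["permissions"] if p["id"] != permission_id]
    return remove

if __name__ == "__main__":
    for action in build_plan(SAMPLE_FILES):
        print(action["action"], action["file_id"], action["account"], action["reason"])
```

The dry-run step matters more than it looks: the self-share and confidential checks are heuristics, so the planned removals should be reviewed (and logged with their reason) before the remover is wired to a live API, and the `review` items are exactly the list a recurring owner review should be built from.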
Unauthorized or accidental access by personal accounts is one of the biggest risks companies deal with when keeping their sensitive data safe. And creating a culture of security and protecting company documents from this risk is not a simple task.
At Nira, we’ve created a tool that allows our customers to quickly identify and fix access risks, efficiently automate remediation, and easily educate employees so that security becomes streamlined and simple. To learn about Nira or understand more about personal account access, go here.