SharePoint Online Security Concerns for 2017
In last week’s webinar, New Security and Information Governance Standards for SharePoint, I asked several hundred SharePoint admins, security managers, and other information governance experts about their SharePoint security and information governance concerns and strategies. The results of this informal poll reflect the dynamics we see among many Metalogix clients.
In short: the vast majority of people acknowledge serious security concerns around how SharePoint safeguards sensitive data, but few are taking a proactive approach to SharePoint security management.
Accidental Exposure of Sensitive Data
Over half of respondents (55%) said their highest SharePoint security concern is accidental exposure of sensitive internal information, like personally identifiable information (PII) and intellectual property. This reflects a growing trend, as previous studies confirm that organizations are increasingly using SharePoint to share and store confidential corporate data, intellectual property, and employee records. Common employee behavior, such as downloading or sharing content, can inadvertently put sensitive data at risk.
Many SharePoint-specific behaviors can easily leave corporate information vulnerable. End users (especially those without adequate SharePoint training) often share content with internal and external users who simply shouldn’t have access. Ad hoc permissions management at the Farm level can also be a major challenge, as end users are quick to break permissions inheritance by assigning other users direct permissions to documents.
Unfortunately, SharePoint does not provide administrators with tools to easily detect and audit permissions changes that may violate a corporate information governance strategy.
SharePoint Auditing Practices
Although most respondents were worried about the security of their SharePoint content, fewer than one third conduct a SharePoint audit on a regular cadence (monthly, quarterly, or annually).
In fact, 54% of respondents said that they audit sensitive data only on an as-needed basis. And 13% NEVER audit sensitive data in SharePoint. This is frightening. How can sensitive information be protected if an organization can’t keep track of where it all is?
Without a proactive plan to set policies for data governance, ensure compliance and flag suspicious behavior, organizations will not know how much sensitive data has been exposed until it is too late.
Plans for the Future
Almost all of the organizations we surveyed do plan to take some action in the new year to improve their SharePoint security. In fact, 82% intend to implement some form of security or information governance changes this year, with 48% planning improvement in the next six months. For some, this means leveraging Microsoft’s Data Loss Prevention (DLP) capabilities within the O365 Security and Compliance Center.
Those who prefer a robust approach to monitoring sensitive data and suspicious user behavior should consider the Metalogix Security and Information Governance solution.
Conventional thinking about corporate information security suggests that only specialized IT security teams should handle an organization’s strategy to safeguard corporate data. SharePoint Administrators and IT teams also play an important part in this process – especially as corporate leaders aim to consolidate ECM and EFSS solutions within SharePoint and O365.
A proactive security approach involves conversations among multiple organizational stakeholders. But getting started is easy! And most importantly: audit your data and users before an incident occurs.
To learn more about Metalogix Security and Information Governance, request a demo.
Jai Dargan is a Senior Director of Product Management at Metalogix, where he directs the strategy for Metalogix’s security and compliance solutions. In this capacity, Jai guides the direction of Metalogix products aimed at securing content collaboration, including ControlPoint, Sensitive Content Manager, and Insider Threat Index. Prior to Metalogix, Jai was a co-founder at Pim Labs, LLC, a startup company (acquired by Metalogix) that built solutions for securing social networks and sensitive content. He holds a master’s degree from Georgetown University and an undergraduate degree from New York University.