Enabling Google Drive data loss prevention is a must for firms
Free tools such as Google Drive, and numerous other SaaS apps, help us to collaborate like never before. And this is a good thing for business productivity. However, there is a cautionary side to the tale, as Metomic explains in its recent whitepaper on the risks of storing sensitive data in Google Drive. The big takeaway for firms is that enabling Google Drive data loss prevention is a must.
“It’s scary how easy it is to upload sensitive data to Google Drive and share these files and folders with other people – not just within your company, but potentially beyond that too,” writes Metomic, which has developed a data breach finder to check if Google Drive is leaking sensitive information.
Analysis of more than 600 Google Drives revealed that 40% of the scanned files contained sensitive data, which ranged from confidential employee contracts to spreadsheets with passwords. Hundreds of thousands of these files turned out to be accessible to anyone on the Internet. And a large number of these files (18,000) – which Metomic ranked as ‘critical’ – contained highly sensitive data or had permissions that weren’t applied securely.
Fostering a security culture using Google Drive data loss prevention tools
Over time, Metomic’s Google Drive data loss prevention tool – which also works with other SaaS apps such as Slack, Jira, GitHub, MS OneDrive, Trello, Salesforce, and more – establishes what the company refers to as the human firewall. And there are parallels here with how proactive cybersecurity training firms make a lasting impression on users enrolled in their awareness programs.
On TechHQ we’ve written about how cybersecurity training must be more than a one-off event to provide a robust defense against bad actors. And the same goes for keeping data privacy front of mind as companies do business.
Using AI to detect sensitive data automatically, the Google Drive data loss prevention application can block outbound links, emails, or messages, which violate privacy policies. The tool will also notify the sender to flag that it’s found something potentially sensitive, which helps educate staff and establish the so-called human firewall through ongoing training delivered at memorable moments.
The more that staff resonate with an organization’s security culture, the stronger the defense. At the same time, it’s wise to have a safety net to catch errors and mishaps, given that humans are not machines. Staff get tired and can be preyed upon by bad actors, which is why having data loss prevention tools for Google Drive and other SaaS apps is a must-have.
How to set up Google Drive data loss prevention
If the number of available solutions is a measure of the scale of the issue, companies could be facing considerable risk from oversharing business information stored in the cloud.
Examples of DLP solutions –
- GAT (General Audit Tool) labs
- Nightfall AI
- Voltage by OpenText
Google Workspace users can activate data loss prevention policies from the admin console under Security > Data Protection. However, there are a few details worth noting, such as having to wait up to 24 hours for a data loss prevention policy to take effect. Also, larger files may not be scanned in their entirety, with triggers based instead on a portion of the content as well as the title and any labels.
Third-party scanners are able to scour through company assets to look for mentions such as ‘project’, ‘NDA’, and a huge number of other tell-tale signs that information is sensitive in nature. Labels can then be added to documents (and other file types) to help Google Drive and other data loss prevention tools keep business details in the right hands.
Four steps that firms can take to secure their SaaS data
Metomic’s advice to companies, based on the contents of its whitepaper, is as follows:
- Tighten access controls.
- Implement multi-factor authentication (so that even if staff are duped by a phishing scam, losing a password doesn’t give adversaries the keys to the kingdom).
- Build the human firewall by fostering a security culture through training delivered at the most memorable moments.
- Include a DLP tool in the data privacy and security workflow.
Done right, locking down data doesn’t have to get in the way of employees being able to do their jobs. For example, picking up on the human firewall theme, security reminders can help staff to make a habit of not sharing public links and switch to adding email-based read permissions instead.
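To make the keyword scanning and the move away from public links concrete, here is an added example (not from the article, Metomic, or Google) that audits file metadata shaped like Drive API v3 file resources. The sample records, the keyword list beyond 'project' and 'NDA', the scoring, the 'sensitive' label name, and the action names in the plan are all assumptions; the actions describe what an administrator would do (remove the 'anyone' permission, add named readers, label the file) rather than calling any API.

```python
import re

# Constructed sample metadata shaped like Drive API v3 file resources
# (id, name, permissions[] with id/type/role). Not real data.
SAMPLE_FILES = [
    {"id": "f1", "name": "Supplier_NDA_signed.pdf", "permissions": [
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader"},
        {"id": "p1", "type": "user", "role": "owner"}]},
    {"id": "f2", "name": "Project Falcon budget.xlsx", "permissions": [
        {"id": "p2", "type": "domain", "role": "writer"}]},
    {"id": "f3", "name": "Team agenda.docx", "permissions": [
        {"id": "anyoneWithLink", "type": "anyone", "role": "reader"}]},
]

# 'project' and 'NDA' are the article's examples; the other terms are assumed.
# Letter lookarounds (not \b) so "Supplier_NDA_signed" hits and "agenda" does not.
KEYWORDS = re.compile(r"(?<![a-z])(project|nda|passwords?|contract)(?![a-z])", re.I)

def audit(files, readers=None):
    """Flag keyword hits and public links; return findings, worst first.

    readers maps file id -> e-mail addresses that should keep read access
    once the public link is removed (supplied by the data owner).
    """
    readers = readers or {}
    findings = []
    for f in files:
        hits = sorted({m.lower() for m in KEYWORDS.findall(f["name"])})
        public = [p for p in f.get("permissions", []) if p.get("type") == "anyone"]
        if not (hits or public):
            continue
        plan = [("delete_permission", f["id"], p["id"]) for p in public]
        if public:  # swap the link for named, read-only access
            plan += [("create_permission", f["id"],
                      {"type": "user", "role": "reader", "emailAddress": e})
                     for e in readers.get(f["id"], [])]
        if hits:
            plan.append(("apply_label", f["id"], "sensitive"))  # hypothetical label name
        score = 2 * bool(hits) + bool(public)  # assumed ranking: 3 = sensitive and public
        findings.append({"id": f["id"], "name": f["name"], "keywords": hits,
                         "public": bool(public), "score": score, "plan": plan})
    return sorted(findings, key=lambda r: -r["score"])

if __name__ == "__main__":
    for row in audit(SAMPLE_FILES, {"f1": ["legal@example.com"]}):
        print(row["score"], row["name"], row["plan"])
```
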
As good data privacy practice becomes second nature, and with the right tools in place, tasks shouldn’t take any longer to complete. And if they do, it might be worth shopping around for a different security solution.
Richard Vibert, CEO and co-founder of Metomic, is a panellist in ‘The SaaS Security Paradox: Balancing Productivity with Data Security’ – one of the upcoming afternoon sessions at Black Hat Europe 2023. And for those unable to attend, he’s shared his top five data security predictions for the year ahead.
“It’s a difficult balance to maintain and manage a large-scale SaaS ecosystem,” Vibert points out. “On one hand, you want to make sure your employees have the technology tools they need to be as productive as possible, but you also must monitor these platforms to make sure sensitive data—things like personally identifiable information (PII), login credentials or confidential company information—are not flooding into collaborative work tools, or being stored there for too long, putting company data at risk.”
He predicts that CISOs will demand better visibility over where sensitive data is being shared and stored in SaaS applications. Also, as data security becomes ever more important in an organization’s overall security strategy, Vibert sees data security posture management adoption rates climbing.
Tools will increasingly help businesses visualize high-level risk behavior as well as educate teams on safer ways of sharing data. Plus, approaches will encompass generative AI platforms so that proprietary data remains within the guardrails and companies don’t inadvertently overshare their business intentions.