Top 5 Security Risks of Document Sharing & Collaboration Tools

Document sharing and collaboration can expose your organization to a range of data security risks. From the accidental release of information through sharing with the wrong person to problems created by incorrect lifecycle management – for example, not closing access to former employees, the risks are very real. Here are the top five risk vectors for document sharing and collaboration:

1. Employee error due to lack of training: A recent post on the Compare the Cloud blog pointed out that a new study from cybersecurity company Avast showed only 23% of remote workers had any specific training regarding security on collaboration platforms. Humans are always the weakest link in any security system, but appropriate training can help mitigate that risk.

2. Over-privileging: This sometimes refers to the tendency to give users a higher level of access privileges than they need, usually out of expediency, For example, a partner asks three times in one week for access to documents in the Partner folder and you decide to just give them access to the entire folder so that they stop bugging you. Another example is setting a user as an Admin or even Superadmin, to save support time. Over-privileging is just human nature, but it exposes your organization to serious risks. You can read more about Overprivileged Identities here.

3. Downloading to non-secure devices: Once documents leave your system, they are at risk. When employees and partners store documents on their personal devices, they can be shared inappropriately, resulting in an accidental release of sensitive data like PII (personal identifiable information) or, even worse, a malware infection that might return to infect your system. 

4. Improper lifecycle management: There are two main types of document lifecycle risk. The first is keeping too many documents for too long, which increases storage costs and increases your attack surface. The second is getting rid of documents that might later be important for knowledge management, compliance, or even legal discovery. To learn more about the larger topic of information lifecycle management, you can start here.

5. Vendor access: If you don’t have control over access to your systems, then someone else has access to your infrastructure. If you use a SaaS-based system or non-private cloud infrastructure, your security is only as good as the policies and procedures implemented by your vendor. People assume that SaaS and cloud-based systems all provide the highest levels of protection. Some do and some don’t, and in some cases, security is actually your responsibility – so caveat emptor. Do your homework and ask lots of questions about how your vendor handles security. You can read up on minimum security standards for SaaS and Paas here.