Research by Cryptzone shows at least 36 percent of SharePoint users are breaching security policies — and another 9 percent admit they have no idea how to prevent sensitive information from being uploaded.
The study, conducted among attendees at Microsoft’s SharePoint Conference in Las Vegas in March, is a warning to organizations that it is essential to develop adequate information security policies. It further underscores how lack of such policies are putting business critical information at risk.
Earlier this month, Cryptzone, a provider of encryption solutions and identity and access management (IAM), was acquired by Medina Capital, an equity investment firm focused on the IT infrastructure sector.
Data, Data Everywhere
The unsettling reality of the research is that access to business information is pretty much a free-for-all, with users accessing what they want, whenever they want it in organizations that have deployed SharePoint.
The survey (registration required) did not speculate where this information might end up. But it’s a safe bet that a significant portion of lands outside corporate firewalls on unregistered laptops or mobile devices, despite the innocent intentions of those using the information.
But before anyone gets too paranoid, let’s put the issue in perspective. Cryptzone concedes the data is based on a small sample of only about 100 conference attendees.
The respondents were SharePoint professionals, primarily those with technical roles in their organizations, from companies of all sizes. Many of them (41 percent) were from companies with more than 5,000 employees,
The survey was conducted anonymously to determine how organizations are controlling access to SharePoint content and identify the steps they are taking to prevent data from being misused or lost, particularly in light of compliance regulations within their industries.
It’s Not SharePoint: It’s Management
Even though the study represents a small survey from a vast user base, it is worth considering. If the percentages here are extrapolated across the entire SharePoint user set, then there is a significant problem here.
That said, the survey does not point to any inherent security weaknesses in SharePoint itself. Rather, the problem is poor management of both IT and information resources. If this is indeed the case, then it is reasonable to draw the same conclusions about all systems being used by organizations to manage their information, not just SharePoint.
What makes this even worse is that this is a known problem. The survey describes information security issues as common knowledge.
About 19 percent of respondents noted that their companies do not allow sensitive information to be stored in SharePoint. However, nearly a quarter of those respondents said people within their organizations are doing it anyway.
In addition, only 18 percent of enterprises use technical controls to prevent access to sensitive information. Most — 73 percent — rely on written policies or informal understandings with their workforce.
Cryptzone also reports that the biggest security offenders appear to be SharePoint administrators, who are unintentionally abusing their access privileges and putting organizational information at risk.
The kind of information that is being accessed is also noteworthy. Interest in salary details has dropped more than 50 percent in the past year, but interest in insider information and intellectual property has climbed.
There are many possible reasons for this, but one of the hypothesis that Cyrptzone offers is that the recent upswing in the economy has prompted people to go job prospecting again.
This year, a larger number of organizations have started preventing third-party connections to SharePoint. We saw recently that this has as much to do with the technical challenges of extending beyond the firewall as it is a lack of willingness to collaborate or share information with outside contacts. On top of that, over half of respondents (56 percent) reported that mobile access to SharePoint applications and data is an issue within their organizations.
Cryptzone argues that enterprises should establish rule-based encryption and access rights management to automate SharePoint security. It also suggests that encryption and access management should be an integral part of data and should stay with the data whether the data is moved, or changed.
Like all issues around information management, this is something that needs to be addressed by members of the C-Suite — and the sooner, the better.
That means this insider information could make a candidate considerably more interesting than he might be otherwise.