Why Third-Party Risk on Google Drive Should Be a #1 Concern
Sharing Google Workspace files with clients and partners feels like a normal part of doing business – especially as so many companies move to remote work. However, each time you share a file with someone outside of your organization, you increase what’s known as third-party risk.
Third-party risk can expose your business to a range of security incidents, including IP theft, phishing, malware infection, and data exfiltration. In 2019, LabCorp and Quest Diagnostics were the victims of third-party data breaches that exposed more than 19 million records, collectively, including names, birthdates, addresses, and phone numbers. The attacker got in through American Medical Collection Agency (AMCA), a billing-collections vendor used by both companies.
Google Drive's sharing model makes it particularly exposed to third-party risk. Here's what users need to know about third-party risk on Google Drive, as well as some tactics to help you maintain strict governance on this platform.
What is third-party risk?
Third-party risk in cybersecurity describes the potential threat to an organization’s data that increases as a result of sharing documents, financial information, and user access to those outside of the company. An organization’s supply chain partners, for instance, may have authorized access to the company’s customer database or financial records. But, unfortunately, these partners may not have the same security standards, protocols, and tools in place to protect this information.
What does this look like in practice? Take the case of Target: in 2013, attackers stole network credentials from Target's HVAC vendor, Fazio Mechanical Services, and used that vendor account to reach Target's vendor-facing web services. From there they moved into the retailer's network and exfiltrated payment card and customer data.
Third-party risk exists in myriad forms. Any time you share a document through email or add an outside contractor to your Slack channels, you start to incur some level of third-party risk. Few employees are aware, however, of the risks associated with sharing documents and other files with external parties on Google Drive.
Third-party risk in Google Drive
Google Drive’s popularity is due, in part, to how easy the platform makes it to share and collaborate – as well as how easily it integrates with Gmail and other Google apps. File-sharing is very user-friendly, and as a result, many employees disregard sharing permissions and other settings designed to protect business-critical data and files from leaking outside the organization. Help Net Security reported in February that the easy-sharing features of Google Drive and other cloud-based tools result in many instances of unauthorized access:
- 73% of employees have access to data they didn’t create
- 69% can view data to which they didn't contribute
- 59% can see data from other departments
These stats illustrate how freely data is shared within an organization, and one can reasonably infer that the problem is just as pervasive, if not more so, with third-party partners.
"The risks of data leak are highest when users create publicly accessible links with full rights, which allow anyone with the file link to read, modify, copy, print or download the document," said Comparitech. "One of the security trade-offs that results from the convenience that comes with link sharing is that your supposedly private Google Drive files can be easily discovered and exposed."
Awareness of third-party risk in Google Drive is the first step to mitigating that threat. Here are some steps you can take to minimize the risk of your data being exposed through a partner or vendor outside of your organization.
How to lower third-party risk in Google Drive
You can’t control how another company decides to implement and enforce their own internal cybersecurity standards. You can, however, take measures on your side to protect user information. Here are some steps you can take to keep your data safe on Google Drive.
Adopt the “principle of least privilege”
The principle of least privilege (PoLP) means each user is granted only the minimum access needed to do their job. Applied to Google Drive, a file is shared only with the people who need it, and each grant is set to the lowest role that lets them do their work (Viewer, Commenter, or Editor) rather than the highest role available. This does require some behavior change: when you add a collaborator in the sharing dialog for Docs, Sheets or Slides, the role defaults to Editor. Train your employees to choose the least privileged option when they share a file outside the organization, which is normally Viewer or Commenter, and to remove the grant once the engagement ends.
There are two ways to share a Google document: individual sharing and link sharing. Wherever possible, use individual sharing. With link sharing set to "Anyone with the link", anyone who obtains the URL can open the file without signing in, so the file is only as private as every copy of that link. The domain-restricted link option is narrower, but it still grants access to everyone in your organization rather than to the specific people who need it.
As one expert writes, “Google Docs link sharing is a privacy disaster. Even if you’re careful to only share the link to the document with relevant people, there are several ways that uninvited people can get access to your Google Doc. For instance, when you click on a link in the text of the Google Doc, the analytics system of the website you’re redirected to will register your document’s URL. The owner will then be able to open your Google Doc.”
Individual sharing is a much safer option. Individual sharing requires that you explicitly give access to each user who should have access to the document by adding their email address. This process also gives you an opportunity to set their permission levels – and more effectively implement PoLP.
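Checking whether existing files actually follow these rules means auditing their permission lists. The script below is an added example written for this article, not Nightfall's product code and not Google's. It classifies Drive sharing grants against PoLP: "anyone" links and external edit grants are flagged high, external view/comment grants and whole-partner-domain grants are flagged for review. The org domain `example.com`, the `SAMPLE_FILES` records (built by hand in the shape of a Drive v3 `files.list` response with the `permissions` field) and the `fetch_drive_files` helper are assumptions for illustration; the helper shows the real `files().list` call you would make with google-api-python-client once you have an authenticated `service` object.

```python
"""Audit Google Drive sharing grants for least-privilege violations.

Works on file records shaped like the Drive v3 API's files.list response
(with the `permissions` field requested). SAMPLE_FILES below is constructed
for illustration; fetch_drive_files() shows how to pull real records.
"""
from dataclasses import dataclass

ORG_DOMAIN = "example.com"  # assumption: your Google Workspace domain

# Roles that allow modifying the file (Drive v3 role names).
WRITE_ROLES = {"owner", "organizer", "fileOrganizer", "writer"}

# Constructed sample records, not real data.
SAMPLE_FILES = [
    {"id": "f1", "name": "Q3 board deck", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False},
    ]},
    {"id": "f2", "name": "Vendor SOW", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "legal@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "pm@vendor.example"},
    ]},
    {"id": "f3", "name": "Customer list", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "sales@example.com"},
        {"type": "domain", "role": "reader", "domain": "partner.example"},
    ]},
    {"id": "f4", "name": "Team notes", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "eng@example.com"},
        {"type": "user", "role": "commenter", "emailAddress": "contractor@agency.example"},
    ]},
]


@dataclass
class Finding:
    file_id: str
    name: str
    severity: str  # "high" or "medium"
    reason: str


def classify_permission(perm, org_domain=ORG_DOMAIN):
    """Return (severity, reason) for a risky grant, or None if it stays in-org."""
    ptype, role = perm.get("type"), perm.get("role")
    if ptype == "anyone":
        # allowFileDiscovery=True means indexed/public; False is "anyone with the link".
        scope = "public on the web" if perm.get("allowFileDiscovery") else "anyone with the link"
        return "high", f"{scope}, role={role}"
    if ptype == "domain":
        dom = (perm.get("domain") or "").lower()
        if dom != org_domain:
            sev = "high" if role in WRITE_ROLES else "medium"
            return sev, f"whole external domain {dom}, role={role}"
        return None
    if ptype in ("user", "group"):
        email = perm.get("emailAddress", "")
        dom = email.rsplit("@", 1)[-1].lower()
        if dom != org_domain:
            if role in WRITE_ROLES:
                return "high", f"external {ptype} {email} can edit (role={role})"
            return "medium", f"external {ptype} {email} has role={role}"
    return None


def audit_files(files, org_domain=ORG_DOMAIN):
    """Walk every grant on every file and collect PoLP findings."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            verdict = classify_permission(perm, org_domain)
            if verdict:
                findings.append(Finding(f["id"], f["name"], *verdict))
    return findings


def fetch_drive_files(service, page_size=100):
    """Pull live records from Drive v3; `service` is the object returned by
    googleapiclient.discovery.build('drive', 'v3', credentials=...)."""
    fields = ("nextPageToken, files(id, name, "
              "permissions(id, type, role, emailAddress, domain, allowFileDiscovery))")
    files, token = [], None
    while True:
        resp = service.files().list(fields=fields, pageSize=page_size,
                                    pageToken=token).execute()
        files.extend(resp.get("files", []))
        token = resp.get("nextPageToken")
        if not token:
            return files


if __name__ == "__main__":
    for fd in audit_files(SAMPLE_FILES):
        print(f"[{fd.severity.upper()}] {fd.name} ({fd.file_id}): {fd.reason}")
```

Run against the sample, the board deck and the vendor SOW come back high (an open link with edit rights, and an external editor), while the partner-domain view grant and the contractor's comment access come back medium, which matches the PoLP guidance above: view or comment for outsiders is acceptable but still worth a periodic review. To remediate a high finding you would call `service.permissions().delete(fileId=..., permissionId=...)` or `permissions().update(..., body={"role": "reader"})` on the offending grant.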
Protect Google Drive with a cloud-based DLP solution
Nightfall offers a way to scan your entire Google Drive to see file-sharing settings so you can make sensitive data available only to the intended people. This gives security admins an overview of all files in their Google Drive and allows them to easily find and investigate files that violate company policies: find, flag, and secure data that external users can edit or view within your Google Drive files. Learn how Nightfall can improve the security of your Google Drive by signing up for a demo.