Monthly Archives: January 2019

Secure file sharing & content collaboration for users, IT & security

Larry Ponemon

The ability to securely and easily share files and content in the workplace is essential to employees’ productivity, compliance with the EU’s General Data Protection Regulation (GDPR) and digital transformation. However, a lack of visibility into how users are accessing sensitive data and the file applications they are using is putting organizations at risk for a data breach. In fact, 63 percent of participants in this research believe it is likely that their companies had a data breach in the past two years because of insecure file sharing and content collaboration.

According to the findings, an average of 44 percent of employees in organizations use file sharing and collaboration solutions to store, edit or share content in the normal course of business. As a result of this extensive use, most respondents (72 percent) say that it is very important to ensure that the sensitive information in these solutions is secure.

Despite their awareness of the risks, only 39 percent of respondents rate their ability to keep sensitive contents secure in the file sharing and collaboration environment as very high. Only 34 percent of respondents rate the tools used to support the safe use of sensitive information assets in the file sharing and collaboration environment as very effective.

Sponsored by Axway Syncplicity, the purpose of this research is to understand file sharing and content collaboration practices in organizations and what practices should be taken to secure the data without impeding the flow of information. Ponemon Institute surveyed 1,371 IT and IT security practitioners in North America, United Kingdom, Germany and France. All respondents are familiar with content collaboration solutions and tools. Further, their job function involves the management, production and protection of content stored in files.

This section presents an analysis of the key findings. More details can be found on Axway’s website. Following are key themes in this research.

Data breaches in the file sharing and content collaboration environment are likely. Sixty-three percent of respondents say it was likely that their organizations experienced the loss or theft of sensitive information in the file sharing and collaboration environment in the past two years.

The best ways to avoid a data breach are to have skilled personnel with data security responsibilities (73 percent of respondents), more effective data loss protection technologies in place (65 percent of respondents), more budget (56 percent of respondents) and fewer silos and/or turf issues among IT, IT security and lines of business (49 percent of respondents).

Data breaches are likely because of risky user behavior. About 70 percent of respondents say they have received files and content not intended for them. Other risky events include: accidentally sharing files or contents with individuals not authorized to receive them, not deleting confidential contents or files as required by policies and accidentally sharing files or content with unauthorized individuals outside the organization, according to 67 percent, 62 percent and 59 percent of respondents, respectively.

A lack of visibility into users’ access puts sensitive information at risk. Only 31 percent of respondents are confident in having visibility into users’ access and file sharing applications. Some 65 percent of respondents say not knowing where sensitive data is constitutes a significant security risk. Only 27 percent of respondents say their organization has clear visibility into what file sharing applications are being used by employees at work. A consequence of not having visibility is the inability for IT leadership to know if lines of business are using file sharing applications without informing them (i.e. shadow IT).

Customer PII and confidential contents and files are the types of sensitive information at risk. The most sensitive types of data shared with colleagues and third parties are customer PII and confidential documents and files. Hence, these need to be most protected in the file sharing and collaboration environment.

The plethora of unstructured data makes managing the threats to sensitive information difficult. As defined in the research, unstructured data is information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, numbers, and facts as well. An average of 53 percent of organizations’ sensitive data is unstructured and organizations have an average of almost 3 petabytes of unstructured data.

Most unstructured data is stored in email file sharing solutions. Respondents estimate an average of 20.5 percent is stored in shared network drives and 20 percent is stored in other file sync and share solutions. Almost half (49 percent of respondents) are concerned about storing unstructured data in the cloud. Only about 20 percent of unstructured data is stored in cloud-based services such as Dropbox or Box (20 percent) and Office 365 (17 percent).

On average, almost half of an organization’s sensitive data is stored on-premises.  According to Figure 7, an average of almost half (49 percent) of organizations’ sensitive information is stored on-premises and approximately 30 percent is located in the public cloud. An average of 22 percent of sensitive information is stored in the hybrid cloud. Hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud and third-party, public cloud services with orchestration between the two platforms.

Companies are challenged to keep sensitive content secure in the file sharing and collaboration environment. As mentioned earlier in the report, respondents are aware of the threats to their sensitive information, but admit their governance practices and technologies should be more effective. According to respondents, on average, about one-third of the data in the file sharing and collaboration environment is considered sensitive.

To classify the level of security that is needed, respondents say it is mostly determined by data usage, location of users and sensitivity of data type (62 percent, 61 percent and 60 percent, respectively). Twenty-four percent of respondents say their companies do not determine content and file-level confidentiality.


No, I don’t have Bruce tickets — When Google ‘interprets’ emails, it’s spooky and too clever by half

What is this reservation for???

Bob Sullivan

Google and Facebook often do spooky things, without our informed consent.  Recently, Google seemed to possibly ruin a holiday surprise for me…but ended up breaking my heart instead. Here’s a story about a clever tech going too far, doing things I never asked it to do, and ultimately, making a fool of itself.

During a recent visit to Times Square in Manhattan, I spotted an intriguing and surprising pin when I pulled up Google Maps on my phone. “Reservation. Dec. XX / 8 p.m.” it said (I’m omitting the date). It looked like a typical hotel notification, the kind that started showing up automagically on G-Maps about two years ago. They always surprise (spook?) me, pulled as they are from Gmail, but in truth, they are often useful.

Not this time.

A little context. Back in September of 2016, Google told users that it would start integrating calendar events with maps.  When entering a meeting, if you fill out the “where” field, the address appears on your version of G-Maps. This is a pretty logical use of the tool. If you have a meeting, you are likely to pull up Maps and see where you are supposed to be. Given that you’ve explicitly entered the address into Google’s calendar, it seems not much of a leap to use that information on Google Maps.

But the 2016 announcement revealed something else.  To further embed your life in the Google ecosystem, the firm would also scan your emails (remember, Google and other developers can still ‘read’ your Gmail) for events like hotel reservations and enter those as points on maps, too. Naturally, I never read the announcement.  Like most of you, I just started seeing these pins for airports and hotels on maps, and somewhere inside, figured that was Google inferring things from my Gmail. This feels different to me. In this scenario, I didn’t explicitly give Google the right to know where I was going; instead, the firm looked over my shoulder at what I was doing, and put it on a map.  Again, it’s useful. But I never asked for this feature. I could imagine situations where this would be a bad thing. What if I had booked a surprise for someone, and s/he spotted it when I innocently pulled up a map one day? What if my boss saw it?  Also, who else can see it? What other kinds of marketing might I get because Google knows where I’m going?

I hadn’t considered the Bruce scenario, however.

Back to the suspicious “Reservation. Dec. XX / 8 p.m.” I had no plans for that day, but there it was. So I clicked on the pin. The address showed 219 W 48th St. Didn’t mean anything to me. A restaurant? A hotel? I clicked on the picture, and saw this:

BRUCE!

Ohhhhhhhhh. It’s not a movie. It’s not a dinner. It’s BRUCE! At the Walter Kerr Theatre. I’m from New Jersey, so I love Bruce. And I’ve been dying to see this Broadway show.

One problem: Tickets are really hard to get. And I know I don’t have them. Then it dawned on me: last Christmas season, I discussed going with my brother.   It was more of a joke, given the insane price tag. But maybe…maybe…he managed to score tickets.  Wow!

But then, how did it get into my calendar?  Some happy error? Some new shared family calendar feature? As I contemplated my possible good fortune, I was also deeply troubled.  Sure, ruining a surprise is bad. But this seemed beyond creepy. Did Google somehow know about my conversations with my brother? Or about his credit card purchases? As I went full-on conspiracy theory, I decided to make sure there was nothing in my email that created this situation. I searched for “Walter Kerr Theatre”

And there it was.  No, I don’t have tickets to see Bruce that night.  A friend does.

Many months ago, an old friend who had won the online lottery scored Bruce tickets from Ticketmaster for December. And in her excitement she forwarded me the confirmation email she’d received from Ticketmaster.

That forwarded email was apparently enough to convince Google that *I* was going to the theatre that night. So it took details from the note and auto-populated it into my Google map.

Haha, joke’s on me. No big deal, I’ll see Bruce another time.

But, this is both spooky and weird.  Not only is Google looking over my shoulder and putting things on a map (again, I never asked). Now it’s putting wrong things on that map. With just a little creativity, it’s easy to see how this could go wrong. A wife spotting a “suspicious” resort hotel reservation (is he cheating?).  A boss “finding out” that you are visiting a competitor (“Is she moonlighting?”).  Worse still, let’s say there’s a crime in Times Square on that December night.  When police subpoena Google for everyone who was near the scene of the crime, I’d be in the list.

I have no idea how often G-Maps makes mistakes like this. Maybe it’s exceedingly rare. But now, I’m not so sure. I’m on the lookout for more. If you know about one, please tell me. Meanwhile, if you don’t want Google to do this, I’m not sure what to tell you. Back in 2016, project manager Zach Maier gave handy instructions for toggling this feature off — on the map app, under settings, then “personal content.” The option “upcoming events” was apparently listed there at the time. It’s no longer there, at least on my version of Android. (While you are there, you can toggle off a feature I find annoying, the placement of contacts on Google Maps.) You could sign out of Maps, but that will probably screw with the normal operations of the software.

It’s hard to get right, the balance between creating new features and respecting privacy.