A study, conducted amongst attendees at last month’s Microsoft’s SharePoint Conference in Las Vegas (USA), has found that at least 36% of SharePoint users are breaching security policies, and gaining access to sensitive and confidential information to which they are not entitled. It also found that, of the 19% of respondents whose organizations do not allow sensitive information to be stored within SharePoint environments, nearly a quarter of them later confessed they knew of individuals who had accessed content that they were not entitled to, demonstrating that users were ignoring this directive. Most alarmingly of all, the majority of administrators perceive their ‘permission’ to be unrestricted – responding with comments anecdotally that included ‘I am entitled to see everything’ and ‘Administration access is God mode’. This incomprehension is testament that, albeit unintentionally, many SharePoint administrators are in fact abusing their privileged access rights, ultimately putting confidential data at risk.
Sponsored by Cryptzone – the data protection specialists, the study was conducted anonymously to find out how organizations are controlling access to SharePoint content and preventing data misuse or loss given their security and compliance obligations. The results reveal many are struggling, with some even failing completely. Håkan Saxmo, CTO at Cryptzone, clarifies, “Of the people spoken to during our survey, 19% recognize there are risks and try to limit them by banning sensitive information from being stored within SharePoint. I say ‘try’, because it turns out that just 18% actually use technical controls with 73% instead relying on a written policy or an ‘understanding’ with their workforce. And we all know how many people actually ‘do as they’re told’. It’s hardly surprising then that sensitive information is not only finding its way into SharePoint repositories, but that users are discovering and accessing it too. It’s my opinion that the 23% that put their hand up to sensitive information being accessed is conservative and others either didn’t want to confess or, perhaps even worse, are oblivious that it’s even happening.”
The study found that interest in salary details had dropped, by over 50%, in 2014 to just 22%, but there was a marked increase in accessing other types of employee details – from 15 to 22%. Valuable data assets – such as insider information and Intellectual Property, also saw significant rises of around 50%. Håkan Saxmo adds, “While it is unclear why there’s less interest in what others earn, one hypothesis is that the recent economy has encouraged people to consider changing employment, and are therefore looking for information that could prove useful securing a new role.”
With compliance high on many organizations’ agendas, it’s perhaps surprising that 36% of organizations do not audit their system, and therefore can’t be sure if they’re putting sensitive and confidential data at risk or not. Interestingly, a higher percentage of organizations undertake an internal compliance audit of their SharePoint environments (53%) than an external compliance audit (28%) – of which 25% perform both.
Findings this year show that a greater percentage of organizations no longer allow third party access to their SharePoint environment. While it is unclear why this appears to have tightened, it could be related to the high percentage of organizations (79%) storing sensitive and confidential information in their SharePoint environments and the fear of exposing it to others. Over half of respondents (56%) reported that mobile access to SharePoint applications and data is an issue within their organizations.
Håkan Saxmo concludes, “There are three key take-aways from this study – firstly, there needs to be a separation of duties, so that SharePoint administrators are only responsible for performing normal administrative functions in SharePoint: setting up sites, libraries, content types, meta-data columns, access rights and configuring page layouts, etc. They should never have full visibility to all content, as it presents compliance issues and a security risk. Secondly, employing technical controls that enforce information security policies automatically, without changing the user experience, is fundamental to the rules being maintained. Users won’t follow the rules, just because they are there! And finally, with the proliferation of mobile devices (smart phones and tablets), having a secure solution for mobile users who need access to SharePoint and other web-based applications is a critical issue for the majority of organizations today.”
To read the results of this survey in full, visit:
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.