As work and home life have increasingly merged, many employees have found it convenient to share corporate data residing in SaaS applications with their personal email accounts. But this “personal sharing” can create vulnerabilities that are difficult for an organization’s SecOps people to be aware of, let alone manage. In addition, the “Great Resignation” of workers (nearly 20 million this spring and summer according to the Wall St. Journal), due in part to the pandemic, means that employees may leave a company while that access to corporate data stays in their personal accounts. Let’s look at the issue and what steps organizations can take to protect themselves.
Personal sharing: Why it’s a security threat
SaaS applications can be an entry point to company data through a variety of external and internal means. While threats come in a variety of forms, we focused on seven fundamental exposure threats in our original research report, “Quantifying the Immense Risk of Unmanaged SaaS Data Access.” They are:
Personal sharing is first among them. Personal sharing occurs when employees give themselves access to organizational assets and data through their personal email accounts. This opens the doors to exfiltration during and even after their employment. That’s a significant risk for the company, but the risk goes beyond simply what the employee might do with the access; that access might be shared with a third party – a vendor, a colleague, a friend, or even a competitor.
Further still, personal email platforms as a rule do not require multi-factor authentication (MFA), which makes them the weak link in any chain of enterprise security solutions. A company’s investment in zero trust or least privilege access or other security measures can be completely undermined by the simple sequence of sharing a SaaS asset with a personal email address, having that email address compromised by a bad actor, and then the bad actor using those credentials to infiltrate a corporate network. It happens.
One of the more notable security violations of late occurred when a Boeing employee decided to share a company spreadsheet with his spouse to get help with formatting the document. Visible columns within the spreadsheet displayed information about 36,000 Boeing employees, including their names, place of birth, employee IDs and accounting department codes. Hidden columns also contained each employee’s date of birth and Social Security number. Once that spreadsheet was shared to a private email address, the chain of custody for that data set was broken.
While such blatant breaches may get media coverage, an untold number of other incidents potentially are occurring daily without anyone noticing. According to our research, among companies that allow external sharing of SaaS assets, more than 8% of employees, on average, share assets to personal email addresses. Each of those individuals shares an average of 28 assets. At a company with 1,000 employees, that would result in roughly 2,250 assets shared to private accounts.
The potential for even more exposure due to the ‘Great Resignation’
For reasons that may take a while to clearly understand, Americans are quitting their jobs in record numbers. August 2021 saw more than 4.3 million workers resign – an historical high representing nearly 3% of the total U.S. workforce, according to the Department of Labor.
To be fair, many of those were positions that could not be done remotely and may not have involved employee access to SaaS applications, such as people working in healthcare, retail or warehouses. But notably, resignations in the IT sector were up more than most other fields, followed by employees in financial services deciding to quit.
A report in the Harvard Business Review said that workers ages 30-45 were the most likely to move on to another employer. We can only surmise how they wrapped things up with their organizations, but it’s not a stretch to imagine that they didn’t shut off whatever personal sharing they had done through the multiple SaaS applications they may have accessed during their job tenures. More frightening, they may have intentionally downloaded sensitive data to their private accounts – or shared it with their new employers.
How your organization can manage the risk
The cost of high employee turnover goes well beyond security risks, of course. The knowledge lost when seasoned workers walk out the door, the expense of hiring replacements who may or may not be suitable for the work, and the demoralizing effect on employees who remain are all significant. As the Harvard Business Review article suggests, your organization might want to gather data on what’s driving employees to leave and take steps to remedy what you can.
At the same time, you’ll want visibility into all those vulnerabilities created by personal sharing – both by exiting employees and those who are still on the job.
This is what DoControl provides – a centralized view of all SaaS application sharing of your company data and assets, a granular look at who is doing so, through which applications and where else that data may have been shared, and – most importantly – the ability to shut down those openings immediately without disrupting other business functions. DoControl guards against the dangers of personal sharing and myriad other threat types as well.
The best way to see how effectively DoControl can help you get a hold on these security threats is through a demonstration. Just complete a simple form and we’ll be in touch to show you the power and simplicity that DoControl offers.
This stat comes from the industry report we published earlier this year: The Immense Risk of Unmanaged SaaS Data Access. It’s a great read. We recommend you check it out.