Addressing the externally-shared sensitive information email Google sent Workspace administrators

Addressing the email Google sent Workspace administrators

What Does it Mean?

Google recently sent an automated email to Workspace Administrators outlining potentially sensitive information being shared by your users with people outside of their organization. 

Google sends this “Data protection insights for your organization” report quarterly based on scan of files for patterns that look like sensitive information. For example, it will look for social security numbers in files by looking for three numbers separated by a hyphen followed by two numbers, another hyphen, and then four numbers - the pattern for a social security number. The same mechanism is used to search for other information types capable of being derived from knowing the pattern of that information.

The report contains very helpful information and we suggest paying attention to its findings. We  recommend a number of ways to address the findings below, but first a disclaimer:

Report Accuracy

The accuracy of the findings in these types of reports can only reach a certain level given the pattern-based approach mentioned above. If your organization regularly shared files with what looks like sensitive information, that could get caught up in this report as what we’d call a “false positive”. For example, your account numbers, equipment serial numbers, various technical information, etc. could take on the same  ###-##-#### pattern as a social security number. While Google attempts to minimize the volume of false positives using other techniques, the count of potentially sensitive shared information is likely inflated, especially for organizations with lots of files.

How to Address The Findings

Reducing the likelihood of sensitive information being shared insecurely can be accomplished in many ways. Broadly speaking, this is a practice called Data Loss Prevention or “DLP” for short. We’ll contain suggestions to Google Workspace only given the report’s audience.

Disable external sharing or limit who can share externally

First, if your organization doesn’t have a need to share files externally with clients, vendors, etc. then the easiest way to prevent external sharing is to completely disable it. You can do that by following these instructions. We suggest surveying your team before taking this action, as you may not know the catalog of reasons why sharing through Google Drive is important across your team. Knowing that can help you make the right decision, including one of the other options below.

You can also customize which groups inside your organization are allowed to share externally, and if files can be shared via a link or if they are required to be shared with specific people or shared to accounts on whitelisted domains only. Using those customization settings can often accommodate the external sharing needs of your team while greatly reducing the chances sensitive information will find its way into the hands of someone it was not meant for.

Use shared drives

A relatively new and underutilized feature of Google Drive are their “shared drives”. This allows the capability to create different sharing rules at, basically, a folder-level and manages the sharing of files inside that drive according to its rules, separately from the other drives or your overarching Google Drive account.

Using shared drives might look like creating one for each department and managing the external sharing settings per department, or perhaps creating a few for very specific use cases where files need to be shared externally. Sharing with users outside your organization can be turned off at the “parent” level of your Google Drive account, but enabled for those shared drives where it’s needed.

This approach takes a little reorganization of files and processes as well as a little user training but cleans up a lot of both internal access control and data loss concerns. More on Google’s shared drives can be found here.

Enable enterprise-level DLP features

The Google Workspace Enterprise plan contains DLP features that allow administrators to scan each file for the patterns used in this report as well as customize your own sensitive data patterns or keywords to scan for. Rules can then be created which prevent external sharing of files that contain data with those patterns and/or submit them to an approval queue before sharing is allowed. While the enterprise plan is pricey, the additional security features can certainly be worth the peace of mind and additional control. More on the DLP features in the enterprise plan can be found here.

Havoc Shield Help

If you need help determining the best approach, or implementing one of the above approaches, Havoc Shield’s managed plan can certainly help. We can work with you to identify the best path forward, test, and roll out a DLP strategy, supported by our cybersecurity as a service platform.