GSuite calendar sharing can lead to the leakage of confidential information. As a G Suite administrator, you can help your employees avoid accidentally disclosing sensitive information by putting some reasonable guardrails on what sharing settings they are (and aren't) allowed to use to share their calendar.
GSuite Calendar Sharing - Examples of Exposure
Before we get deep into G Suite Admin configuration details, let's pause briefly to talk about what sensitive information is often in employee calendars. It's a lot more than most people think. Here are some examples of sensitive information that almost every company has somewhere in an employee's calendar:
- Zoom / Google Meet Links and Passcodes: remember that meeting where you discussed a confidential legal matter that the company is facing? Or strategized on a sensitive PR matter? In a meeting with more than just a few employees, it's easy to end up in a situation where there are some participants joining via dial-in instead of video -- and it's pretty easy to imagine how a malicious actor could join a sensitive call if they had the URL or dial-in information. You don't want that.
- Vacation Timing: would a cyber criminal attempting to penetrate the company's website like to know precisely when the top DevOps person is going to be en route to vacation? You bet they would! Guess what? It's become commonplace for employees to block their calendars during their vacation days -- to avoid someone accidentally booking them for a meeting -- and the title of their calendar block is pretty likely to reveal that they are on vacation.
- Info that Makes Social Engineering Easy: social engineering is when a cyber criminal uses persuasion tactics to cause an employee to take some privileged action that unintentionally gives the hacker some information or access that they desire. Some of the most devious social engineering efforts use contextually-accurate information. For example, a hacker calling the receptionist -- identifying himself as a board member preparing for this afternoon's board meeting -- and asking for access to some confidential financial or accounting information. The knowledge that there is a board meeting this afternoon (or some other correct contextual detail) makes all the difference in this ruse.
These are just a few examples of information exposure via G Suite calendar sharing, but I'm sure if you look at your own calendar you can readily identify additional examples of items that would be problematic if they were accidentally shared publicly.
Putting Guardrails on Sharing
In G Suite Admin, administrators have the ability to easily put some common-sense guardrails on the level of external calendar sharing that is permitted companywide. The way that we typically recommend configuring this is a technique that limits the maximum sharing permission. Notice how we phrased that -- we're not automatically sharing all employee calendars. Rather, we're putting guardrails on the maximum amount of sharing that we allow, for employees that go through the effort to turn on any sharing at all. This is important because many employees have no business reason at all to want to share their calendars externally, but those that do will have certain limitations that prevent them from over-sharing.
The guardrails that we most frequently find ourselves recommending to clients, are shown in the following video where we configure a fictional G Suite company to prevent employees from externally sharing anything beyond free/busy information from their calendar:
[embed]https://youtu.be/aeaG1-hlz_I[/embed]
Following along with the above video should take no more than five minutes, and could save your company from unwelcome data exposure risk.
Wrapping Up
G Suite calendar sharing is an easy information exposure risk to overlook. Many companies focus heavily on security their cloud-based file storage, their email, their financial systems, and their website. However, calendar sharing is a hidden exposure risk that carries substantial risk. The good news? It's easy to take the basic mitigation steps shown in the video in this article, and even easier to get in touch with Havoc Shield to take more nuanced follow-on steps to further protect yourself and your organization.
