Endpoint
8/12/2013
04:07 PM
Dark Reading
Products and Releases

Cryptzone Reveals The Extent To Which Confidential Content Is Left Unprotected In SharePoint

More than half of those questioned had sent documents to someone without sufficient SharePoint permissions to access a document for themselves

Gothenburg, August 12 2013

Cryptzone, the IT security and threat mitigation specialist, today published the results of its SharePoint Security Survey at SPTechCon in Boston. The survey, undertaken amongst SharePoint practitioners at the Microsoft conference in Las Vegas, reveals how many organizations have inadequate security and governance measures in place to help prevent data misuse and loss from their SharePoint environments. Whether this is because managers naively still believe that SharePoint is not a repository for sensitive and confidential information, or because they have not got to grips with central management of sprawling SharePoint deployments, is unclear.

40% of participants admitted that they, or people they know, have accessed information not intended for their consumption. While salary details topped the list for unauthorized access to sensitive content (46%), valuable data assets, such as insider information, M&A details and intellectual property, represented more than one third of contraventions, which should sound alarm bells in many a boardroom. "Data leaks of this nature are not just about non-compliance, but can affect the business results of the whole enterprise," says Einar Lindquist, CEO at Cryptzone.

More than half (55%) of those questioned had sent documents to someone without sufficient SharePoint permissions to access a document for themselves. Whether this behaviour is for legitimate business reasons or not, Cryptzone asserts that organizations should take note of the frequency with which data is being shared beyond the confines of SharePoint both to other employees and external collaborators. People are moving data around, so organizations need to deploy secure mechanisms to achieve this safely and be able to track flows of sensitive content, in order to uphold security and compliance standards.

Although the survey shows that the IT security awareness message is being heard, it is ignored by the majority. 76% of those surveyed know that by copying or sending sensitive content outside of SharePoint, information is more vulnerable to data breaches. Organizations are clearly finding it difficult to stop this kind of activity. With the continued dominance of email communication and the rise of file sharing sites, such as Dropbox, Cryptzone considers there is an urgent need to put in place security tools that enable employees to work more responsibly, without hindering their productivity. While many respondents did not consider the documents they were sharing to be of a sensitive nature, over one third admitted that they were "Not bothered if it helps me get the job done". It is therefore imperative that any security measures implemented are very easy to use or transparent to users. Perhaps more worryingly, 28% did not consider protecting data part of their responsibility. Evidently, raising levels of IT security awareness does not necessarily change behaviour and instil a sense of accountability.

"Many of the SharePoint environments our engineers come across have very little security, so people are at liberty to do almost what they please with the content they find," states Einar Lindquist, CEO at Cryptzone. "SharePoint sites may have escaped the intense scrutiny of auditors in the past, but that's all changing. The CIOs and CISOs, who I am talking to, recognize that their SharePoint sites are unquestionably being used to store personal and commercially sensitive information that requires effective data protection."

Other Survey Statistics

· IT Administrators continue to wield the power for managing access rights within SharePoint (77%)

· 59% do not trust document authors to control who reads the documents they create in SharePoint.

· 40% of participants admit that they, or people they know, have accessed information not intended for them.

· 58% are opening up access to external collaborators, but nearly 25% still don't give third party access to SharePoint collaboration environments.

Survey Conclusions

· All types of users are circumventing security policies, thereby increasing the risk of security incidents.

· SharePoint professionals do not trust content authors to appropriately manage access rights to SharePoint content.

· SharePoint IT professionals are frequently abusing access privileges to look at sensitive data without the knowledge of their employers.

· People have a genuine need to share information outside of the SharePoint environment for third party collaboration with customers, partners & other stakeholders.

· There is a need for tools that enable workers to take full advantage of the collaboration capabilities of SharePoint, yet enforce corporate policies on data protection and IT security.

SharePoint Security Recommendations

1. Ensure that encryption and access management stay with the document regardless of whether SharePoint content is moved, copied or changed in any way.

2. Provide an integrated method for secure communication, which allows users to share SharePoint content appropriately within and outside the network, enabling productivity and data protection.

3. Establish rule-based access rights management to automate SharePoint security controls, thereby avoiding errors that leave content vulnerable to data misuse.

4. Ensure a separation of duties, so that SharePoint administrators cannot circumvent security policies and cause an accidental or malicious breach.

5. Adopt a thorough approach to reporting all administrative actions and events involving sensitive SharePoint content, in order to spot security threats early and prevent the cover up of administrator abuses.

To download a copy of the survey results please visit: www.cryptzone.com/sharepoint-security-survey-US

Cryptzone is exhibiting its Secured eCollaboration for SharePoint solution, which provides document encryption, enhanced access control and compliance auditing capabilities, on booth 403 at SPTechCon in Boston.

For more information:

Einar Lindquist, CEO, Cryptzone Group AB
einar.lindquist@cryptzone.com
Tel: +46 704-299 839

Beverley Stonehouse, Head of Marketing & Communications
pr@cryptzone.com
Tel: +44 1252 419990

About the Cryptzone Group

The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk. Our solutions enable organizations to securely connect, collaborate and comply within the digital workplace, thereby improving document security, access control and compliance auditing capabilities.
