Have you ever seen a news article talking about a data breach? They're posted here pretty regularly, and most big news outlets discuss the more important ones when they happen.
I only ask because your comment sounds like you don't think security is a concern for businesses. It is, so much so that worldwide, companies who have been breached spend close to $4 million cleaning up after the incident [1]. In the US it's actually more like $8 million to clean up after a breach. And if you read the report, data leaks (like customer info sitting in an unsecured Google account) account for half of all breaches.
I'd like you to understand how Google Docs poses a risk to businesses. Imagine you want to share a customer list with someone else in your company, but you don't want to use Word and OneDrive like IT has approved. So you put it in Google Docs. Now sitting in your personal and unsecured Google account is a list of your company's customers. Maybe some pricing info, maybe the email address of a contact at the company, that kind of stuff. Now your personal Google account is compromised. It happens all the time, but this time the hacker finds your company's info. Maybe they sell it to one of your competitors and your company loses business. Maybe they use it to spear-phish your customers. Maybe your company's customers get breached because you put their information in an unsecured location.
Now let's say this goes on long enough that other people are using Google Docs too. If prepend can get away with it, so can Anne from accounting. And Ben from HR. And now the SSNs and birthdates and home addresses of all of your company's employees are in the hands of some lucky hacker who guessed that Ben's Gmail password was "Benjamin123".
Does that warrant firing? Doxxing everyone at your company, putting your customers out of business, and putting your own company out of business, just because you didn't like the IT approved solutions? I'm sure there are easier ways to destroy your company and put 200k people out of a job, but I can't think of any off the top of my head.
Security is a big concern of mine. Real security, not fake stuff where an employee can initiate a breach by posting something to slack.
If I can screw up and post company financials, SSNs, whatever sensitive stuff to Slack, then that is a big security risk. And Slack isn’t my company’s problem. The problem is training, and digital loss prevention, and access controls.
If company IT approved solutions don’t meet business needs, then I think that’s a big security risk. To prevent people from posting inappropriate material, we need effective tools.
Should the partner not have given his presentation?
The solution, I think, is to identify docs with SSNs wherever they may be on network and major cloud vendors and redact them, or remove the files when they are uploaded.
In the partner’s case there was no sensitive data in the presentation. IT should know that and help users. If the solution is to ban cloud docs in 2009 with no solution then I think that creates more risk because rather than trying to adapt to using Google Drive and training users how to use it, there are a lot of shadow functions.
There is risk in these tools, my point isn’t that we must allow everything. I think we have to support common use cases and banning functionality needed by users, and used by competitors, is actually riskier than supporting enough so that users can do their jobs.
>not fake stuff where an employee can initiate a breach by posting something to slack
This alone tells me that your first sentence is not true.
Do you work in IT security? Have you used DLP tools? Have you seen the process to certify technologies for use and secure them when they are being used? Have you seen the cost of those tools, and how much time/manpower it takes to run them?
If Google Docs is not approved for company use, how does the security team identify SSNs in Google Docs? They don't. So the security team approves Google Docs and buys a product to monitor Google Docs. But now people want Dropbox, which means more cost. And Box, which means more cost. And OneDrive which means more cost. And Bobby only uploads his stuff to S3 buckets, which means more cost. All of these services cost money and all of the tools required to monitor them cost money too.
And while the security team is spending tens of millions of dollars per year (probably a low number actually) to monitor all these approved cloud storage services, Maria uploads a thousand W2 tax forms to her personal Gmail account and brings down the company anyway. Or if Gmail is blocked, she puts it on a USB drive and loses it when her car is broken into. Or if the security team locks down USB storage, she prints the documents and accidentally leaves the folder on the bus. Or if there's a DLP tool watching the printers... she shares it in a personal Slack channel so she can work on it at home.
Security is hard, and the mindset of users who say "you can't stop me" makes it almost impossible. The security team needs to be right 100% of the time, but an attacker only needs to be right once. The risky part isn't banning functionality, it's employees who refuse to follow the rules. And in any job, if you refuse to follow the rules, you get fired.
> Or if there's a DLP tool watching the printers... she shares it in a personal Slack channel so she can work on it at home.
And here we are. An idiotically simple use case that is not covered by IT.
If, instead of locking the shit out of infrastructure, the IT people in your story had focused on providing a comfortable solution for working on a document from home, none of that would have happened.
It's a repeat of the story with passwords. Muh security guys establish rules that your password should be a crazy something and you must rotate it every month, and then they are surprised that those passwords end up written on sticky notes beneath the keyboard.
Try to be human-first and address use cases, and nobody will need to use a third-party tool to get on with their work.
>If Google Docs is not approved for company use, how does the security team identify SSNs in Google Docs?
Part of my argument is that Google Docs is popular and widely used by users, so IT should support it.
Then there’s training on how to use unsupported stuff (ie don’t email ssns, don’t upload ssns, etc).
Then there’s DLP as the source file was a PowerPoint on the partner’s laptop. Back then, I don’t know what products existed but today I have implemented DLP that if a file has a social it is flagged for review immediately and will present visual cues to the user for sensitivity and it is blocked from lots of different transfer methods. This helps prevent users who don’t know the file is sensitive (most of the potential breaches I’ve encountered) but users can get around it (screenshot, phone, etc) if they are really determined.
My point is mostly about rules being better rather than rigid. The best rules fit into a mental model and should be easy to follow. The “Just say no” style rules work just as well for security as for drugs and smoking.
Usability is really important, I think, in security.
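The comment above describes a DLP control that flags a file containing a social security number, shows the user a sensitivity cue, and blocks common transfer paths. As an added illustration of the detection and redaction step (this is example code written for this page, not any commenter's tool and not a specific DLP product), here is a small Python scanner. The structural rules it uses (area number not 000, 666 or 900-999; group not 00; serial not 0000) are the SSA's published SSN format; the sample roster, the names and the function names are all constructed for the example.

```python
"""
Toy DLP-style SSN scanner: find candidate SSNs, drop structurally impossible
ones, label the document, and redact matches.

Added example for this discussion, not code from any commenter or product.
"""
import re
from dataclasses import dataclass

# ddd-dd-dddd, ddd dd dddd or ddddddddd. The backreference forces the same
# separator in both positions, and the digit lookarounds stop us matching
# inside longer digit runs such as order IDs or phone numbers.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

# Constructed sample text; none of these numbers belong to a real person.
SAMPLE = """Employee roster (constructed sample, not real data)
Anne Example   SSN 219-09-9999   phone 555-0100
Ben Example    SSN 078-05-1120
Order ID 123456789012 must not be flagged
Invalid 000-12-3456 and 666-12-3456 and 900-12-3456 are rejected
"""


@dataclass
class Finding:
    start: int
    end: int
    value: str


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural checks per the SSA format; cuts obvious false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[Finding]:
    """Return every plausible SSN occurrence in document order."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            findings.append(Finding(m.start(), m.end(), m.group(0)))
    return findings


def redact(text: str, findings: list[Finding]) -> str:
    """Mask each finding, keeping only the last four digits."""
    out, last = [], 0
    for f in findings:
        out.append(text[last:f.start])
        out.append("***-**-" + f.value[-4:])
        last = f.end
    out.append(text[last:])
    return "".join(out)


def classify(text: str) -> str:
    """Sensitivity label a DLP agent could surface to the user."""
    n = len(find_ssns(text))
    if n == 0:
        return "none"
    return "restricted" if n >= 10 else "sensitive"


if __name__ == "__main__":
    hits = find_ssns(SAMPLE)
    print(f"label={classify(SAMPLE)} hits={[h.value for h in hits]}")
    print(redact(SAMPLE, hits))
```

Pattern matching is the easy part of the control the commenter describes; the hooks into email, upload and clipboard paths are where the cost goes, and, as the comment notes, a determined user can still photograph the screen.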
[1] https://www.upguard.com/blog/cost-of-data-breach