Survey sheds light on SharePoint security concerns

Respondents' top SharePoint security concerns include frustrated users who inadvertently or deliberately circumvent security policies.

The results of a recent survey indicate users of Microsoft’s SharePoint collaboration tool frequently bypass security measures in order to share information with people outside the list of approved users, or to access confidential data.

The survey was conducted last November by Swedish security firm Cryptzone at an event for users of Microsoft’s SharePoint collaboration tool in Nottingham. Cryptzone published the results this week.

In the Cryptzone survey, anonymous responses were provided by 100 people who ranged from basic users to system administrators and developers. Nearly half (44%) worked for organisations with more than 1,000 employees, and 49% were responsible for managing access rights within SharePoint.

When asked if they or a colleague had looked at documents on SharePoint that they were not supposed to read, 34% said they had. Of those, 23% had spied on salary details; 34% had checked on other employees’ details; and 8% had looked for information about mergers and acquisitions.

While 29% of the respondents’ organisations allowed third-party access to their SharePoint environments, either directly or via a VPN, 56% of respondents said their SharePoint environments were closed to third parties. The consequence for organisations with a restrictive SharePoint security policy was that many people found ways of sharing the information with third parties in an unsanctioned manner: 43% said they sometimes or regularly bypassed restrictions by copying information to unsecured removable media, or by emailing the information to a third party.

When asked why they shared information in this manner, 55% said they needed to share the information with someone who didn’t have access to the SharePoint system, and 43% emailed the files so they could work on them at home. Almost all acknowledged they were taking a security risk by doing so, but two-thirds said they either had not seriously considered the security implications, or they just wanted to get the job done regardless of the security risks.

Daniel Nilsson, data loss prevention expert at Cryptzone, said the results show companies were failing to harness the power of SharePoint effectively. “Organisations recognise that today’s workforce needs to be able to collaborate effectively,” he said. “But if this newfound access to data is introducing lax security practices, then the danger could quickly outweigh the benefits.”

Bob Tarzey, an analyst for Windsor-based research company Quocirca, said he was not surprised by the SharePoint security issues revealed in the survey. “Microsoft has achieved dominance for SharePoint through use of an open source tactic. Windows SharePoint Services is free, embedded in the Windows server operating system, so initial use is often ad-hoc,” he said. “It is only when organisations realise how reliant they have become on it that they invest in the full SharePoint Portal.”

Tarzey said companies need to introduce proper controls to avoid problems. “There is no reason why, with the right controls and permissions, the use of data cannot be restricted and audited,” he said. “Of course, employees need access to data to do their jobs, so protecting it beyond that needs other measures, such as DLP and endpoint security.”
