NEWS AND EVENTS

Press Releases

Cryptzone survey reveals SharePoint users are breaching security policies

April 15, 2014

With administrators the worst perpetrators - perceiving their 'permission' as unrestricted

A study, conducted amongst attendees at last month's Microsoft's SharePoint Conference in Las Vegas (USA), has found that at least 36% of SharePoint users are breaching security policies, and gaining access to sensitive and confidential information, to which they are not entitled. It also found that, of the 19% of respondents whose organizations do not allow sensitive information to be stored within SharePoint environments, nearly a quarter of them later confessed they knew of individuals who had accessed content that they were not entitled to, demonstrating that users were ignoring this directive. Most alarmingly of all, the majority of administrators perceive their 'permission' to be unrestricted - responding with comments anecdotally that included 'I am entitled to see everything' and 'Administration access is God mode'. This incomprehension is testament that, albeit unintentionally, many SharePoint administrators are in fact abusing their privileged access rights, ultimately putting confidential data at risk.

Sponsored by Cryptzone - the data protection specialists, the study was conducted anonymously to find out how organizations are controlling access to SharePoint content and preventing data misuse or loss given their security and compliance obligations. The results reveal many are struggling, with some even failing completely. Håkan Saxmo, CTO at Cryptzone, clarifies, "Of the people spoken to during our survey, 19% recognize there are risks and try to limit them by banning sensitive information from being stored within SharePoint. I say 'try', because it turns out that just 18% actually use technical controls with 73% instead relying on a written policy or an 'understanding' with their workforce. And we all know how many people actually 'do as they're told'. It's hardly surprising then that sensitive information is not only finding its way into SharePoint repositories, but that users are discovering and accessing it too. It's my opinion that the 23% that put their hand up to sensitive information being accessed is conservative and others either didn't want to confess or, perhaps even worse, are oblivious that it's even happening."

The study found that interest in salary details had dropped, by over 50%, in 2014 to just 22%, but there was a marked increase in other types of employee details - from 15 to 22%. Valuable data assets - such as insider information and Intellectual Property, also saw significant rises of around 50%. Håkan Saxmo adds, "While it is unclear why there's less interest in what others earn, one hypothesis is that the recent economy has encouraged people to consider changing employment, and are therefore looking for information that could prove useful securing a new role."

With compliance high on many organizations' agendas, it's perhaps surprising that 36% of organizations do not audit their system, and therefore can't be sure if they're putting sensitive and confidential data at risk or not. Interestingly, a higher percentage of organizations undertake an internal compliance audit of their SharePoint environments (53%) than an external compliance audit (28%) - of which 25% perform both.

Findings this year show that a greater percentage of organizations no longer allow 3rd party access to their SharePoint environment. While it is unclear why this appears to have tightened, it could be related to the high percentage of organizations (79%) storing sensitive and confidential information in their SharePoint environments and the fear of exposing it to others. Over half of respondents (56%) reported that mobile access to SharePoint applications and data is an issue within their organizations.

Håkan Saxmo concludes, "There are three key take-aways from this study - firstly, there needs to be a separation of duties, so that SharePoint administrators are only responsible for performing normal administrative functions in SharePoint: setting up sites, libraries, content types, meta-data columns, access rights and configuring page layouts, etc. They should never have full visibility to all content, as it presents compliance issues and a security risk. Secondly, employing technical controls that enforce information security policies automatically, without changing the user experience, is fundamental to the rules being maintained. Users won't follow the rules, just because they are there! And finally, with the proliferation of mobile devices (smart phones and tablets), having a secure solution for mobile users who need access to SharePoint and other web-based applications is a critical issue for the majority of organizations today."

To download the results of this survey in full, visit: http://www.cryptzone.com/forms/survey-sharepoint-security-spc2014

ENDS

Notes to Editors:

  • The survey was conducted amongst more than 100 attendees at the Microsoft SharePoint Conference held in Las Vegas, USA in March 2014.
  • Respondents were Microsoft® SharePoint practitioners, principally comprising of those with a technical role from organizations of all sizes.
  • It was conducted anonymously to find out how organizations are controlling access to SharePoint content and preventing data misuse or loss given their security and compliance obligations.
  • A similar survey was conducted in 2012 with results compared where appropriate.
  • To receive a pdf of the results, please send an email to Dulcie@uniquecommunications.co.uk.

For more information

Beverley Stonehouse, Head of Marketing & Communications, Cryptzone AB
beverley.stonehouse@cryptzone.com
Tel: +44 (0) 7884 263302

Press Contact:

Dulcie McLerie
Unique Communications
dulcie@uniquecommunications.co.uk
Tel: +44 (0) 2071 838 039 / +44 (0) 7971 458 230

About the Cryptzone Group

The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk. Our solutions enable organizations to securely connect, collaborate and comply within the digital workplace, thereby improving document security, access control and compliance auditing capabilities.

Specializing in encryption content security and secure access technologies, Cryptzone designs solutions that are barely visible to users, yet afford powerful security that protects enterprise information assets, corporate applications, and other network resources, including Microsoft SharePoint environments.

Headquartered in Sweden, the company has offices in the USA, UK and mainland Europe, as well as an extensive global partner network. For more information about the company and its solutions, visit www.cryptzone.com.
Cryptzone's share is listed on First North, Sweden, the Nordic alternative market operated by NASDAQ OMX. Certified Adviser is Thenberg & Kinde Fondkommission AB.