Whether this is because managers naively still believe that SharePoint is not a repository for sensitive and confidential information or they have not got to grips with central management of sprawling SharePoint deployments is unclear.
40% of participants admitted that they, or people they know, have accessed information not intended for their consumption. While salary details topped the list for unauthorized access to sensitive content (46%), valuable data assets, such as insider information, M&A details and Intellectual property represented more than one third of contraventions, which should sound alarm bells in many a boardroom. "Data leaks of this nature are not just about non-compliance, but can affect the business results of the whole enterprise" says Einar Lindquist, CEO at Cryptzone.
More than half (55%) of those questioned had sent documents to someone without sufficient SharePoint permissions to access a document for themselves. Whether this behavior is for legitimate business reasons or not, Cryptzone asserts that organizations should take note of the frequency with which data is being shared beyond the confines of SharePoint both to other employees and external collaborators.
People are moving data around, so organizations need to deploy secure mechanisms to achieve this safely and be able to track flows of sensitive content, in order to uphold security and compliance standards.
Although the survey shows that the IT security awareness message is being heard, it is ignored by the majority. 76% of those surveyed know that by copying or sending sensitive content outside of SharePoint, information is more vulnerable to data breaches. Organizations are clearly finding it difficult to stop this kind of activity.
With the continued dominance of email communication and the rise of file sharing sites, such as DropBox, Cryptzone considers there is an urgent need to put in place security tools that enable employees to work more responsibly, without hindering their productivity. While many respondents did not consider the documents they were sharing to be of a sensitive nature, over one third admitted that they were "Not bothered if it helps me get the job done".
It is therefore imperative that any security measures implemented have to be very easy to use or transparent to users. Perhaps more worryingly 28% did not consider protecting data part of their responsibility. Evidently raising levels of IT security awareness does not necessarily change behaviour and instil a sense of accountability.
"Many of the SharePoint environments our engineers come across have very little security, so people are at liberty to do almost what they please with the content they find," states Einar Lindquist CEO at Cryptzone. "SharePoint sites may have escaped the intense scrutiny of auditors in the past, but that's all changing. The CIOs and CISOs, who I am talking to, recognize that their SharePoint sites are unquestionably being used to store personal and commercially sensitive information that requires effective data protection."
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.