The thought of storing sensitive documents in the cloud can be a daunting one, especially if you are responsible for securing your organization’s data. Compared to a more traditional on-premises solution, Google Drive represents a paradigm shift in both where files reside and how they are accessed.
Why Google Drive Security is Important
Over the past several years, data breaches have been big news. Target, Home Depot, Instagram, and Sony, just to name a few. While it’s true that these kinds of headline-grabbing, coordinated attacks on consumer and employee data pose a big threat, organizations are also at risk from a “slow leak” of content, such as intellectual property and other confidential documents. In fact, according to a Ponemon Institute study, 80% of respondents considered loss of intellectual property a risk of insecure file sharing practices.
Although the total cost of a data breach is hard to estimate, Experian’s Data Breach Industry Forecast estimated that, in 2014, the average cost of a data breach was $3.5 million. The Ponemon Institute study results also point to a wide range of potential consequences, including:
- Loss of intellectual property
- Reputation and brand damage
- Disruptions to productivity
- Increased malware infections
- Regulatory actions
- Lawsuits
Needless to say, the additional time, effort, and money required to a proper Google Drive security protocol is well worth the expense compared to the repercussions of a data breach.
Is Google Drive Inherently Less Secure than On-Premises?
A common misconception among proponents of on-premises solutions is that “the cloud” is inherently less secure. According to Gartner contributor David Mitchell Smith,
Cloud computing is perceived as less secure. To date, there have been very few security breaches in the public cloud — most breaches continue to involve on-premises data center environments.
Smith recommends, however, that cloud vendors should be able to demonstrate that their specific solution meets necessary security requirements. With this advice in mind, you will be hard-pressed to find a solution to stands up to scrutiny better than Google Drive. Google is very open about their data security and compliance practices, which include:
- Encrypting your data both at rest and in transit
- Comprehensive background checks on all employees with access to data centers
- Multiple layers of redundancy
- Hardware tracking
- Comprehensive destruction of retired hard disks
- Regular third-party audits to maintain ISO, SOC, and FISMA certifications
The Human Equation of Google Drive Security
Having established that, due to extensive Google Drive security measures, the risk to data residing on Google servers is negligible, we arrive at the single largest risk factor for Google Drive data loss: the end users themselves.
According to Experian’s Data Breach Industry Forecast, 59% of security incidents in 2014 were attributable to human error or malicious employees. Furthermore, only 54% of organizations reported offering security training for employees with access to confidential information. Clearly then, there is a large gap between what IT leaders perceive as a major threat and the actual source of the majority of data leakage.
The knee-jerk reaction to such statistics is to lock down Google Drive by either drastically restricting the ability of employees to share files externally, or completely disabling it. However, this often proves counterproductive as users will organically reject a platform that is overly restrictive due to the inevitable inconveniences, as well as perceived lack of progress compared to existing on-premises data storage.
Raising employee awareness and providing training will pay large dividends in terms of reducing the amount of data lost due to negligence. Although many IT departments loathe expending precious budget on these services; the more open the sharing platform, the more vital this effort becomes.
Although securing Google Drive data takes planning and foresight, it is far from impossible. In fact, because Google Drive activity can be monitored, external sharing is actually more secure than using the traditional practice of sending email attachments. Your goal should be to take necessary measures to properly implement Google Drive security, while at the same time leveraging the power of cloud-based collaboration. Whether you’re planning to conduct a review of your organization’s Google Drive security, or you’re migrating data to Google Drive and need to plan accordingly, adherence to these three best practices will help secure your organization’s data, without placing restrictions on sharing and collaboration.
Don’t Forget the Human Element
User training and education should be a central aspect of your plan. Money invested in training will return dividends in a more savvy and security-conscious user base. Proper training can also help users avoid phishing scams and better secure their accounts using 2-step verification. End users should also have a clear understanding of what does or does not violate your organization’s Google Drive security policy.
Take Steps to Secure Endpoint Devices
Even the best training and data loss prevention software will not prevent a data breach if an unsecured device falls into the wrong hands. It’s always a best practice to enforce Google Drive security policies on mobile devices, such as a password-protected screen lock and the capability to remote-wipe stolen devices. Your IT team should also have a clearly documented plan for securing any account that might be compromised due to a stolen phone or laptop.
Understand What Data is Being Shared, and to Whom
It is essential to conduct regular data audits to understand how much data is being exposed to external parties. If possible, you should also implement data loss prevention measures, such as scanning Google Drive content for policy violations using an application such as BetterCloud. Knowing the volume and content of files being shared outside the company will provide you with valuable data, and you will be able to proactively adjust your Google Drive security policies accordingly.