Collaboration is at the heart of SaaS applications. It’s an essential feature that makes it easier than ever for individuals and teams to work together. Because content in SaaS applications lives in the cloud, it is immediately shareable, which facilitates communication and teamwork. However, as convenient as link sharing is, it also carries a high risk of data leakage and breaches.
Sharing files and documents within SaaS applications can be done in two ways: sharing with specific users or sharing with anyone with a link. Sharing with specific users can be tedious and time-consuming, requiring the file owner to add every user individually. On the other hand, sharing with anyone with a link is much simpler and quicker, but it poses a significant risk of data leakage. The problem with sharing a link freely is that there is no control over who accesses the file and how it is used. This lack of control can expose the file to unintended parties, including competitors, whistleblowers, and hackers.
Several high-profile data leaks have happened because of unsecured document-sharing settings. For instance, in 2021, New York City school officials confirmed a data leak that contained sensitive information of over 3,000 students and 100 staff members in the NYC public school system. The data was exposed when a student gained access to a Google Drive. Similarly, a Microsoft SharePoint breach led to a student stumbling onto a draft document discussing when schools would reopen during COVID-19. The letter included details of testing policies, quarantine policies, and other information that the school system was not ready to release. This data was exposed due to unsecured document-sharing settings.
It isn’t just school officials who need to be careful with their shared links. In 2021, an armed forces unit asked soldiers to fill in a Google form relating to their COVID-19 vaccines. Each soldier entered their name and ID number and answered questions relating to coronavirus. However, the author of the Google Form allowed respondents to review the results. Anyone with the link had access to the soldiers’ names and ID numbers. The data was listed chronologically, making it easy to group specific soldiers by their unit. This data was accessible to anyone with a browser and link.
According to TechCrunch, in 2019, security researchers found dozens of companies leaking sensitive corporate and customer data that was saved in Box. Using a script to scan for Box accounts, researchers found over 90 companies — including Box — with data that was visible to anyone with the link. Companies, including Amadeus, Apple, Edelman, and Herbalife, exposed customer names and contact information, project proposals, donor names, patient information, and more. This information could have easily been protected had companies used the access controls available within the platform.
Sharing links clearly creates high-risk situations, as these real-life breaches show, but the risk can be mitigated through the right processes. Fortunately, there are best practices that companies can follow to prevent data leakage and data loss. These include:
- Share files with specific users — Requiring users to log in before they can access the data drastically reduces the likelihood of data falling into the wrong hands.
- Add expiration dates to shared links — Most documents and files are shared and eventually forgotten about, putting companies in a position where they don’t even know that they are exposed. By adding an expiration date to the link, that oversight won’t come back to hurt the company.
- Password protect all links — Add an additional layer of data security by requiring password protection on all external-facing files.
- Create a Resource Inventory — List all corporate resources in a single place that includes each file’s share settings, providing security teams with a single view that enables them to evaluate risk and exposure.
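As an added illustration (not code from the original article), the sketch below checks a resource inventory against the other three practices in the list. The field names, the sample entries and the 30-day link lifetime are assumptions; a real inventory would be built from each application's admin export.

```python
from datetime import date

# Constructed sample inventory. Field names and values are assumptions for
# illustration; map them from whatever each SaaS admin export provides.
INVENTORY = [
    {"file": "roster.xlsx", "app": "drive", "access": "anyone_with_link",
     "expires": None, "password": False},
    {"file": "proposal.pdf", "app": "box", "access": "anyone_with_link",
     "expires": date(2024, 7, 1), "password": True},
    {"file": "policy-draft.docx", "app": "sharepoint", "access": "anyone_with_link",
     "expires": date(2025, 6, 1), "password": False},
    {"file": "budget.xlsx", "app": "drive", "access": "specific_users",
     "expires": None, "password": False},
]

MAX_LINK_LIFETIME_DAYS = 30  # assumed policy value, not from the article


def findings_for(entry, today):
    """Return the list of best-practice gaps for one inventory entry."""
    if entry["access"] != "anyone_with_link":
        return []  # named users must log in, so the link rules do not apply
    gaps = ["open_link"]  # not restricted to specific users
    if entry["expires"] is None:
        gaps.append("no_expiry")
    elif (entry["expires"] - today).days > MAX_LINK_LIFETIME_DAYS:
        gaps.append("expiry_too_far")
    if not entry["password"]:
        gaps.append("no_password")
    return gaps


def audit(inventory, today):
    """Return (file, app, gaps) for exposed entries, most gaps first."""
    report = [(e["file"], e["app"], findings_for(e, today)) for e in inventory]
    report = [row for row in report if row[2]]
    # sorted() is stable, so entries with equal gap counts keep inventory order
    return sorted(report, key=lambda row: len(row[2]), reverse=True)


if __name__ == "__main__":
    for file, app, gaps in audit(INVENTORY, today=date(2024, 6, 15)):
        print(f"{app:<12}{file:<22}{', '.join(gaps)}")
```

Run on a schedule, a report like this gives the security team the single view of exposure that the inventory is meant to provide, with the least protected links listed first.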
From sensitive customer data to confidential corporate information, the risks of data leakage and breaches are high and every unprotected link has the potential to expose data. Unsecured document-sharing settings can lead to unintended parties accessing files, resulting in severe consequences.
It’s crucial to follow best practices such as sharing files with specific users, adding expiration dates to shared links, password-protecting all links, and creating a resource inventory. So whether you are building an application or are about to start using a new one inside your business, it is worth treating shared links as a security risk.