Securing Google Drive Files with Excessive Permissions

Sharing files on Google Drive is convenient and efficient. It's one of the most popular collaboration tools used in organizations today for a good reason.

However, the convenience of Google Drive does come with some risks. If files are not properly managed and secure, your organization can quickly find itself exposed to serious security threats and data breaches. 

The risk of shared Google Drive files can cause financial and reputational damage, and sensitive information such as customer or employee data could get exposed.

In this post, we’ll outline the risk of overly-permissive Google Drive files for organizations and explain how to take actions to mitigate this risk.

The Security Risk of Google Drive Files with Excessive Permissions

The risk of shared Google Drive files is real, and organizations of all sizes have fallen victim to data breaches caused by publicly-available files.

For example, in 2020 the NHS was developing a coronavirus-tracking app and accidentally exposed a publicly accessible Google Drive link to sensitive documents about the app’s future development roadmap. These documents could be viewed anonymously as long as someone had the link address.

Even worse, in 2023 a Google Drive link from the American College of Pediatricians published publicly on the doctors' organization website exposed more than 10,000 sensitive documents. The documents included financial and tax records, membership lists, and emails that date back over ten years. The publication of these documents happened while the organization battled a legal fight over the abortion drug mifepristone, further damaging the organization’s reputation.

IT and security teams must consider the systematic protections they can put in place to prevent this type of data exposure from applications like Google Drive.

Understanding Permission-Levels for Google Drive Files

For Google Drive files, you can extend file permissions to specific people by specifying one of four access levels:

• Can view
• Can comment
• Can edit
• Is owner

You can also specify the following general access permissions:

• Restricted (only accessible to specific invited people)
• Shared with anyone in a specific group or organization
• Anyone with the link can view

All of these access levels come with risks, such as:

Insider Threats: Individuals with access to sensitive files can abuse their privileges and steal or misuse sensitive information. For instance, an outgoing employee with file access can download or alter files in a malicious way.

Third-party Risks: If you share files with third parties, such as vendors, contractors, or customers, they may not have the same security standards in place as you do. Additionally, if their access to the file is not properly managed, they could continue to have access even after the business relationship ends.

Employee Mistakes: It’s easy to make mistakes when sharing files, such as accidentally giving someone too much access or forgetting to revoke access after completing a project. An employee might also mistakenly share a sensitive file with someone who shouldn’t have access to it, such as a competitor.

Public Links: Public links are a convenient way to share files with people outside your organization. However, this also comes with the risk of exposing sensitive information to anyone with the link.

Google Workspace Tools for Administrators

Administrators have access to a wide range of tools and settings that can help them prevent data breaches and other security threats. 

For example, if an administrator identifies a file that is shared inappropriately, they can manually update permissions and access levels.

Administrators can also keep track of user activities in Google Drive using audit logs. By monitoring for suspicious activities, administrators can protect against data theft and develop Data Loss Prevention (DLP) policies.  

If you have the licensing to define and implement DLP policies in Google Workspace, this can be another way to detect if a user is about to share confidential data and alert the user or administrator before the file is publicly available.

Automatically Monitoring for Overly-Permissive Google Drive Files with Blink Copilot

Google Workspace administrators shouldn’t have to manually monitor which files are publicly-available or high risk. Most organizations have hundreds and thousands of files with constantly changing permissions. 

How do you actually keep track of your permissions creep?

With Blink Copilot, you can easily create an automated workflow to detect any publicly-accessible files in your organization’s Google Drive and notify the owner to make updates via Slack.

‍

When this automation runs, it executes the following steps:

1. Gets all the Google Drive users.
2. For each user, it lists insecure files.
3. For each file, it asks its owner to update the permissions via Slack.

You can also add conditional steps if you want to send reminders or take actions automatically if the owner doesn't update the settings.

If you have data loss concerns about outgoing employees, you could run an automation to monitor the Google Drive audit logs for suspicious activity so you can act in real time if data is being stolen.

Whether you want to create your own custom workflows or use the over 5K pre-built automations in the Blink library, it’s never been easier to secure your Google Drive and prevent data loss.

You can try typing a prompt into Blink Copilot here.

Get started with Blink today to see how easy automation can be.