Initial setup
Make sure the account has:
Verified admin email
Access to all scopes
Data sync on
Account customization
Create and assign custom user roles
Set up Trusted network
Best practices
Step 1: Identify potential security risks
1. Focus on the most sensitive, highest-risk files first
See the High risk files overview for suggestions: https://security.florbs.io/security-auditing/high-risk-files
2. Identify where sensitive information is stored
Examples:
Specific shared drives: the Management, Legal and Finance drives often contain confidential files
Shared drives or folders dedicated to specific projects that operate with sensitive data (e.g. Project X folder)
Files in the My Drive of C-level executives
3. Identify keywords commonly used in file titles that contain sensitive information
Examples:
Agreement
Confidential
Financial
Contract
Performance review
CV
Client
Forecast
Employee
Non-disclosure
Meeting notes
Internal
Employment
Payroll
You can search for files containing specific keywords in the title using filters in Audit files.
4. Remove outdated access in a timely manner
Tips:
Remove all sharing for files that have not been modified for more than 3 years
5. Check which domains have access to the most files and remove their access once the collaboration has ended
6. Check which external users have access to the most files and remove their access once the collaboration has ended
Step 2: Classify information
7. Classify information based on sensitivity
Why?
Many data protection regulations and standards, such as GDPR, HIPAA and ISO 27001, require businesses to classify their data based on the sensitivity of the information and to define appropriate levels of information security and protective measures
Labeling information simplifies access control
Labels speed up the audit and elimination of potential risks
Labeling demonstrates effort towards data security
Step 3: Protect existing files
8. Take “Anyone with the link” access under control
Why?
Files that are shared with “Anyone with the link” are accessible to ANYONE on the Internet.
If files containing any sensitive information are shared with “Anyone with the link”, your company may be facing a data leak and fines for non-compliance with data protection regulations.
Tips:
Look out for files shared with Edit rights
Remove link sharing for files that have not been modified for more than 1 year
Change sharing settings to “Editors cannot change permissions and share”
Change sharing settings to “Viewers and commenters cannot download, print, and copy”
You can see a quick overview of files shared with “Anyone with the link” in the High risk files overview, and search for files shared with “Anyone with the link” using filters in Audit files.
9. Take “Domain with the link” sharing under control
Why?
Files that are shared with “Domain with the link” are accessible to ANYONE in your company.
With the “Searchability” setting on, files can be found by accident by employees who are not authorized to access them.
Tips:
Look out for files with the “Searchability” setting on
Look out for files shared with Edit rights
10. Remove external party access when it’s no longer needed
Tips:
Remove external sharing for files that have not been modified for more than 1 year
Change sharing settings to “Editors cannot change permissions and share”
Change sharing settings to “Viewers and commenters cannot download, print, and copy”
11. Keep sharing with personal accounts in check
Why?
Personal accounts are generally less well protected than company accounts (encryption, 2FA and VPN are typically not enforced on personal devices)
Ex-employees often retain access by sharing company files with their private account before leaving the company
Sensitive data shared with personal accounts goes against most data protection regulations
Personal accounts are targeted by hackers more often than company accounts
Files shared with personal accounts can be accessed from different personal devices that are notoriously easy to breach: think of someone forgetting their phone in a taxi, accessing sensitive files on holiday, leaving the screen unlocked at a cafe, etc.
12. Make sure labeled files are shared appropriately
Use the Labels overview to quickly identify files that are shared inappropriately. Examples:
Files labeled “Confidential” are shared with “Anyone with the link” with edit rights (Publicly editable)
Files labeled “Internal” and shared outside trusted network
Files labeled “Confidential” and shared with personal accounts
13. Set appropriate sharing settings
Where appropriate, change sharing settings to “Editors cannot change permissions and share”
Where appropriate, change sharing settings to “Viewers and commenters cannot download, print, and copy”
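To make Steps 1 and 3 concrete, here is an added Python example; it is not part of this guide and not Florbs's code. It runs the checklist items above over a handful of constructed file records shaped like Google Drive API v3 `files` and `permissions` resources (type, role, emailAddress, domain, allowFileDiscovery, modifiedTime): sensitive title keywords, sharing left on files untouched for 3 years, the per-domain and per-external-user file counts, “Anyone with the link” with edit rights or older than a year, searchable domain links, personal accounts, and labeled files shared inappropriately. The company domain, the trusted network, the personal-domain list and every record are assumptions; the logic mirrors the checklist items, not any product's implementation.

```python
"""Offline audit of file-sharing metadata against Steps 1 and 3 of the checklist.

The records below are constructed sample data shaped like Google Drive API v3
`files` and `permissions` resources; they are not pulled from a real tenant.
"""
import re
from collections import Counter
from datetime import datetime, timezone

COMPANY_DOMAIN = "example.com"                        # assumption: your own Workspace domain
TRUSTED_DOMAINS = {"example.com", "partner.example"}  # assumption: your Trusted network
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
SENSITIVE_KEYWORDS = [  # the title keywords listed in Step 1, item 3
    "agreement", "confidential", "financial", "contract", "performance review", "cv",
    "client", "forecast", "employee", "non-disclosure", "meeting notes", "internal",
    "employment", "payroll",
]
KEYWORD_RE = re.compile(r"\b(" + "|".join(re.escape(k) for k in SENSITIVE_KEYWORDS) + r")\b", re.I)

def _domain(email):
    return email.rsplit("@", 1)[-1].lower()

def _age_days(modified_time, now):
    return (now - datetime.fromisoformat(modified_time.replace("Z", "+00:00"))).days

def audit_file(f, now):
    """Return the sorted list of finding codes for one file record."""
    findings = set()
    label = f.get("label")
    if KEYWORD_RE.search(f["name"]):
        findings.add("sensitive-title")                     # Step 1, item 3
    age = _age_days(f["modifiedTime"], now)
    shared = [p for p in f["permissions"] if p["role"] != "owner"]
    if shared and age > 3 * 365:
        findings.add("stale-sharing-3y")                    # Step 1, item 4
    for p in shared:
        if p["type"] == "anyone":                           # Step 3, item 8
            findings.add("anyone-link")
            if p["role"] == "writer":
                findings.add("anyone-link-edit")
                if label == "Confidential":
                    findings.add("confidential-publicly-editable")
            if age > 365:
                findings.add("anyone-link-stale-1y")
        elif p["type"] == "domain" and p.get("domain") == COMPANY_DOMAIN:  # item 9
            if p.get("allowFileDiscovery"):
                findings.add("domain-link-searchable")
            if p["role"] == "writer":
                findings.add("domain-link-edit")
        elif p["type"] in ("user", "group"):
            d = _domain(p["emailAddress"])
            if d == COMPANY_DOMAIN:
                continue
            findings.add("external-user")                   # item 10
            if age > 365:
                findings.add("external-sharing-stale-1y")
            if d in PERSONAL_DOMAINS:                       # item 11
                findings.add("personal-account")
                if label == "Confidential":
                    findings.add("confidential-personal")
            if d not in TRUSTED_DOMAINS and label == "Internal":  # item 12
                findings.add("internal-outside-trusted")
    return sorted(findings)

def external_exposure(files):
    """Files per external domain and per external account (Step 1, items 5 and 6)."""
    by_domain, by_user = Counter(), Counter()
    for f in files:
        domains, users = set(), set()
        for p in f["permissions"]:
            if p["type"] in ("user", "group") and p["role"] != "owner":
                d = _domain(p["emailAddress"])
                if d != COMPANY_DOMAIN:
                    domains.add(d)
                    users.add(p["emailAddress"].lower())
        by_domain.update(domains)   # count each domain/user once per file
        by_user.update(users)
    return by_domain, by_user

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

FILES = [  # constructed sample records
    {"id": "f1", "name": "Payroll 2023 - Confidential", "label": "Confidential",
     "modifiedTime": "2024-03-01T10:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "anyone", "role": "writer"},
         {"type": "user", "role": "reader", "emailAddress": "bob@gmail.com"}]},
    {"id": "f2", "name": "Project X roadmap", "label": "Internal",
     "modifiedTime": "2024-05-20T09:30:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "domain", "role": "reader", "domain": "example.com", "allowFileDiscovery": True},
         {"type": "user", "role": "writer", "emailAddress": "carol@partner.example"},
         {"type": "user", "role": "reader", "emailAddress": "dave@vendor.test"}]},
    {"id": "f3", "name": "Old onboarding notes", "label": None,
     "modifiedTime": "2020-01-15T08:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "dave@vendor.test"}]},
    {"id": "f4", "name": "Team lunch photos", "label": None,
     "modifiedTime": "2024-05-30T12:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"}]},
]

if __name__ == "__main__":
    for f in FILES:
        print(f["id"], f["name"], "->", audit_file(f, NOW) or "no findings")
    by_domain, by_user = external_exposure(FILES)
    print("external domains:", by_domain.most_common())
    print("external users:", by_user.most_common())
```

Findings are emitted as stable codes rather than free text so they can be counted, sorted by file label and fed into whatever ticketing or reporting you already use; the per-domain and per-user counters answer items 5 and 6 directly (the domain with the largest count is where a finished collaboration leaks the most access).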
Step 4: Protect future files
14. Create automated security policies to eliminate human error
Examples:
Automated labeling:
Automatically apply label “Internal” to all files in the shared drive “Management”
Automatically apply label “Contains PII” to all files with the keyword “CV” in the title
Automated permissions management:
Automatically remove sharing with external users from files with the label “Internal”
Automatically remove all sharing from files that have not been modified for 1 year
If you have a temporary project with an external party with a known end date, create a policy to automatically remove their access after that date.
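The policies in Step 4 are a small rules engine: each policy selects files, then either sets a label or strips permissions, and every change is logged. The following added Python example, not part of this guide and not Florbs's code, implements exactly the five example policies above (label the “Management” drive “Internal”, label titles containing “CV” as “Contains PII”, remove external users from “Internal” files, remove all sharing after 1 year without modification, and cut a partner domain's access after a project end date) over constructed records shaped like Drive API v3 `files` and `permissions` resources. The company domain, the partner domain `vendor.test`, the end date and all records are assumptions.

```python
"""Offline policy engine for Step 4: automated labeling and permission clean-up.

The file records and policy parameters below are constructed sample data shaped
like Google Drive API v3 `files` and `permissions` resources; nothing here calls
a real API and the domain names are placeholders.
"""
import re
from copy import deepcopy
from datetime import datetime, timezone

COMPANY_DOMAIN = "example.com"  # assumption: your own Workspace domain
PROJECT_END = datetime(2024, 3, 31, tzinfo=timezone.utc)  # assumption: agreed end of the vendor project

def _domain(email):
    return email.rsplit("@", 1)[-1].lower()

def _age_days(modified_time, now):
    return (now - datetime.fromisoformat(modified_time.replace("Z", "+00:00"))).days

def _who(p):
    return p.get("emailAddress") or p.get("domain") or "anyone-with-link"

def auto_label(name, matches, label):
    """Policy: apply `label` to every file for which matches(file) is true."""
    def policy(f, now):
        if matches(f) and f.get("label") != label:
            f["label"] = label
            return [f"label {label!r} applied"]
        return []
    policy.__name__ = name
    return policy

def remove_permissions(name, applies, should_remove):
    """Policy: on files where applies(file, now), drop non-owner permissions
    for which should_remove(permission) is true. Owners are never removed."""
    def policy(f, now):
        if not applies(f, now):
            return []
        kept, removed = [], []
        for p in f["permissions"]:
            (removed if p["role"] != "owner" and should_remove(p) else kept).append(p)
        f["permissions"] = kept
        return [f"removed {_who(p)}" for p in removed]
    policy.__name__ = name
    return policy

def apply_policies(files, policies, now):
    """Run the policies in order over copies of the records; return (files, change_log).
    Labeling policies come first so permission policies see the new labels."""
    files = deepcopy(files)  # never mutate the caller's records
    log = []
    for policy in policies:
        for f in files:
            for change in policy(f, now):
                log.append((policy.__name__, f["id"], change))
    return files, log

POLICIES = [
    auto_label("label_drive_Management", lambda f: f.get("driveName") == "Management", "Internal"),
    auto_label("label_keyword_CV", lambda f: re.search(r"\bCV\b", f["name"], re.I), "Contains PII"),
    remove_permissions("remove_external_from_Internal",
                       lambda f, now: f.get("label") == "Internal",
                       lambda p: p["type"] in ("user", "group")
                       and _domain(p["emailAddress"]) != COMPANY_DOMAIN),
    remove_permissions("remove_sharing_unmodified_1y",
                       lambda f, now: _age_days(f["modifiedTime"], now) > 365,
                       lambda p: True),
    remove_permissions("remove_vendor_after_project_end",
                       lambda f, now: now >= PROJECT_END,
                       lambda p: p.get("domain") == "vendor.test"
                       or _domain(p.get("emailAddress") or "") == "vendor.test"),
]

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

FILES = [  # constructed sample records
    {"id": "f1", "name": "Q3 strategy", "driveName": "Management", "label": None,
     "modifiedTime": "2024-05-01T10:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "eve@vendor.test"},
         {"type": "user", "role": "writer", "emailAddress": "frank@example.com"}]},
    {"id": "f2", "name": "CV - Jane Doe", "driveName": None, "label": None,
     "modifiedTime": "2022-01-10T08:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "user", "role": "reader", "emailAddress": "hr@example.com"},
         {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Project X deliverables", "driveName": "Project X", "label": None,
     "modifiedTime": "2024-05-28T15:00:00Z", "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
         {"type": "user", "role": "writer", "emailAddress": "eve@vendor.test"},
         {"type": "user", "role": "reader", "emailAddress": "frank@example.com"}]},
]

if __name__ == "__main__":
    new_files, log = apply_policies(FILES, POLICIES, NOW)
    for policy_name, file_id, change in log:
        print(f"{policy_name}: {file_id}: {change}")
```

Two design choices matter in practice: the engine works on copies and returns a change log, so a dry run shows exactly which permissions a new policy would strip before it is switched on, and owner permissions are excluded from every removal rule so a stale-sharing policy can never orphan a file.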