There’s no doubt that Google Drive continues to grow in popularity as time goes on. The convenience factor simply can’t be ignored. You can work on projects and store them online while giving access to others who need to work on the same files. It’s a valuable tool for both business and personal file storage.

However, with all of this convenience comes a bit of concern: “Is my Google Drive secure? Are my files safe?”

To give you a better understanding of Google Drive security, let’s review how Google handles security, a few of its vulnerabilities, and some tips to make sure your Google Drive is always secure.

How Google Drive security works

It’s no secret that security is a priority for Google. With an astronomically high number of users comes a certain level of responsibility to provide top-notch Google Drive security.

Google Drive uses two different levels of security:

1. 256-bit SSL/TLS encryption
2. 128-bit AES keys

You’re likely asking yourself: Why two different levels of security?

Data becomes more vulnerable whenever it’s uploaded, downloaded, or accessed by end-users. This makes it easier for hackers to intercept data being transferred between the user and Google Drive. When these files are in motion, the higher 256-bit encryption level makes it harder for hackers to access them. While files are static, the lesser, yet still strong 128-bit encryption is used.

Also, while files are being stored in Google Drive, Google breaks them into several chunks. Each of these chunks is given a separate encryption key. Not only are these chunks useless on their own to a hacker, but it would take a superhuman effort for that effort just to obtain each piece of data.
Overall, Google Drive security seems to be fairly airtight. However, there are still a few concerns for IT admins to be aware of and be proactive about remediating.

Google Drive security vulnerabilities

One of the biggest Google Drive security vulnerabilities has to do with how Google has keys to access your data at all times.

Hackers have an easier time accessing your data since Google can decrypt your files at any time. Should a server breach occur, all of your data could be largely compromised.

At the end of the day, you can be your own worst enemy when it comes to Google Drive security. For each device (computer, phone, or tablet) you choose to sync with Google Drive, you can choose which folders will sync from Google Drive to that device. Some users choose to sync all folders, and some select specific folders to sync. Either way, should a hacker gain access to any of these devices, they will have access to the data you’ve synced over from Google Drive to that device.

Losing track of who has access to your Google Drive files is another potential vulnerability. It can be tough to manage access to your files, especially if IT is doing so without a SaaS management platform.

With these vulnerabilities lurking, IT must implement additional Google Drive security measures to protect your important data.

Tips for Improving Google Drive Security

Despite Google Drive security being adequate out of the box, it still makes sense to do everything in your power to protect your data.

Here are some important tips for keeping your data safe and secure.

Two-factor authentication

Phishing traps can be used to obtain your password and gain access to all of your Google Drive files. Not an ideal scenario for anyone, whether it’s business files or personal data.

Because of this, two-factor authentication is quickly growing in popularity as a security measure for various software and applications. It’s a simple countermeasure designed to prevent hackers who have obtained your password

Enabling two-factor authentication means that Google will send a verification code to your mobile phone number after you enter your password. If someone is trying to maliciously gain access to your files, they’ll need both your password and your phone to do so.

While it may seem tedious to enter this code every time you sign in to your Google Drive, it only adds a few extra seconds to the experience. Two-factor authentication is also simple to set up. Here’s a guide from Google to help you get started with two-factor authentication.

Keep the circle small

As we’ve mentioned, it’s easy to lose track of who has access to your Google Drive, especially in the business world.

A good place to start is by ensuring that everyone only has access to the files they need to do their jobs. This “least-privilege” principle helps you keep track of who can access data and can help you reduce potential data exposure.

Back up your data

Losing critical business or personal data and files can be a mess, which is why backing up your Google Drive is a crucial step to eliminate the impact of this scenario.

Losing data isn’t always someone else’s fault, either. It’s easy to accidentally delete files that you intended to keep—a mistake that everyone on the planet has made at some point.

Leverage a SaaS management platform to simplify data security

As several research reports have confirmed, the SaaS explosion has created a new (and urgent) need for a SaaS management platform like BetterCloud. Without full visibility into how files are shared internally and externally, it’s virtually impossible for IT to secure a cloud-based environment.

BetterCloud enables IT admins to simplify file security in several ways. Our content scanning capabilities give you the visibility that you need to ensure that files aren’t improperly shared or exposed. Admins can also build automated workflows to remediate oversharing of sensitive information without manual intervention.

Want to get into the nitty-gritty of how BetterCloud empowers you to secure your organization’s files? Check out this in-depth blog post on our content scanning functionality.

Take Action and Improve Your Google Drive Security

Being concerned with your Google Drive security is perfectly reasonable. You wouldn’t want any of your data to end up in the wrong hands.

Security is certainly a priority for Google, but that doesn’t mean that there aren’t any risks and vulnerabilities. Google always having access to your files is a cause for concern for many security experts. Not to mention the damage that either you or the people who have access to your drive that you don’t know about can cause.

Data security is crucial for both business use and personal files. Implement these tips today and ensure that your Google Drive is as secure as possible.

To learn more about how BetterCloud can help you improve your Google Drive security, click here to schedule a demo.

These days your inboxes are undoubtedly full of headlines about yet another security breach or GDPR, a new regulation designed to give EU citizens more control over their privacy and personal data. And for good reason. These issues are becoming increasingly important for the enterprise and all companies should take note. Did you know that under GDPR, you have only 72 hours to respond to a data breach or risk being fined up to 4% of your company’s revenue or €20 million, whichever is greater?

At AODocs, a document management and business application platform built on top of Google Drive, we are all about helping companies control their documents and improve security and efficiency, without sacrificing user experience. Helping you comply with GDPR is naturally part of our mission. Many companies are using AODocs to centralize their documents, automatically detect and manage files containing personal information, and apply retention and disposition policies. Beyond helping them achieve GDPR compliance, AODocs allows these companies to improve efficiency and significantly reduce costs.

But what about the documents that your users leave in Google My Drive and never put into AODocs? This scenario poses major risks to the enterprise as these documents are not controlled. Imagine if someone in your HR department accidentally put a document containing sensitive personnel information in their My Drive and the file accidentally gets shared to a large group. This could have some pretty serious repercussions.

That’s why we’ve partnered with BetterCloud, a SaaS operations management platform that allows companies to monitor content in G Suite and Google Drive and enforce the proper policies automatically. With a powerful content analysis engine, BetterCloud scans your Google Drive and detects files containing sensitive data, including personally identifiable information, which are not controlled by AODocs. You can then create policies that automatically alert your administrators and make sure these documents are secured by putting them in the right AODocs library. AODocs then allows for proper document ownership, permissioning, and retention and disposition rules.

Given the need for companies to identify, audit, and repair breaches as required under GDPR, this integration couldn’t come at a better time. Our user-friendly platforms make it easy to automate security and compliance, freeing up your employees to focus on business critical issues.

Contact us for a demo!

The entire organization is frantic and they’re looking to you for answers.

“I thought we had policies in place to prevent this. What happened?”

“Why didn’t you catch this sooner?”

“Has this happened before?”

“How are you going to fix this?”

Despite more and more breaches making headlines every day, many organizations aren’t in a position to answer questions like these, let alone prevent, identify, or remediate any sort of data breach.

That must change.

And it starts with coming to terms with a hard truth: Your organization is at risk. While many may read this post and chalk it up to basic fear-mongering tactics, a quick search for the words “data breach” will hopefully convince you otherwise.

Even the world’s most secure organizations are affected by data loss. It’s unavoidable. But that doesn’t negate the need for preventative measures. Risk reduction is essential, and only by following best practices and implementing the right technology is it possible.

Download our latest whitepaper: Protecting Google Drive Data: 5 Critical Requirements for Data Loss Prevention.

Every Organization is a Target, Especially Small Businesses

Small businesses are attackers’ “favorite targets,” according to an Oct. 2015 SEC report, which called for small and midsize businesses to dedicate more time, money, and energy to prevent cybercrime. Approximately 75% of all spearphishing attacks (i.e. highly targeted attacks that usually involve executives or people handling sensitive information) are targeted at companies with less than 2,500 employees, with roughly 38% targeting companies with less than 250, according to a June 2015 Symantec Intelligence report.

Take UGI Utilities, a small Pennsylvania-based public utility company, for example. In January 2017, the names, social security numbers (SSNs), birthdates, addresses, salaries, and W2s of 1,600 employees were “acquired” via a data breach. Every affected employee is now (and for the rest of their lives) at risk of becoming an identity theft victim.

Financial organizations are the most common victims, making up 24% of confirmed breaches. Healthcare (15%), retail and accommodation (15%), and public sector entities (12%) rounded out the top four most commonly breached.

The Cost of a Data Breach

The average data breach costs $4 million, according to a 2016 Ponemon Cost of Data Breach Study. That’s why more and more attention and budget is allocated to the category of data management and protection. In fact, 57% of companies use two or more vendors to prevent data loss, according to the 2016 edition of the Global Data Protection Index.

Of course, there are direct financial consequences to data loss, but the indirect consequences are arguably even more significant. Deloitte lists 14 cyberattack business impact factors with the most costly being value of lost contract revenue, operational disruption, devaluation of trade name, and loss of intellectual property.

Further, employees affected by breaches are at a much greater risk of identity theft and falling victim to a phishing attack. “1 in 8 English consumers have experienced a breach of their digital healthcare data—more than half of those (56%) were victims of medical identity theft,” according to an Accenture 2017 Consumer Survey on Healthcare Cybersecurity and Digital Trust. This is a liability for the organization from which the data was stolen.

In 2015, 435,000 former Sony Pictures employees won a class-action lawsuit after being affected by a data breach. The settlement cost Sony an estimated $15 million and each employee was awarded $10,000.

Image credit: Deloitte.

Sophisticated Attackers Make Detection Difficult

There are many intelligent people who are motivated by various factors, primarily money, to commit fraud or identity theft.

In late 2016, news surfaced of a hack affecting a midsize telecommunications and internet provider called Three UK. The hackers obtained personal information about 210,200 customers, according to The Telegraph. The attackers then used employee logins to carry out the hack, which enabled them to “trick the mobile company into sending them high-end upgrade handsets meant for customers.”

And it can take just minutes to compromise a domain, yet more than 75% of data loss incidents aren’t discovered for many days, according to a Sept. 2016 McAfee Labs Threat Report. Yahoo was affected by one of the largest data loss events in history (more than one billion accounts were exposed). They remained unaware for three years and the breach wasn’t even discovered by the Yahoo IT or security team.

To mitigate damage and remediate a breach quickly, you must detect the incident in the first place.

Middlesex Hospital is a great example of this. On October 9, 2015, the Middlesex IT team discovered that four of its employees had fallen victim to an email phishing scam. Unbeknownst to the victims, attackers secretly set up email forwarding rules. Even if the affected users followed recommended best practices and changed their passwords, the malicious email forwarding rules would continue to forward all emails to the hackers.

During a demo of BetterCloud, Middlesex Hospital decided to test one of BetterCloud’s email forwarding reports, which helps IT see all users who have forwarding rules in place, enabling them to identify where email is being forwarded to.

When the Middlesex Hospital IT team ran the report, they immediately noticed that emails were being forwarded to a suspicious address. “BetterCloud gave us the ability to identify exactly what happened that led to the breach,” said Shelton. The IT team immediately remediated the issue, removing the forwarding rules and resetting everyone’s passwords. Thankfully, the issue was identified within time to ensure no social security or credit card information was accessed.

Breaches Aren’t Always the Work of Attackers

While cyberattacks might get all the press, many data loss events are the result of human error and privilege misuse, which commonly takes months or years to detect without proper data loss prevention (DLP) in place, according to Verizon’s 2017 Data Breach Investigations Report.

These breaches can occur due to:

• Improper or incomplete offboarding: Companies often have former employees that still have access to company data, even years after exiting. Offboarding that takes hours, days, or even weeks to complete leaves companies vulnerable and is often a significant compliance issue.
• Accidental data disclosure: Misdelivery of information is far and away the primary form of human error, making up more than 50% of all error-related data breaches, according to Verizon’s 2017 report. With email autofill and human inattentiveness, it’s easy to understand how sensitive information escapes to the wrong person via email or accidental document sharing. Organizations should “focus on monitoring designed to capture (and prevent) data transfers” in real time, according to the Verizon report.
• Failure to revoke partner, contractor, or consultant access: The “freelance economy” is exploding. In fact, freelancers made up 35% of U.S. workers in 2016. Freelancers, along with partners, consultants, and other external parties are often granted limited time access to information. Many companies fail to revoke that access after the contract or partnership is severed.
• Lost or stolen devices: 95% of Americans own a cell phone, nearly 80% own a desktop or laptop computer, and more than 50% own a tablet, according to a 2017 Pew Research Center Mobile Fact Sheet. Losing or having a device stolen is common. Organizations without the ability to perform remote DLP actions, whether it’s wiping devices, resetting passwords, or even suspending accounts are vulnerable to a data breach.
• Malicious theft: In some cases, existing employees take advantage of the access they’re afforded. Many times, cases of malicious data theft have financial motivations, where employees intend to use company data for monetary gain or for a future competitive advantage, according to the Verizon report.

Combatting Complacency

Complacency is often the cause and catalyst for a data breach. Taking the “it-won’t-happen-to-me” approach is less expensive and less stressful, but it makes for a bigger headache later.

You need to take proactive action and take data loss head on. If you’re prepared and armed with the right technology, the likelihood of significant data loss undoubtedly decreases.

So how would you rank your ability to prevent, detect, and remediate a breach?

Before you go, download our whitepaper: Protecting Google Drive Data: 5 Critical Requirements for Data Loss Prevention.

Just last week, during Google I/O, Google announced huge updates to Google Drive making it a truly enterprise-ready collaboration and productivity tool. These new updates should make you more motivated than ever to begin rolling out Drive to your entire organization. Here’s how:

1. Determine the Requirements

First and foremost, you need to clearly illustrate why you want to roll out Drive to your organization. Having a clear reason in mind will not only help to better define your goal and gauge your success at the end of the roll out, but it will help you achieve buy in from others within the IT department and your organization’s management, not to mention employees.

Some reasons for rolling out Drive could be to:

• Move away from Microsoft Office, Box, Dropbox or OneDrive
• Increase collaboration and consolidate the use of collaboration and storage tools
• Deprecate your legacy file share / server

2. Start Using Drive Primarily for Storage

As noted above, reasons you’d like to implement Drive could be to move away from third-party cloud storage services like Box, Dropbox or OneDrive or deprecate your company’s file share. With Google’s recent announcement of Drive for Work, which includes unlimited storage with up to a 5 TB file size, Drive seems like a no-brainer for companies already operating on Google Apps. And there’s no easier way to encourage employees to adopt Drive than by starting with storage. After all, employees are very likely already storing personal files on consumer-facing cloud storage systems, so adopting these behaviors in a professional setting shouldn’t be too big a change. To speed up the adoption, you can also upload your file server to Drive so employees can access this information in the cloud. You’ll not only slowly be able to do away with a legacy file share like SharePoint, but you’ll also encourage employees to use Drive more frequently.

Storing files on Drive also carries with it a great value proposition – with the Drive mobile applications available for both iOS and Android, users will be able to access their important documents from literally any device, anywhere at any time. The experience these Drive mobile apps provide is impeccable and allows users to view, edit and share files on the go.

3. Encourage the Use of Native Google Docs for Simple Work

Now that your employees are used to accessing files on Drive, you should encourage them to create native Drive files for simple purposes like meeting notes that need to be shared within a team or across the company. Creating Google Docs for simple items like note-taking is easy and doesn’t require employees to really change their behavior – over the years Google has significantly upped functionality for Google Docs, creating an experience akin to Microsoft Word.

Even if you don’t actively encourage users to create Google Docs, you’ll likely see some passive adoption from users who are experienced with Drive via personal Gmail accounts. Others might adopt Drive on their own because of its integrated nature – Drive pops up everywhere in the Google Apps suite from Gmail, to search results and even Hangouts. We’ve seen this passive adoption first hand when a company installs our product, BetterCloud, and runs a Drive usage report. More often than not, a larger portion of the company is using Drive than previously thought.

4. Move Certain Departments to Native Google Docs

At this point in your roll out, employees are used to accessing important files on Drive and even creating Docs for simple purposes. It’s time to migrate certain departments to Google Drive completely, but before doing so, evaluate the needs of the departments you’re hoping to migrate. It’s not a good idea to transition departments that rely heavily on Microsoft Excel, Project or Visio. While there are certainly Google Apps native and third-party offerings to replace these systems (more on this below), starting the full migration with Microsoft power users won’t make for a smooth transition to Drive. To help specific departments adopt Drive more quickly, work with department managers to set guidelines about what must be created and stored in Drive.

When you do select the departments you’d like to fully migrate, expect for some pushback. No matter how ready or well prepared your employees are for the transition, change is always difficult. To ease the transition, explain why moving fully to Drive makes sense for the organization and individual users. Hold training sessions and share useful resources so users can educate themselves.

5. Monitor Drive Adoption and Uninstall Drive Competitors

To make sure employees you’ve fully transitioned to Drive are really using the application to its fullest, uninstall competitors like Microsoft Office from their devices. Using a third-party application like BetterCloud can also help you determine whether or not users are accessing products like Box and Dropbox with their Google Apps credentials. BetterCloud will also show Drive usage trends to help you better evaluate desired versus actual usage rates. Some key indicators of Drive usage should be increasing rates of Doc creation, sharing, adding several collaborators to a document and so forth.

6. Evaluate and Install Third-party Applications & Docs and Sheets Add-ons

Now, it’s time to take advantage of the third-party applications that extend the functionality of native Google Drive features. Explore third-party applications in the Google Apps Marketplace. You’ll find that Lucidchart, which provides Visio-like functionality in the cloud, and Smartsheet, a Microsoft Project replacement, are both fully integrated with Google Drive. Heavily integrated applications like these really show employees the true power of Drive. And cost savings following the deprecation of costly Microsoft software provide additional benefits.

In addition to Lucidchart and Smartsheet, there are a host of applications that seamlessly integrate with and enhance Google Drive. Utilizing the Marketplace and Add-ons for Docs and Sheets, launched earlier this year, can greatly augment Drive functionality.

You should look for applications that not only replace crucial functionality, but ones that are fully integrated with Google Drive and Google Apps. Features to look for are single-sign on with Google ID, Google contacts integration for easier sharing, the ability to attach and access Drive files within the application and the ability to chat with Google contacts.

7. Migrate Microsoft Power Users to Google Drive

Now that certain users within specific departments are comfortable with Drive and you’ve even given them replacements for legacy tools, it’s time to start transitioning over Microsoft power users. Be sure to show these users the power of Google Sheets, updated late last year to provide diehard Excel fans with similar functionality, and introduce them to aforementioned third-party applications that fully integrate with Drive and can replace legacy mainstays like Visio and Project.

8. Gauge the Success of Your Rollout

Following your rollout, make sure to hold training sessions and office hours. Invite people to come speak with the IT department and designated Google Guides (expert users). To gauge your success, survey your entire user base asking about overall satisfaction and any pain points encountered and continue to monitor usage with third-party reporting applications.

9. Continue to Educate Your User Base

Though your entire organization is now using Google Drive, it’s important to continue to educate your user base. As we saw with last week’s huge announcements at Google I/O, Google in constantly updating their core service offerings. These updates usually bring added functionality, better parity with legacy systems and added ease of use for your users. While change can be scary, ease the transition by staying on top of feature updates and sending out a company-wide email whenever drastic changes occur. Keeping your user base informed will not only enhance their productivity, but each new feature update can serve as a reason to get them back into the application.

Stay tuned for the next post in this series, focusing on how to roll out Google Hangouts.