Survey finds many users blow by SharePoint security
A new survey of 100 SharePoint users across a variety of business sizes and job categories found that users were surprisingly cavalier when it came to maintaining SharePoint security requirements. Survey participants were attending the UK SharePoint Saturday conference and the survey was conducted anonymously.
The survey, which was conducted by Cryptzone, an IT threat mitigation company, found that when asked if they understood that taking content out of SharePoint made content less secure, 92 percent answered in the affirmative, yet when asked if they were willing to take it outside of SharePoint, fully 30 percent were willing to take the risk for the sake of convenience.
Further when asked if they had access rights to see a document they knew they shouldn't look at, a third said they would look at it, and another 10 percent said they weren't sure what they would do.
When asked what unauthorized documents they were most likely to take a peek at, 23 percent said salary details and another 34 percent said "other employee details." In other words, information they had no business looking at because it was HR-related and personal.
But it got worse. When asked if they ever copied sensitive documents from SharePoint to a USB or other personal drive, 18 percent answered they did so regularly and another 27 percent said they did so sometimes.
Finally, when respondents were asked why they took sensitive documents out of the safety of the system, 43 percent said because they needed to work at home (which makes sense), but 55 percent said because they needed to give it to someone who didn't have access to SharePoint.
I always point out the inherent bias in vendor-driven surveys. There is a tendency to show data that puts your business in the best light and the sponsor is an IT security company, but any way you look at this data, the results are fairly shocking and show that either IT needs to provide ways to protect documents better, or they have to find ways to make it easier to share with different parties inside and outside the company when needed in a way that allows IT to have an audit trail.