The most frustrating job in corporate IT security
Whatever you do, never be responsible for end-user security on SharePoint
Even the users and administrators who work most closely with and are most responsible for installations of Microsoft's SharePoint document-sharing application either don't know or don't care enough about security to use the security features built into SharePoint themselves or encourage others to do so, according to a new study.
All but 8 percent of respondents to the survey understood that removing a document from the SharePoint server made it less secure, but 45 percent had done it anyway; 18 percent do it "regularly."
That means taking secure documents off the SharePoint server and copying them to either local hard drives or flash drives so the user can take the docs along when they leave, or even emailing secure documents to other people. Those who were willing to violate security in so obvious a way wouldn't hesitate to do it, either, if it "helps me get the job done," according to the study sponsored by Swedish risk-mitigation software developer Cryptozone.
Another 34 percent said they never think about the security of SharePoint documents and 13 percent said protecting the data or documents is not their responsibility.
The study itself comes with a couple of caveats, one of which actually makes that last point more disturbing.
Caveats about study make results even more disturbing
First, Cryptozone sells software designed to add security to SharePoint itself, so it's not exactly objective in its analysis, or in the choice of questions or respondents.
The sample size is also way too small to be statistically significant; the report is based on a survey of 100 attendees of a SharePoint Saturday conference in Nottingham, U.K. in November.
On the other hand, the only people who would go to a SharePoint Saturday meeting are either total newbies sent there for training, or they're the user administrators and IT people most responsible for security, maintenance and all the other systemic flaws IT people continually have to drill into end users to keep them from writing top-secret passwords on Post-it notes or leaving security doors unlocked while they run to pick up a pizza.
Though respondents didn't identify their roles clearly, 51 percent said they don't assign access rights within SharePoint and 69 percent said it's the in-house IT administrators who do that.
So the sample was split about evenly between end users and IT people.
Even assuming that all 49 percent of respondents who are IT people were among those who didn't think it was OK to bypass SharePoint security at will, that leaves a huge percentage of end users (and probably IT people, too, be honest) who not only don't take any pains to keep documents secure, they don't think it's their responsibility at all.
Actually, only 13 percent said explicitly that it's not their responsibility to keep documents secure. Forty-three percent said document authors can't be trusted to handle security or access rights on documents.
Assuming there's no crossover between respondents in those two categories, the results pretty well confirm that document authors (users) can't be trusted.
When they were asked why they copied documents out of SharePoint, 43 percent said it was because they needed to work on the documents at home.
Fifty-five percent said they needed to send it to someone who didn't have access to SharePoint at all.
If there is any single characteristic that should give everyone involved a hint that a particular person should not have access to a document – whether because he/she doesn’t need to or because it would violate security – it's the complete lack of access to the system.
Since almost none of the respondents said customers or employees of business partners were able to get into the SharePoint system, but the 45 percent willing to take documents out of SharePoint were also willing to email them to third-party companies, the picture painted by this little survey is pretty sad.
The only real conclusion is that SharePoint users, no matter what security is built into the system or how much training they have, appear to be willing to do anything necessary to bypass that security if it makes their own jobs easier or faster, even sending secret documents outside the company and permanently out of the control of anyone in it.
Whatever you do, never take a job handling security for SharePoint end users
According to market-analyst firm the Radicati Group, by 2014 there will be 477 million people using SharePoint systems worldwide.
Of the companies Radicati surveyed, half have deployed SharePoint companywide, most with no overall strategy for the deployment, use or efforts to secure documents in SharePoint.
One third of the Radicati respondents said more than half of the content in the system is mission critical.
So, just to summarize:
- if these two studies are at all accurate, there will soon be almost half a billion users of SharePoint worldwide;
- one-sixth of all the documents in all SharePoint systems will be mission critical;
- at least half of SharePoint end users will be willing to remove secure documents from all the security SharePoint or their employers put on the documents;
- of those willing to remove documents from SharePoint, nearly all are willing to email them to other people, including people outside the company, who would then be free to do whatever they want with what may often be mission-critical documents.
In most companies there is a small staff of document-management, records-management or IT security specialists who are in overall charge of keeping unstructured data like documents secure and training users how to do so as well.
After reading these reports, the only thing I can think to say to them is: get a different job. And good luck.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.