Discover what sensitive data (credit card numbers, medical info, government ID, and more) people in your organization have shared externally.
In October 2020, Google Workspace launched a new data protection insight report for admins in organizations that use Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, and Enterprise Plus editions. Unlike other security reports already available to Workspace admins, Google sends this report to admins automatically.
The report notifies administrators of potentially sensitive data, such as credit card numbers, birth dates, and governmental identification numbers, detected by the system. For example, I received my first email with “Data protection insights” on December 3, 2020. The system identified that 4% of files (305 of 7,555 shared items) containing sensitive content were shared externally (Figure A).
If data loss protection (DLP) is a concern, Google Workspace administrators may want to follow the steps below after receiving each data protection insight report.
Figure A
1. Review the key takeaways
The email lists some of the significant data shared externally. In my case, the system featured the following three types of data:
- 131 files with Global – ICD 10-CM Lexicon (International Classification of Diseases, 10th edition)
- 319 files with Global – ICD 9-CM Lexicon (as above, but 9th edition)
- 13 files with United States – Driver’s License Number
This gives you a quick indication of the top three data types that may be available to people outside your organization.
2. Access the data protection insights report
Next, either follow the View Report link from the email or access the data protection insights report in the Google admin console at https://admin.google.com/ac/dp (Figure B). You may need to sign in with your Admin account.
Figure B
The report lists several data types, along with the number of files detected with each data type, and the number of those files shared externally. In my case, for example, “Global – Email address” was the most frequently shared item. However, this data type is not actually a security concern for me, since I often include my email address in publicly shared presentations and documents.
3. Communicate concerns
Take a screenshot of your data protection insights summary and share it with appropriate people in your organization along with a brief security reminder:
“A recent automated Google Workspace data protection scan identified a few potential security concerns. While some of these may be false positives, it’s a good reminder to be thoughtful about any data you share.”
You also might include an additional sentence that summarizes the items of greatest concern from the report. For example, in my case, I might add, “Make sure to not share sensitive information, such as personally identifiable medical information.” Different organizations will no doubt have different security priorities and concerns to emphasize.
4. Configure a custom data protection rule
Administrators for organizations that use Google Workspace Enterprise or Education editions may want to create a data protection rule to address specific items of concern. To do this, sign in to the admin console and go to https://admin.google.com/ac/dp/rules/ to either add a new rule or edit an existing rule.
When you choose Add Rule, the system takes you through the following four-step sequence to configure the data protection rule (Figure C).
Figure C
- Name and scope: Where you select whether the rule applies to the entire organization, specific organizational units, or specific groups.
- Triggers and conditions: Where you specify what criteria the content must match (e.g., specific text, a default detector, regex detector, or a word list detector). You may add multiple conditional detectors within a rule.
- Actions: Where you choose whether to warn people before sharing or to block sharing certain content entirely, as well as choose whether to notify specific admins of the detected data exposure.
- Review: Where all of the above settings are displayed before you Create (or Update) the rule.
If you’ve configured the rule to alert you or others, be prepared for an initial series of emails as the rule detects conditions that match your specified settings. After this first set of alerts, activity tends to decrease, unless you have several people actively sharing triggering data, in which case continued alerts are exactly what you want.
In my case, I configured a rule to track down the US driver’s license sharing identified in my data protection insight report. Fortunately, the rule helped me figure out that the only actual license number shared was a fictitious license number found in a screenshot of a database vendor’s demo record. I had shared the screenshot with an external editor.
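A local dry run of a rule that combines a regex detector with a word list detector, to gauge how many alerts it would raise before you create it. This is an added example, not Google's detector logic or code from the admin console; the license pattern, the word list, the sample documents and all function names are constructed assumptions.

```python
import re

# Assumed regex-detector condition (constructed format: one letter + 7 digits).
# Real license formats vary by state; this is not Google's built-in detector.
LICENSE_RE = re.compile(r"\b[A-Z][0-9]{7}\b")

# Assumed word-list condition: context terms that must also be present.
CONTEXT_WORDS = ("driver's license", "driver license", "dl number")

def mask(value):
    """Hide the middle of a match so the dry-run output is safe to share."""
    return value[0] + "*" * (len(value) - 3) + value[-2:]

def evaluate_rule(text):
    """Return masked matches when BOTH conditions hold, else an empty list."""
    normalized = text.replace("\u2019", "'").lower()
    if not any(word in normalized for word in CONTEXT_WORDS):
        return []
    return [mask(m) for m in LICENSE_RE.findall(text)]

def dry_run(docs):
    """Map each triggering document name to its masked matches."""
    results = {}
    for name, text in docs.items():
        hits = evaluate_rule(text)
        if hits:
            results[name] = hits
    return results

# Constructed sample content, not taken from any real report.
SAMPLE_DOCS = {
    "customer-notes.txt": "Driver's license D1234567 on file since 2015.",
    "shipping.txt": "Order ref A7654321 shipped Tuesday.",
    "reminder.txt": "Please renew your driver's license before June.",
    "vendor-demo.txt": "Demo record, DL number X0000000 (fictitious).",
}

if __name__ == "__main__":
    for name, hits in dry_run(SAMPLE_DOCS).items():
        print(f"{name}: {hits}")
```

The vendor-demo document still triggers, as in the fictitious-license case above: the rule narrows the set of files to review, and a person decides whether each match is real.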
What’s your data protection approach?
If you’re a Google Workspace administrator and have received a data protection insight report, did you find the information useful? Did you, like me, notify others of the data shared? And, if you use the Education or Enterprise editions, did you add a new rule to help identify any shared data of concern? Let me know how you educate and alert people in your organization about shared sensitive data, either in the comments below or on Twitter (@awolber).