Connecting Cloud services is incredibly easy – and useful. But do you really know what you are agreeing to?
One of the major strengths of Cloud systems is the ease with which they can be connected to add new features or to automate business processes. Linking these services is often as easy as clicking a button and supplying your password, allowing a third party to access your Google account.
Most of these third-party services are completely harmless – but if you don’t read the full terms and conditions of service, you cannot be sure. You must stop to consider the permissions being requested, and why the third party needs them.
Check the permissions request carefully
Whenever you connect a new service to your G Suite account, you’ll see a summary of the permissions being requested like this:
In almost every case, there is nothing untoward in these requests – according to Google’s rules, the service provider must tell you what they are accessing. Almost everyone ignores the request specifics, and clicks Allow without a second thought.
This complacency is incredibly risky, however, as some apps ask for permissions they don’t need, or use your data for secondary purposes that could compromise your business.
Understand what is needed. And why.
If you look closely at the picture above, you’ll see that each permission requested by DocuSign is listed. You’ll also notice there’s an ‘i’ icon next to each; click one and you can read a brief description of what you are being asked.
So there’s no reason to simply assume that everything is OK – the permissions request system gives you everything needed to make an informed decision before clicking Allow.
Some apps may ask for seemingly unrelated permissions – like the ability to access your contacts. Does the app really need that information? What if your contacts don’t want their details shared with Facebook? Does sharing that information without permission breach GDPR?
It is essential that you know exactly what a third party plans to do with your data once connected to your systems.
Implement (and enforce) a policy
Cloud technologies have been specifically designed to simplify the process of extracting useful information from data stores. However, Cloud services provided to employees are still corporate resources and must be treated as such. You must train employees in how to assess these permissions requests and the reputation of the organisation offering the service. If they are in any doubt, employees should raise a request for assistance before clicking Allow.
With each request, your business needs to carry out a risk/reward analysis of the service. Every third-party service carries a risk – but do the potential rewards outweigh the risks?
Where the risks are considered too high, users need to be warned not to connect their accounts. Conversely, where the rewards are considered large enough, employees should be given the go-ahead to begin working with the third party. You can create a whitelist of approved apps that workers can install as required.
This isn’t a case of draconian control for the sake of control either. Third-party services can – and do – cause big problems. We were recently called to help a worker who had linked Microsoft Outlook on Mac to their company Gmail account – and promptly lost all of their emails.
Clearly, the employee in question had failed to read the “small print” for the service and simply granted full access to their inbox. By not paying attention to what the service did, or fully understanding how to configure it, the user (unintentionally) caused a serious problem. Many hours of productivity have been lost trying to resolve the issue.
You must encourage employees to carefully read the terms and conditions for every service before granting permissions. The most common cause of data-related breaches is human error. Your team will need to be extra vigilant, and prepared, to avoid falling foul of GDPR next year.
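The whitelist and permission review described above can also be checked after the fact. The following is an added example, not part of the original article: it compares the permissions each user has granted against a list of approved apps and flags broad scopes such as full mailbox or contacts access. The app names, client IDs, users and whitelist contents are assumptions made up for illustration; the record fields (clientId, displayText, scopes, userKey) follow the token listing in Google's Admin SDK Directory API.

```python
# Added example: audit third-party OAuth grants against an approved-app list.

# Hypothetical whitelist: client ID -> scopes the business has approved.
APPROVED_APPS = {
    "esign.example-client-id": {"https://www.googleapis.com/auth/drive.file"},
}

# Scopes that need review whenever they were not explicitly approved.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full access to the mailbox",
    "https://www.googleapis.com/auth/contacts": "read/write access to contacts",
    "https://www.googleapis.com/auth/drive": "access to all Drive files",
}
G = "https://www.googleapis.com/auth/"
SAMPLE_GRANTS = [  # constructed records, not real users or apps
    {"userKey": "alice@example.com", "clientId": "esign.example-client-id",
     "displayText": "E-Sign App", "scopes": [G + "drive.file"]},
    {"userKey": "bob@example.com", "clientId": "mailsync.example-client-id",
     "displayText": "Mail Sync Tool", "scopes": ["https://mail.google.com/"]},
    {"userKey": "carol@example.com", "clientId": "esign.example-client-id",
     "displayText": "E-Sign App", "scopes": [G + "drive.file", G + "contacts"]},
]

def audit_grant(grant):
    """Return findings for one grant; an empty list means nothing to review."""
    scopes = set(grant["scopes"])
    approved = APPROVED_APPS.get(grant["clientId"])
    if approved is None:
        findings = ["app is not on the whitelist"]
        extra = scopes  # nothing was approved, so every scope is unreviewed
    else:
        extra = scopes - approved
        findings = [f"scope beyond approval: {s}" for s in sorted(extra)]
    for scope in sorted(extra & set(HIGH_RISK_SCOPES)):
        findings.append(f"high risk: {HIGH_RISK_SCOPES[scope]}")
    return findings

def audit(grants):
    """Map (user, app) -> findings for every grant that needs follow-up."""
    report = {}
    for g in grants:
        findings = audit_grant(g)
        if findings:
            report[(g["userKey"], g["displayText"])] = findings
    return report

if __name__ == "__main__":
    for (user, app), findings in audit(SAMPLE_GRANTS).items():
        print(f"{user} -> {app}: " + "; ".join(findings))
```

An approved app that later asks for more than was approved, as in the third sample record, is reported just like an unapproved one.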
If you need help creating a policy for third-party services, or for identifying “safe” ones that allow your business to be more productive, please get in contact.