The Perils of Oversharing

Oversharing

Information sharing is a fundamental aspect of business operations, but the ease with which information can be shared also brings the risk of oversharing.

Oversharing, in the context of information security, refers to providing access to data or resources beyond what is necessary for a specific task or role. This often occurs when links with higher-than-necessary privileges are sent, exposing sensitive information to unauthorized individuals.

Why oversharing is a growing concern

Oversharing may seem like a minor issue–what are the odds a shared document will be read by someone who should not read it? But there are three factors that make oversharing a growing risk:

  1. Many users are not aware that oversharing exists
  2. As overshared documents tend to stay overshared indefinitely, the number of overshared documents grows
  3. The increasing adoption of AI by organizations makes overshared documents easier to resurface


Defining Oversharing in Information Security

In the past, when people wanted to collaborate on a document, one of the easiest things to do was to send an attachment in an email. While attachments still exist and are still useful in some cases, in recent years sending links to shared documents has become a much more secure and efficient way to collaborate. Once an attachment is sent, it is no longer in the control of the sender, but when a link to a document is sent, the sender retains control of the original document. This is where oversharing can become an issue.

Not all types of sharing are the same. While sending an attachment was a single, simple action (just drag the file into your email), there is more nuance to how shared documents can be shared and more ways that shared documents can be overshared.

Here are four examples of types of oversharing:

  • Oversharing information: You are collaborating with a junior team member and need them to review the client’s most recent order, so you send them a link to the client’s folder. The junior team member can now see the client’s most recent order…but they can also see everything else in the client’s folder, which they don’t need to see. All of the information that is not directly relevant to the junior staff member’s role has been overshared. While everything that was overshared may be innocuous and it’s only been overshared internally, the relevant information could have been shared more securely by limiting what was shared to only what was necessary.
  • Oversharing permissions: You’re collaborating with an external partner for an upcoming event. You share the schedule for the event with them, but inadvertently give them editing as well as viewing permissions. They make some changes (including typos) to the schedule without consulting you and the altered schedule gets printed without you knowing it.
  • Sharing with everyone: You’re collaborating with an external auditor for an upcoming review. They ask you to send over some documents for them and their team to review. You don’t know exactly who needs to review the documents at the auditor’s company, so you change the link’s permissions from the strictest setting, “only people I select”, to “anyone with the link”. Now anyone who has the link can access the information, and that information has been overshared.
  • Sharing without expiration: You need to send a report to your supervisor but you don’t know when they’ll get a chance to review it. So you just send the shared link without including an expiration date. Unless you go back in and change the settings at a later date, that report is now (over)shared forever.

Oversharing and AI

Fundamentally, oversharing poses a security risk as information is accessible to people who should not have access to it. Most overshares get lost in a sea of shares and do not lead to any cybersecurity incidents. However, with the increasing adoption of AI by organizations, these overshares can pose an increased risk.

AI tools can unintentionally bring overshared information up to the surface.

Enterprise AI tools require vast quantities of data to be effective. When a new AI tool is legitimately given access to an organization’s network, by default the AI will “read” any documents to which it has permission–and this includes overshared documents. To be clear, the overshared information isn’t leaving the organization in this scenario–the AI tool will not be sharing any of this information outside of the organization. However, there may be sensitive information that could become accessible to all staff when the AI tool has access to overshared files.

For example, a company is quietly getting ready to merge with a larger company and has been sending (and unintentionally oversharing) financial data back and forth. Unrelated, the head of the Sales department asks the company’s AI chatbot to help put together a Sales budget for the upcoming year based on past budgets. The AI generates a new budget based on past budgets as well as projections from the overshared merger documents. Suddenly, staff have privileged information that could negatively impact their work or potentially hinder the company’s plans.

What can you do about oversharing?

  • Share with a purpose: When you share a link, you’re giving someone access to information. You should always set the strictest sharing setting you can.
  • Set an expiration date: If you only need to share the information for the duration of a project, set the share for the duration of that project.
  • Train staff: Many people do not realize oversharing exists. Training staff and setting up clear policies can help reduce the amount of oversharing in your organization.
  • Prepare your network before activating an AI: Tools exist that can scan your network and generate a report listing all of your organization’s active shares. Before you activate a new AI platform on your network, it is worth looking at one of these reports to find out exactly what your new AI tool will have access to.
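
As an added example (not code from this article or from any particular product), the sketch below reviews an exported report of active shares and flags each record against the four types of oversharing described above. The CSV column names, the sample rows and the internal domain are constructed assumptions; a real export would need its own column mapping.

```python
import csv
import io

# Constructed sample export; column names are hypothetical, not any vendor's schema.
SAMPLE_REPORT = """item,item_type,scope,permission,recipient_domain,expires
Clients/Acme,folder,specific_people,view,example.com,2025-03-01
Event/schedule.xlsx,file,specific_people,edit,partner.example,2025-02-15
Audit/ledger.pdf,file,anyone_with_link,view,,2025-02-01
Reports/q4.docx,file,specific_people,view,example.com,
Orders/latest.pdf,file,specific_people,view,example.com,2025-01-31
"""

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own domain


def classify_share(row):
    """Return the oversharing findings for one share record."""
    findings = []
    # Oversharing information: a whole folder exposes more than one document.
    if row["item_type"] == "folder":
        findings.append("information: whole folder shared")
    # Oversharing permissions: an external recipient who can edit.
    external = row["recipient_domain"] not in ("", INTERNAL_DOMAIN)
    if row["permission"] == "edit" and external:
        findings.append("permissions: external recipient can edit")
    # Sharing with everyone: the link itself is the only access control.
    if row["scope"] == "anyone_with_link":
        findings.append("everyone: anyone with the link")
    # Sharing without expiration: an empty expiry field means shared forever.
    if not row["expires"]:
        findings.append("expiration: link never expires")
    return findings


def audit(report_text):
    """Map each shared item to its findings, skipping clean shares."""
    results = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        findings = classify_share(row)
        if findings:
            results[row["item"]] = findings
    return results


if __name__ == "__main__":
    for item, findings in audit(SAMPLE_REPORT).items():
        print(item)
        for finding in findings:
            print("  -", finding)
```

Running a review like this before an AI tool is activated gives a list of shares to tighten or revoke first.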

At BSC Solutions Group, we know the value of balancing productivity with security. If you’re thinking of implementing a new AI tool and want to prepare your network to be as secure as possible, contact us today.