Skip to main content

Restricting unnecessary data sharing is key to any information security strategy.

Why?

It helps to minimize the potential impact of a data breach or unauthorized access to sensitive information. The less data that is shared, the fewer opportunities there are for hackers or other malicious actors to access and exploit that data. When you restrict unnecessary data sharing, you can also reduce the risk of data breaches caused by human error, such as an employee accidentally sending sensitive information to the wrong person.

Additionally, sharing data with third-party companies and service providers can also pose a security risk, as you are entrusting the security of that data to another organization. Restricting unnecessary data sharing helps you to be more selective about which companies you share data with and to ensure that they have adequate security measures in place to protect that data.

Finally, restricting unnecessary data sharing is also important from a compliance perspective as it helps organizations to comply with regulations such as GDPR and HIPAA that require organizations to protect personal data of individuals and to limit the sharing of sensitive information.

Guidance

Before making any changes, we recommend using a tool like GAM or other reporting tool with deep hooks into Google Workspace to better understand how many people are utilizing these features and what the impact of your changes will be.

Gmail

  • Disable settings such as Automatic Email Forwarding under End User Access to ensure that users cannot automatically send all emails outside of the organization or to unauthorized services.
  • Review and adjust Safety settings. We’d recommend settings all of them to ON, with the exception of “Protect against unauthenticated emails” to avoid legitimate flagging emails from misconfigured domains as spam.

Calendar

  • Prevent users from sharing anything other than free/busy information with external sharing for primary and secondary calendars. Depending on the organization, consider also disabling sharing for all information internally as well, or apply a rule to disable it for a group/OU of users with privileged calendar information, such as executives or your People team.

Drive

With Drive, you will need to think through how your employees are utilizing Google Drive to interface with external parties, like customers. In some cases companies may be presenting a Google Drive file as a public link to publish content online. Remember that settings can be applied to groups or OUs to more granularly scope permissions. The settings below represent an ideal:

  • Disable the ability for users to make files and published web content visible to anyone with a link
  • Only users in your domain can share content outside of your org
  • General access default is set to be private to the owner by default