How to Share Data Securely
In cyber security, when we talk about data, we are not only talking about numbers and figures, but all types of information, such as documentation. The terms ‘data’ and ‘information’ do mean different things, but are often used interchangeably, or used as umbrella terms to include documents, files, and other electronic media. When we talk about sharing data securely, we are thinking about the security of all data, information, documents, records, and files that are stored on our computers and in the cloud.
SharePoint and One Drive provide a cloud-based hosting platform that you can use to store and share documents securely. These Microsoft products also allow you to secure your files so that only the people you want to be able to access these files can do so.
Before sharing any data it is important to question:
Who you are giving access to, and
Why they need access
In the same way that you would not pass your personal data, such as banking information on to just anyone who asked without first evaluating if they are a person you trust, and if they are requesting it for a legitimate reason, this principle should also be applied to sharing work and personal files, because when you do so you are not only sharing the data stored within those files with that person, but also sharing access to your SharePoint or One Drive.
When using your work SharePoint account, you can access only the files that you have been given permission to view. This is a safe way for the company to store confidential data that they do not want to become public knowledge. Sharing links that are generated for restricted SharePoint files will not be able to be opened by any user who does not have the necessary permissions for this file.
You can set this level of security up for yourself too, at work and at home. When creating a document or file in SharePoint or One Drive, you can manage the ‘Share settings’ by clicking on the ‘Share icon’, which looks like a box with an arrow inside of it. Once inside the ‘Share’ pop-up you can click the pencil drop-down to open ‘Sharing settings’.
The default sharing settings shown above allow for anyone with the sharing link to edit your documents and files. This means that if you share this link via email, and that email gets forwarded to someone else, or intercepted by a hacker, then your files can be read, edited, or even deleted by this third party that you did not intend of having access to your files in the first place. Your work account has some more security settings configured, so the default sharing links will instead go to only people in your organisation, and they will be 'view' only links rather than 'edit'.
On SharePoint, the security options have mostly been set by what is allowed and not-allowed by the company’s SharePoint as a whole. However, you can still restrict access to a sharing link based on who you want to be able to view this file in particular, and how much access you wish for them to have – are you letting them read the file only, or do you want them to be able to edit it too?
On One Drive, you will see a greater variety of security options for sharing your files, including the option to set sharing time limits. This is important when sharing files externally to your company, as it restricts the amount of time your files sharing link can be used for. This prevents ‘open access’ to your One Drive that any hacker who intercepts your email would gain, which can be further protected against by password protecting any files that you share.
When you set a password on a file, it is important to use two separate methods of communication to pass the file sharing link and the access password on to the person you are sharing with, such as sending the file sharing link via email, and using a Teams messaging channel to pass on the access password. File passwords should also be unique, which means they are not the same as used for any other files you have shared and are not the same as any of your account passwords.
Setting these restrictions when sharing a file is similar to using allow lists - this means no-one has any access to anything until you specifically allow them. This is the opposite of how most people think of security - it’s not saying what you can’t do but rather it is saying what you can do. When it comes to giving people permissions on your system the best advice is: just enough and no more. Give people just enough access to do their job and no more. This is known as the principle of least privilege.
Removable storage devices such as USB sticks are often considered a security risk, which is why they are not permitted to be used at work, unless a very specific exception is granted. In some instances, such as a personal device you have purchased and been in control of the whole time, they do not pose as much of a threat. However, malware can be present on a device that you connect a trusted USB stick to, which can be transferred to the USB, and then to your personal or work computer when you next use the USB on that device.
The main threat presented by USBs come from using devices that are ‘found’. Items that you are not sure where they have come from, or do not recognise, should never be connected to your computer. Even if the device is clean from any malware, and old and badly-treated USB could cause file corruption, making your data no longer available to you or the person you are sharing the data with. These reasons together result in the government-back cyber security accreditation Cyber Essentials prohibit the use of USB storage devices without authorised justification.