
Security

26 August 2019

3 cybersecurity recommendations regarding delegations

Delegations on mailboxes

Have you considered the validity of your email delegations? And OneDrive for Business? And SharePoint Online? 

The summer period is often synonymous with leavers and reorganisation. Automatic replies, internal change announcements and requests for delegations multiply as the weeks go by.

Email delegation, which allows an employee to manage someone else’s mailbox, is frequently required, especially with senior employees – managers and their assistants, strategic employees in HR, finance, security, and so on.

Such delegations are often a mark of trust, and are used frequently to compensate for a temporary absence. It often happens that these delegations remain active after the holiday they were covering, or beyond the point that they are relevant for other reasons – promotions, transfers, departures.  A nightmare for the IT and security teams!

Here are our 3 back-to-school tips that your users will love.

1. Update Delegations on Mailboxes

Rights granted during exceptional events such as the summer period can quickly multiply.  Among our customers, we see, on average, up to four delegations per person who is on holiday.

The risk is obvious.  The more delegations there are, the more likely they are to be unknown, forgotten or missed.  The more delegations there are, the more difficult it can be to identify malicious behaviour or even intrusion. For example, if one of the CEO’s delegates is themselves hacked, then the hacker will also have access to the CEO’s mailbox.

For the IT and security teams to maintain rigorous control, it is important to regularly check who has access to which mailboxes and whether delegated rights are up-to-date and valid.  Take the opportunity to clean up at the end of the summer and withdraw all out-of-date delegations.

NB For IDECSI customers and users: You have the ability to time-limit temporary delegations, in two ways.

  • You can set up a rule in advance specifying a temporary delegation.
  • When closing an alert for a new delegate, you can specify the period during which the delegation is acceptable. After the time limit expires, IDECSI will alert you to the out-of-date delegation.
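One way to run the periodic check described in this tip, shown as an added example that is not IDECSI's code and not part of the original article. It assumes mailbox permissions have been exported to CSV with the `Identity`, `User`, `AccessRights` and `IsInherited` columns that `Get-MailboxPermission` returns; the approved-delegation register, its expiry dates and all addresses are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample: rows shaped like an export of Get-MailboxPermission
# (Identity, User, AccessRights, IsInherited). All names are made up.
PERMISSIONS_CSV = """Identity,User,AccessRights,IsInherited
ceo@example.com,NT AUTHORITY\\SELF,FullAccess,False
ceo@example.com,assistant@example.com,FullAccess,False
ceo@example.com,intern@example.com,FullAccess,False
cfo@example.com,temp.cover@example.com,FullAccess,False
cfo@example.com,EXAMPLE\\Organization Management,FullAccess,True
"""

# Hypothetical register of approved delegations: (mailbox, delegate) -> expiry
# date, or None for a standing delegation with no time limit.
APPROVED = {
    ("ceo@example.com", "assistant@example.com"): None,
    ("cfo@example.com", "temp.cover@example.com"): date(2019, 8, 23),
}


def review_delegations(permissions_csv, approved, today):
    """Return sorted (mailbox, delegate, status) tuples for explicit delegations."""
    findings = []
    for row in csv.DictReader(io.StringIO(permissions_csv)):
        mailbox, delegate = row["Identity"].lower(), row["User"].lower()
        # Skip the owner's own entry and rights inherited from admin roles:
        # neither is a delegation that someone granted on this mailbox.
        if delegate == "nt authority\\self" or row["IsInherited"].lower() == "true":
            continue
        key = (mailbox, delegate)
        if key not in approved:
            status = "UNAPPROVED"   # nobody recorded why this access exists
        elif approved[key] is not None and approved[key] < today:
            status = "EXPIRED"      # temporary cover that outlived its period
        else:
            status = "OK"
        findings.append((mailbox, delegate, status))
    return sorted(findings)


if __name__ == "__main__":
    for mailbox, delegate, status in review_delegations(
        PERMISSIONS_CSV, APPROVED, today=date(2019, 8, 26)
    ):
        print(f"{status:<10} {mailbox} <- {delegate}")
```

Entries reported as `EXPIRED` or `UNAPPROVED` are the candidates for withdrawal or for confirmation with the mailbox owner.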

 

2. Educate and engage users regarding OneDrive and SharePoint delegations

Take advantage of this time to inform and educate users regarding collaboration tools.

In many companies, extremely wide sharing permissions are frequently given via OneDrive or SharePoint. Users easily share folders, give access, view files, and communicate externally, but often they do not know the specifics of sharing, and do not know how to delegate OneDrive and SharePoint access appropriately.

Once upon a time, we used to delete documents once they were no longer needed.  But now that we no longer have any storage constraints, thanks to the cloud, documents that have been shared often remain available indefinitely.

However, users often do not appreciate the subtleties of the sharing settings* in tools like OneDrive and SharePoint and their consequences.  If users do not want to delete shared documents, they should withdraw the sharing permissions – in order to avoid colleagues accumulating unnecessary rights to their documents.  Please note that in some cases, documents can even be indexed by search engines.

Therefore it’s important to educate users on the consequences of sharing and to support them with understanding good practice.

*Two sharing settings exist in OneDrive and SharePoint that users are frequently unaware of, but often use inadvertently:
– Worldwide share
– Company share

 

3. Give users visibility of delegations on their resources (email, OneDrive, SharePoint)

What if your users could easily see all delegations and shared access to their resources?
Even if users do not like the constraints of security policies, they are concerned about the security of their data.  In order to engage users in the security of the company, one key thing is missing: visibility. If users knew exactly who has rights and access to their mailbox and files, they could check if it’s correct and would be able to keep it up-to-date.  Users with such visibility would begin to see security differently – not as a constraint, but a positive support.

Based on this observation, IDECSI recently launched MyDataSecurity, an interactive web interface that shows users the current status of rights and permissions for their resources in OneDrive for Business, SharePoint Online and Exchange Online. Every user can verify their own delegations and report any updates needed.

 

During the summer period, IT and security teams often have real challenges following up every change within the company.  Therefore, at the end of this period it’s important to identify all delegations that are not used or needed anymore to keep the environment sanitised, and to help identify suspicious activity in future.

Every delegation represents a risk – unauthorised access, abuse of rights, account takeover, and data loss.  Delegations not only concern email, but also collaboration tools. The user must be aware of good practice.

To enlighten and engage the user regarding their own security and the security of the company, IDECSI offers a solution which allows each user to easily verify who accesses what, who has permission to do what, and who is sharing what within Office 365, Exchange, OneDrive and SharePoint.  You can therefore give everyone visibility of their own security.  This positive, trust‑based initiative ensures that all employees can actively participate in the defence of the company.
