Eighty-three percent of SharePoint enterprises report actual security losses from user error.
Imagine for a second that you’ve left the world of technology. Suppose you decided to launch a new venture -- a retail store, or a nightclub.
You spend a lot of time working on the floor plans, construction, architecture -- even the menu. Your sign out on the highway has lots of flashing lights to attract visitors. On opening night you have thousands of people show up. There's a line around the block behind a red velvet rope. Everything feels like a smashing success.
Except you notice people aren’t staying as long as they can, and leave fairly early. Soon there's no one waiting to get in and you have plenty of empty space, not a lot of people. You're worried about all of those early exits -- why did they leave? To prevent a similar situation, you try a new policy -- no cover charge, but once in, you have to stay until 2 a.m. and cannot go anywhere else.
The next day no one leaves -- because no comes in. Soon your shiny new sign is dark and you're out of business.
Sounds crazy, right? Except that SharePoint implementations can all suffer from this issue. SharePoint failures are often left running. These so called "zombie" sites may represent nearly 60 percent according to AIIM of all SharePoint implementations ever tried.
Information Leaks on Zombie Sites
Information leaks can happen to many organizations. SharePoint is a fantastic enterprise content repository. Once content arrives, we can work with it -- collaboration, security, management, routing, information lifecycles, classification and archiving, for example.
But all these functions go for naught if the information leaves SharePoint as soon as it arrives. Just telling people they can’t leave isn’t enough. Most people don't have an exit plan for SharePoint -- they upload documents expecting to keep them in perpetuity. Zombie SharePoint sites drive a lot of information out the back door. Perhaps more perniciously, empty or sparsely populated SharePoint sites suggest to users this may not be the best place for them to keep storing documents. If the last home page update was 18 months ago, users won’t have much confidence.
Much of the focus on preventing information loss considers the targets. The two most common exit ramps for SharePoint information are desktop downloads and email. To be fair, content management for SharePoint should almost always prevent these scenarios. Lock the back door -- or at least close it.
Instead of focusing on where the content is going, we should talk about why. Most people approach SharePoint with the best of intentions. They’re trying to achieve a business goal -- usually, its collaboration. People start out trying to do the right thing. Even French philosopher Jean Jacques Rousseau would agree -- “Man is born free, but everywhere he is in chains.”
But despite this, things go wrong. Few people act with malice -- but in a recent HiSoftware webinar survey, 83 percent or respondents reported actual business loss over the past year due to security breaches caused by user errors or mistakes.
Content can be well ordered on SharePoint -- but the farther it moves afield, the less likely our controls will remain effective.
In my experience, there are three principle reasons why enterprise content stays away from SharePoint:
Baroque Information Architecture and Metadata Schemes
Left to their own devices, SharePoint can explode into a maelstrom of duplicate, hard to navigate sites. Users understand the value of using metadata to group and classify their documents with precision, but too often users are overwhelmed with lots of red asterisks -- * -- those all too familiar mandatory fields that need to be filled out before saving documents. It’s too much work, so users find the path of least resistance. Complexity leads to confusion, so anything you can do to simplify the architecture and streamline the metadata will help.
High speed collaboration is inhibited by elaborate security and publishing schemes. SharePoint has all the tools for tightly governed content publishing, with tools like granular security check-in/check-out and publishing approvals. This makes sense for some processes, such as HR policies or ISO-governed manufacturing process. But high velocity collaboration -- ideation, brainstorming, co-authoring -- gets difficult if there’s a heavy administrative process. Make sure that your level of governance is appropriate to the workload.
The Blank Slate
Out-of-the-box, SharePoint provides systems to let people work with SharePoint outside the browser and keep content under management. However, users may not be aware or permitted to use them. OneDrive for Business lets users keep offline, synchronized copies of files from SharePoint. Social tools like Yammer make it simple for users to communicate about content via email with Yammer and the Share function.
Users need to work locally and communicate, but if they don’t know where to collaborate, email and file downloads are the path of least resistance. Users don’t know what they don’t know. Even if you think you’ve already “rolled out” OneDrive and social, ongoing marketing and training will build the network of happy users, and encourage them to keep their files under SharePoint’s roof.
Finally, the obvious problem with SharePoint “zombie” sites is since they don’t contain relevant content, they can’t be managed. It’s really hard to generate reports or searches to answer the question:
Show me all the active content that ISN’T in SharePoint.”
It’s not there. It may have moved to email, desktops or even other clouds. The risks from information loss are real, and even more dangerous because the breaches remain unknown until they have large public impact (See "Thousands of Personal Details Exposed in Latest UK Data Breach Blunders," June 2014 and "Was Monsanto's Security Mistake Made All Too Often’?")
Closing security gaps is always important. But the vigilant enterprise is well served by exploring the most common reasons why users try to move their documents outside SharePoint -- complexity, technical bureaucracy and lack of training.