Key Points

• Despite built-in security features, Google Drive carries cybersecurity risks. After scanning approximately 6.5 million Google Drive files, Metomic found 40.2% contained sensitive data that could put an organisation at risk of a data breach or cybersecurity attack.
• Organisations such as financial institutions face escalating cyber threats, including ransomware attacks and generative AI sophistication, emphasising the imperative for heightened security measures to safeguard valuable data stored in platforms like Google Drive.
• To address these risks, organisations are advised to adopt best practices such as strengthening access controls, implementing Multi-Factor Authentication (MFA), educating employees on data security and utilising Data Loss Prevention (DLP) tools
• ‍Metomic's data security solution can be used to enhance Google Drive security through tailored notifications, swift issue resolution via Slack, and facilitating risk audits for effective sensitive data protection.

Is Google Drive Data Secure?

Using Google Drive can bring valuable productivity benefits to companies, but many aren’t aware that storing data on the platform carries significant cybersecurity risks. 

Our 'Google Drive Risk Report' highlights over 350,000 of the files analysed were left publicly accessible, meaning a lot of businesses aren’t doing enough to protect their data from breaches and potentially exposing vast amounts of sensitive company data.

These gaps in Google Drive security are particularly pressing for financial institutions. As they are responsible for more sensitive data than most, failing to take the necessary protective measures can lead to serious financial, reputational and legal consequences. 

Are financial organisations more at risk?

Organisations, such as financial institutions, are very attractive targets for cybercriminals. As a result, they face relentless and increasingly sophisticated efforts to steal their valuable financial and personal data stored in cloud platforms like Google Drive. 

There’s been a large increase in ransomware attacks on the financial industry in recent years. Modern ransomware strains are becoming better and better at encrypting files quickly and stealthily. This improves the attacker’s chances of being able to steal data and demand extortionate ransoms. 

Phishing attempts and social engineering are also increasingly common threats. These involve tricking employees into sharing login details or providing access to critical data stored on platforms like Google Drive. In 2022, finance was the most heavily targeted sector for phishing attacks, highlighting the scale of the threat. And as the Google 2024 Cybersecurity Forecast warns, generative AI is making these attackers even more sophisticated.

Recent incidents highlight how bold cyber attackers have become in attacking financial institutions. For example, the world’s largest bank - ICBC Financial Services - was crippled by a recent ransomware attack, forcing it to resort to settling trades with a USB stick.

Staying compliant with industry regulations

Those that don’t properly protect themselves against breaches like these risk falling foul of financial data security regulations across North America and Europe. Compliance regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) mandate strict measures for securing financial data, with non-compliance penalties ranging from strict fines to costly forensic audits. 

Beyond cyberattacks, financial institutions also need to guard against other Google Drive data loss scenarios, like:

• accidental deletion
• data corruption
• hardware malfunctions

Such incidents can lead to damaging operational disruptions and financial losses.

Out of all sectors, finance is second highest in terms of the financial cost of breaches. However, the costs are never solely monetary. Damage to reputation and diminished customer trust are common, and often worse for financial institutions due to the sensitive nature of the data they hold. 

What are the Security Risks in Google Drive?

As we have mentioned, Google Drive is not completely secure from cyber threats. Here are some of the security risks that could spell trouble for an organisation:

1. Phishing and social engineering

Google Drive is a secure platform and does contain plenty of security features to help protect your data, such as encryption, two factor authentication (2FA), and phishing and malware detection tools. 

However, even with these tools, the weak security link in all of these is the human element. Phishing and malware databases need to be constantly updated, making it likely that an attack may slip through the net. After that, all that’s needed for a data breach is for someone to click on a suspect link.

And even worse, the humble phishing email has received a new lease of life with the advent of Generative AI. Whereas previously, phishing emails were easy to spot through their terrible spelling and grammar, AI can create perfectly legible emails that can pass a cursory glance. 

It’s even sophisticated enough to write the code necessary to create passable landing pages to help capture an unfortunate target’s identity credentials.

Not to mention social engineering - why steal the keys to the kingdom when you can get your targets to give them to you with a few well placed questions?

2. Connection to multiple devices

If one of your devices that is connected and signed in to Google Drive is misplaced or stolen, the thief potentially has access to everything in your Google Drive, including any sensitive financial data you’re storing in there.

Considering that just over half the UK population has lost at least one phone, it’s easy to see how this can be a pretty big problem.

It is more difficult to steal a laptop from a home or your person, but because mobile phones and tablets are smaller and more mobile, they are by their very nature at greater risk of theft and misplacement.

3. Connection to multiple accounts

Now, multiply the problem in the previous point by how many people are using that Google Drive. Any Google Drive used for work will have multiple accounts connected to it, which increases the potential attack surface exponentially. 

Accounts you share financial information with could also experience a breach that could reveal your data.

4. Data encryption stays with Google 

Google Drive's encryption sits on the server side, and not the client. This poses risks for storing financial data, as users entrust all security to Google. 

This reliance on one company heightens vulnerability to breaches. It's crucial for individuals dealing with financial information to diversify storage and employ additional encryption for protection.

5. It’s not specifically designed for financial data

While Google Drive does offer secure storage options, it isn’t specifically designed for financial data storage, leading to concerns about the platform's suitability for the storage of sensitive information. 

The limitations in comprehensive security features, in comparison to specialised platforms designed for financial data storage, means that you could be leaving yourself and your organisation vulnerable to risks - such as data breaches and cyber attacks. 

6. Typical hacking risk

Ever present is the risk of brute-force hacking attempts. The risks of this are fairly low due to the overall security of Google Drive, and of modern technologies in general.

Plus, it makes less sense to try and brute force your way through heavily protected systems  when you could spend less time and effort getting the people you’re targeting to let you in with phishing and social engineering (more on that later). 

But the risk of brute-force attacking is never zero, so don’t take it for granted that you won’t suffer such an attack. After all, brute-force hacking attempts to crack passwords occur every 39 seconds.

7. Lack of control over third-party API’s

Google's ecosystem easily integrates with third-party applications. This is great for compatibility with platforms and applications your organisation is already using, meaning you don’t necessarily need to use a brand new technology ecosystem to take advantage of it.

However, this does raise concerns about potential security vulnerabilities. The lack of direct control over these integrations increases the risk of unforeseen issues, and users may be unaware of all security measures or vulnerabilities within third-party integrations.

The result? Data data stored on Google Drive could be compromised if vulnerabilities in third-party APIs are exploited by hackers. Furthermore, users have limited oversight and control over the security practices of third-party developers.

Vigilance is crucial when integrating third-party services with Google Drive, particularly for storing financial data.

Report: The Risks of Storing Sensitive Data in Google Drive

Key Highlights:

• After scanning approximately 6.5 million Google Drive files, Metomic found 40.2% contained sensitive data that could put an organisation at risk of a data breach or cybersecurity attack.
• 34.2% of all the files scanned were shared with external contacts (email addresses outside of the company’s domain).
• More than 350,000 files (0.5%) had been shared publicly, giving access to anyone who had the document link
• 18,000 files were flagged as “Critical Level” data files, meaning the information contained “Highly Sensitive” data or the file permissions were not applied securely.

Have a read of our findings in full, showing the risky nature of storing sensitive data in Google Drive.

Google Drive’s “Shared Fate” Security Framework

Google’s name carries a lot of weight, projecting a sense of security. It’s hard for many to believe that data stored by a company with such a strong reputation could be at risk, but this isn’t the case. 

While there’s no reason to question Google Drive’s cybersecurity credentials, they operate on a “shared fate” model of security. This means that responsibility for keeping your data secure is divided between the company and the customer. Google Drive does offer a range of built-in security features, including multi-factor authentication (MFA) and data encryption, to protect your information. However, while Google provides foundational security measures, it does not take full responsibility for the security of your data.

In particular, using Google Drive does not automatically ensure compliance with various regulations critical to financial institutions, such PCI DSS or GDPR. Google’s FSI Migration paper provides a detailed breakdown of what the platform can and can’t do to ensure regulatory compliance.

So the bottom line is that you need to take extra security measures to completely secure your Google Drive data and ensure regulatory compliance. 

8 Steps on How to Secure your Google Drive Data 

For financial institutions to fill the gaps left in Google Drive’s basic security features, they should follow the following best practices: 

1. Strengthening access controls

Financial institutions should limit access to their most sensitive documents. Exposed data increases the risk of unauthorised access or public exposure, especially through settings like 'Anyone on the internet with the link can view'.

2. Enabling Multi-Factor Authentication (MFA)

Without MFA, an organisation's defences are inadequate. MFA adds an extra security layer by requiring a second form of verification (like a text message), making unauthorised access much harder. It’s also important to use MFA that follows a zero-trust model.

3. Monitoring account activity

Financial institutions should use automated tools to monitor employee and contractor activities within your Google Drive. This allows unexpected changes in sharing settings, downloads of sensitive data, or third-party app access to be flagged and rapidly addressed.

4. Backing up data

Regular backups are essential, particularly for emergency situations where data recovery might be challenging. Also, it’s important to have a contingency plan in case Google Drive ever has service interruptions.

5. Educating employees

Financial institutions should train their employees to be vigilant about data security. Knowledgeable employees can better manage sensitive data and make smart sharing decisions, acting as a shield against breaches. We call this the Human Firewall. 

6. Implementing a Data Loss Prevention (DLP )tool

A modern DLP tool can automate security tasks and scan Google Drive for sensitive data, showing who has access. This saves time and offers added oversight over how secure the company’s data is.

7. Adding extra encryption

For the most sensitive data, financial institutions may need to use zero-knowledge encryption, which Google Drive doesn’t provide. Adding this extra layer of encryption helps to ensure that these most important records are as secure as possible. 

8. Comprehensive auditing processes

It’s important to set up thorough auditing processes to track who accesses and modifies data within Google Drive. Regular audits help identify potential security gaps and ensure that data handling practices meet the stringent standards required in the financial sector.

Add an Extra Layer of Security with Metomic

Metomic’s data security platform helps organisations to go beyond Google Drive’s basic security features and fully protect their sensitive data:

• Our software protects your most critical Google Drive data, helping you disable internal, domain, and public sharing of files containing sensitive information.
• Our free Google Drive Risk Report scans your Google Drive to check if is leaking sensitive data.
• Metomic allows you to send tailored notifications to employees that demand immediate action, preventing notification bombardment and streamlining your security workflow.
• With Metomic, you can swiftly address Google Drive security issues directly from Slack, minimising the disruption involved in keeping your data safe.

To find out more about where your sensitive data resides in Google Drive book a personalised demo with one of our security experts. Learn where this data is stored, who has access, and how Metomic can help you fully secure it.