Key Points

• Google Drive usage carries cybersecurity risks, with over 350,000 files analysed revealing public accessibility, posing potential consequences for financial institutions' data security and compliance.
• Financial institutions face escalating cyber threats, including ransomware attacks and generative AI sophistication, emphasising the imperative for heightened security measures to safeguard valuable data stored in platforms like Google Drive.
• To address these risks, financial institutions are advised to adopt best practices such as strengthening access controls, implementing Multi-Factor Authentication (MFA), educating employees on data security, utilising Data Loss Prevention (DLP) tools, and leveraging Metomic's data security solution to enhance Google Drive security through tailored notifications, swift issue resolution via Slack, and facilitating risk audits for effective sensitive data protection.

Using Google Drive can bring valuable productivity benefits to companies, but many aren’t aware that storing data on the platform carries significant cybersecurity risks. 

As our recent Google Drive report highlights, a lot of businesses aren’t doing enough to protect their data from breaches. Over 350,000 of the files we analysed were left publicly accessible, potentially exposing company data.

These gaps in Google Drive security are particularly pressing for financial institutions. As they are responsible for more sensitive data than most, failing to take the necessary protective measures can lead to serious financial, reputational and legal consequences. 

In this guide, we’ll highlight the different risks that insecure Google Drive data poses to financial institutions, and set out key best practices for them to mitigate these and safely experience the platform’s benefits.

Is Google Drive Data Secure?

Financial institutions are very attractive targets for cybercriminals. As a result, they face relentless and increasingly sophisticated efforts to steal their valuable financial and personal data stored in cloud platforms like Google Drive. 

There’s been a large increase in ransomware attacks on the financial industry in recent years. Modern ransomware strains are becoming better and better at encrypting files quickly and stealthily. This improves the attacker’s chances of being able to steal data and demand extortionate ransoms. 

Phishing attempts and social engineering are also increasingly common threats. These involve tricking employees into sharing login details or providing access to critical data stored on platforms like Google Drive. In 2022, finance was the most heavily targeted sector for phishing attacks, highlighting the scale of the threat. And as the Google 2024 Cybersecurity Forecast warns, generative AI is making these attackers even more sophisticated.

Recent incidents highlight how bold cyber attackers have become in attacking financial institutions. For example, the world’s largest bank - ICBC Financial Services - was crippled by a recent ransomware attack, forcing it to resort to settling trades with a USB stick.

Those that don’t properly protect themselves against breaches like these risk falling foul of financial data security regulations across North America and Europe. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR) mandate strict measures for securing financial data, with non-compliance penalties ranging from strict fines to costly forensic audits. 

Beyond cyberattacks, financial institutions also need to guard against other Google Drive data loss scenarios, like accidental deletion, data corruption, and hardware malfunctions. Such incidents can lead to damaging operational disruptions and financial losses.

Out of all sectors, finance is second highest in terms of the financial cost of breaches. However, the costs are never solely monetary. Damage to reputation and diminished customer trust are common, and often worse for financial institutions due to the sensitive nature of the data they hold. 

Top 7 Security Risks in Google Drive for Financial Data

1: Typical hacking risk

Ever present is the risk of brute-force hacking attempts.

The risks of this are fairly low due to the overall security of Google Drive, and of modern technologies in general.

Plus, it makes less sense to try and brute force your way through heavily protected systems  when you could spend less time and effort getting the people you’re targeting to let you in with phishing and social engineering (more on that later). 

But the risk of brute-force attacking is never zero, so don’t take it for granted that you won’t suffer such an attack. After all, brute-force hacking attempts to crack passwords occur every 39 seconds.

2: Phishing and social engineering

Google Drive is a secure platform and does contain plenty of security features to help protect your data, such as encryption, two factor authentication (2FA), and phishing and malware detection tools. 

However, even with these tools, the weak security link in all of these is the human element. Phishing and malware databases need to be constantly updated, making it likely that an attack may slip through the net. After that, all that’s needed for a data breach is for someone to click on a suspect link.

And even worse, the humble phishing email has received a new lease of life with the advent of Generative AI. Whereas previously, phishing emails were easy to spot through their terrible spelling and grammar, AI can create perfectly legible emails that can pass a cursory glance. 

It’s even sophisticated enough to write the code necessary to create passable landing pages to help capture an unfortunate target’s identity credentials.

Not to mention social engineering - why steal the keys to the kingdom when you can get your targets to give them to you with a few well placed questions?

3: Connection to multiple devices

If one of your devices that is connected and signed in to Google Drive is misplaced or stolen, the thief potentially has access to everything in your Google Drive, including any sensitive financial data you’re storing in there.

Considering that just over half the UK population has lost at least one phone, it’s easy to see how this can be a pretty big problem.

It is more difficult to steal a laptop from a home or your person, but because mobile phones and tablets are smaller and more mobile, they are by their very nature at greater risk of theft and misplacement.

4: Connection to multiple accounts

Now, multiply the problem in the previous point by how many people are using that Google Drive.  

Any Google Drive used for work will have multiple accounts connected to it, which increases the potential attack surface exponentially. 

Accounts you share financial information with could also experience a breach that could reveal your data. 

Also, the owners of those accounts are subject to the same risks of device theft and misplacement in point number two.

5: Data encryption stays with Google 

Google Drive's encryption sits on the server side, and not the client. This poses risks for storing financial data, as users entrust all security to Google. 

This reliance on one company heightens vulnerability to breaches. It's crucial for individuals dealing with financial information to diversify storage and employ additional encryption for protection.

6: It’s not specifically designed for financial data

While Google Drive does offer secure storage options, it isn’t specifically designed for financial data storage, leading to concerns about the platform's suitability for the storage of  sensitive information. 

The limitations in comprehensive security features, in comparison to specialised platforms designed for financial data storage, means that you could be leaving yourself and your organisation vulnerable to risks - such as data breaches and cyber attacks. 

7: Lack of control over third-party API’s

Google's ecosystem easily integrates with third-party applications. This is great for compatibility with platforms and applications your organisation is already using, meaning you don’t necessarily need to use a brand new technology ecosystem to take advantage of it.

However, this does raise concerns about potential security vulnerabilities. The lack of direct control over these integrations increases the risk of unforeseen issues, and users may be unaware of all security measures or vulnerabilities within third-party integrations.

The result? Financial data stored on Google Drive could be compromised if vulnerabilities in third-party APIs are exploited by hackers. Furthermore, users have limited oversight and control over the security practices of third-party developers.

Vigilance is crucial when integrating third-party services with Google Drive, particularly for storing financial data.

Report: The Risks of Storing Sensitive Data in Google Drive

In Q1 2023, we built our Google Drive Risk Report to help people understand where their data is stored, who has access to it, what files are publicly accessible, and how they can ensure they can protect their most sensitive data.

What we found was alarming, but not surprising to us - we see this with plenty of customers who haven't had full visibility and control over their data before this point.

Have a read of our findings in full, showing the risky nature of storing sensitive data in Google Drive.

Google Drive’s “shared fate” security framework

Google’s name carries a lot of weight, projecting a sense of security. It’s hard for many to believe that data stored by a company with such a strong reputation could be at risk, but this isn’t the case. 

While there’s no reason to question Google Drive’s cybersecurity credentials, they operate on a “shared fate” model of security. This means that responsibility for keeping your data secure is divided between the company and the customer. Google Drive does offer a range of built-in security features, including multi-factor authentication (MFA) and data encryption, to protect your information. However, while Google provides foundational security measures, it does not take full responsibility for the security of your data.

In particular, using Google Drive does not automatically ensure compliance with various regulations critical to financial institutions, such PCI DSS or GDPR. Google’s FSI Migration paper provides a detailed breakdown of what the platform can and can’t do to ensure regulatory compliance.

So the bottom line is that as a financial institution, you need to take extra security measures to completely secure your Google Drive data and ensure regulatory compliance. 

Best practices for securing your Google Drive data 

For financial institutions to fill the gaps left in Google Drive’s basic security features, they should follow the following best practices: 

1. Strengthening access controls

Financial institutions should limit access to their most sensitive documents. Exposed data increases the risk of unauthorised access or public exposure, especially through settings like 'Anyone on the internet with the link can view'.

2. Enabling Multi-Factor Authentication (MFA)

Without MFA, an organisation's defences are inadequate. MFA adds an extra security layer by requiring a second form of verification (like a text message), making unauthorised access much harder. It’s also important to use MFA that follows a zero-trust model.

3. Monitoring account activity

Financial institutions should use automated tools to monitor employee and contractor activities within your Google Drive. This allows unexpected changes in sharing settings, downloads of sensitive data, or third-party app access to be flagged and rapidly addressed.

4. Backing up data

Regular backups are essential, particularly for emergency situations where data recovery might be challenging. Also, it’s important to have a contingency plan in case Google Drive ever has service interruptions.

5. Educating employees

Financial institutions should train their employees to be vigilant about data security. Knowledgeable employees can better manage sensitive data and make smart sharing decisions, acting as a shield against breaches. We call this the Human Firewall. 

6. Implementing a Data Loss Prevention (DLP )tool

A DLP tool can automate security tasks and scan Google Drive for sensitive data, showing who has access. This saves time and offers added oversight over how secure the company’s data is.

7. Adding extra encryption

For the most sensitive data, financial institutions may need to use zero-knowledge encryption, which Google Drive doesn’t provide. Adding this extra layer of encryption helps to ensure that these most important records are as secure as possible. 

8. Comprehensive auditing processes‍

It’s important to set up thorough auditing processes to track who accesses and modifies data within Google Drive. Regular audits help identify potential security gaps and ensure that data handling practices meet the stringent standards required in the financial sector.

Secure your Google Drive data with Metomic

Metomic’s data security platform helps financial institutions to go beyond Google Drive’s basic security features and fully protect their sensitive data:

• Our software protects your most critical Google Drive data, helping you disable internal, domain, and public sharing of files containing sensitive information.
• Metomic allows you to send tailored notifications to employees that demand immediate action, preventing notification bombardment and streamlining your security workflow.
• With Metomic, you can swiftly address Google Drive security issues directly from Slack, minimising the disruption involved in keeping your data safe.

Book a Risk Audit with one of our experts to find out where your sensitive data resides in Google Drive. Learn where this data is stored, who has access, and how Metomic can help you secure it.