Unmanaged G Suite accounts - how risky are they?

Every year, the chance of organisations experiencing a data breach continues to grow. According to research by the Ponemon Institute, businesses in 2019 have a 30% chance of experiencing a data breach within two years. This has grown by almost one-third compared to the odds in 2014.

For businesses in the media industry, for example, these incidents represent an average total cost of $2.24 million. This includes detection activities, regulatory fines, cost of business disruption and more.

Here at CTS, we have always recognised the importance of data security and what this means to organisations, whether they’re an SMB or Enterprise. As Google’s leading collaboration premier partner, we are always striving to ensure businesses are fully aware and up-to-date on the latest security and compliance risks around G Suite.

In this blog, I’ll discuss the potential compliance and security risks that companies are facing from a tech stack perspective. As employees seek ever more collaborative ways of working, they often turn to consumer Google products. This means there are potentially unmanaged G Suite accounts sitting outside of the organisation.

Note: This article relates to organisations that do not use G Suite as their primary email platform and use other available platforms instead.

Shadow IT is the practice of teams and employees utilising tech solutions outside of their company's stack. As technology becomes more democratised across business, the risk posed by shadow IT increases.

Shadow IT, sounds risky

An important focus for us is finding opportunities to increase data security for our partners, both inside and outside of their tech solutions. An example of this risk is where our media customers find they have users who have created “consumer” accounts for a variety of collaboration tools, cloud and/or ad platforms. These accounts use a work email address but are not linked to any corporate directory, presenting a number of serious compliance and security risks.

This means that a team in an agency could be using collaboration apps, completely unrelated to the organisation’s tech stack, to share data with their clients online, and the IT department would have no way of managing these accounts and ensuring regulatory compliance. It also means that users could have a work account to access an online ad platform and the company would have no way to administer them, since it’s not integrated into their set of technology.

In these cases, consumer accounts don’t just potentially hold corporate data such as documents and spreadsheets; they can also access a number of different business services such as Google Cloud Platform environments, Google Campaign Manager and AdWords.

These apps and services can be used heavily by end-users to handle data of significant value to their company, but are completely unmanaged by the organisation they work for! Companies face the challenge of unknown GDPR liabilities and a growing “Shadow IT” function.

How did this happen?!

This can happen if a user creates a personal Google Account using the domain name of their company or organisation. If the company/organisation then signs up for G Suite and tries to create those users in the managed tenancy, they have two options. They can either proceed to invite the consumer account into the managed tenancy or they can create a G Suite account with the same address. The latter option creates a conflicting account situation, as two accounts can't share the same email address.

Migrating and securing your data

We have been working closely with Google to identify all unmanaged accounts associated with an organisation’s domain email address and to develop a strategy to safely transfer these accounts to a managed secure service. This means the content of that consumer account, and the business services it has access to, then become managed by the organisation.

Some of the benefits this brings include organisational data compliance and security of corporate data, as well as users being able to use their corporate login credentials to access any Google Service, avoiding the need to remember separate passwords.

If you are concerned about unmanaged consumer accounts, contact us by filling in the form below.
