Data sprawl is real–and necessary. Email and file-sharing platforms are critical to our day-to-day work. But the amount and type of sensitive information we create and share on a daily basis may surprise you–and demands attention.
Analysis conducted on anonymized, aggregated data from customers who voluntarily opted to share data with Material.
Since our founding, Material Security has operated on a core belief that email security demands more than just stopping inbound threats. The modern threat landscape is far too complex, and the dangers go well beyond phishing and BEC attacks. Bad actors have countless ways to breach accounts, access data, and exfiltrate sensitive information. Protecting email means protecting what’s inside the inbox and what’s linked to the account as much as stopping inbound attacks: that’s why Material focuses on securing sensitive data within inboxes, the systems connected to email, and the configurations governing the platform itself.
Over time, as we’ve expanded our capabilities to include protecting Google Drive and posture hardening of the broader productivity suite, we’ve gained deeper insights into the scope and scale of the sensitive data sprawl across the productivity suite. We all have a sense, instinctively, that there’s a great deal of sensitive and confidential information in our inboxes and shared drives. The cloud office is where we work, communicate, and collaborate: of course it will be full of sensitive, confidential, and mission-critical files.
But in looking at the data, we’ve found that organizations are generating, storing, and sharing sensitive data even faster than we predicted—and sharing files and types of data in ways that create unexpected risks if not carefully monitored and controlled.
It’s been nearly a year since we added the ability to view and control risky file sharing within Google Drive, and as we approach the end of 2024, we wanted to break down the aggregate trends in data creation and sharing we’ve seen in email and Drive across our customer base.
Where does sensitive data live?
Email remains a treasure trove of sensitive information, unsurprisingly. Across our sampled customers, we found an average of about 75,000 sensitive emails in each organization–and of that sensitive content, about a quarter is sent outside the organization.
The sensitive data that is sent outside the organization is broadly about what you’d expect. The most common sensitive content types we saw in this study included invoices, banking information, eSignatures, meeting recordings, financial reports–the sort of information you wouldn’t be surprised to see emailed to partners, vendors, investors, and so on.
There are countless other types of sensitive information found in inboxes at lower volumes, of course. Health records, social security numbers, driver’s license info, and other PII made plenty of appearances. Credit card numbers always seem to pop up. Source code, patents, and other sensitive IP were all found.
Depending on your level of experience with email security and in what capacity, that may or may not surprise you. We’ve all learned–the hard way–that email contains plenty of sensitive data, and it needs to be treated as the valuable repository that it is. In spite of that, we’re all still human, and we’re all driven to get the job done, no matter what obstacles are in our way. So even when we know we shouldn’t send an email with that critical file, or include that sensitive data in plaintext… when there’s no other way, we do it.
When we dig deeper into Drive trends, however, things get even more interesting.
Sensitive file trends in Google Drive
Looking at aggregate trends around Google Drive usage, what we found right off the bat, unsurprisingly, is that we all create a lot of files: in a roughly eight-month window, the number of files in the shared drives of our sampled customers grew by nearly 400%. Now, this isn’t a complete shock: we all create new presentations, spreadsheets, and docs all the time. I’m typing in one right now. Google Drive and other file-sharing platforms have become so ubiquitous because they make work so much more productive.
Part of that productivity, of course, involves creating and sharing sensitive and confidential information as part of day-to-day operations, and we do that at an even faster rate. On average, the volume of sensitive files grew by over 1100%–nearly three times the rate of the overall growth of files. On average, over a quarter of files in Google Drive contain sensitive data.
What was really eye-opening was the specific types of sensitive data in files. They’re not only very different from the types of data we see in emails, they’re potentially even more valuable–and riskier to share too broadly.
Source code was the single most common type of sensitive data found in our sampled customers’ Google Drives–as well as being the type of sensitive data most frequently shared externally, comprising nearly a third of the data types in our sampled customer base. Now, it is worth mentioning here that software companies made up a significant portion of this sample, but regardless, it was surprising to see this category so far in the lead, ahead of financial reports, various types of banking information, payroll data, and files manually labeled or tagged as confidential.
These numbers highlight a sobering reality: organizations are creating sensitive files at a faster rate than mundane documents. This is not surprising. Our companies’ productivity suites are critical infrastructure: they’re where we do most of our work and collaboration, and our most critical work revolves around sensitive, confidential, and regulated data. But this drives home the need to carefully monitor and control sharing.
Organizations need to treat files at least as carefully as email
Over time, we’ve learned to treat email as a risk surface: regulatory regimes demand robust email security, there’s a general awareness that sharing sensitive data via email is a bad idea, training programs teach people to spot and avoid phishing, and security policies call for sending sensitive information via encrypted file-sharing platforms rather than through email.
But in general, we don’t apply the same level of caution to shared files and collaboration tools. Shared files can give us a false sense of security, but that’s exactly where risks accumulate. Sharing files externally is a risk, but an even greater one is sharing sensitive files publicly.
We’ve all been there: we’re sharing a file with a group of key stakeholders, we think we’ve got the permissions set just right, when suddenly the emails and Slacks start pouring in: “I don’t have access.” “I can’t get in.” “Please give me editing access.” In a rush, we just open up the file and change it to “anyone with link”: that will make sure everyone who needs access can get to it. And literally anyone else… but that’s not a now problem. It’s a problem we’ll deal with in the future, right? We definitely won’t forget to go back and make those permissions more restrictive.
Some reason for optimism: visibility & control with Material
Among customers who were using our Data Protection for Google Drive product when this data was collected, we saw distinct trends in risky Drive behavior. Most noticeably, public sharing of sensitive data fell off at drastic rates as customers were able to see just how much of their sensitive data was available to anyone who knew where to look.
Sensitive files shared with “anyone with link” permissions dropped by 94%, and public sharing of particularly sensitive data fell even more–instances of files containing source code shared publicly fell by 99% and public sharing of files with “confidential” tags fell 96%, for example.
This shift highlights that while organizations still need to share sensitive data to operate—sending reports to auditors, sharing operational data with consultants, or collaborating with contractors—they’re becoming more intentional about reducing unnecessary exposure.
The goal of monitoring file sharing isn’t to stop it: it’s to ensure sensitive files are shared carefully, with the right people, at the right level. Material is uniquely suited to help companies do this effectively at scale, as we’re able to provide unique insights into risk across the productivity suite, and automatically fix risky sharing at the speed and level that’s most effective for your organization.
Data sprawl is real — and technology is only part of the solution
The trends we’ve seen over the past year confirm what we’ve long believed: data sprawl is a growing and persistent problem. Organizations create sensitive files and share them at an astounding rate. Technology alone can’t fully solve this problem: a recognition of the risks posed by file sharing platforms and comprehensive plans to address those risks are critical.
File sharing is a critical part of modern business–and we don’t need to overindex on this. But just as the risks posed within email required security, IT, and HR teams to reframe the problem, the risks posed by sensitive data shared externally demand similar actions be taken.
Employees need to be aware of the risks they create when they open access to sensitive documents. Role-based training, easy-to-follow policies, and ongoing reminders can help foster a culture where the potential dangers of risky file sharing are as well-understood as the risks of clicking links in unsolicited emails.
And even with organizational and behavioral changes, the gaps that remain can’t feasibly be managed manually—the sheer volume of files and sharing activity requires automation, visibility, and control to balance security with the speed of business.
By helping our customers protect email and collaboration platforms like Google Drive, we’ve learned that securing sensitive data requires a shift in mindset. It’s not just about protecting the inbox or blocking threats. It’s about safeguarding the data that drives your business forward—no matter where it lives or how it’s shared.
With tools that automatically detect, classify, and protect sensitive data, organizations can gain the visibility and control they need to reduce risk—without slowing themselves down.