Spinbackup Cybersecurity Solution: 3rd-Party Apps Audit (part I)


One of the key features of Spinbackup for Business for G Suite is the 3rd-party apps audit. This feature provides a visual report of the current security level of all 3rd-party apps that have access to the company data stored in Google Apps.

This transparency in company data security, both as an overview and at app level, allows an administrator to easily identify security risks and remove them before they become big problems.

Why are 3rd-Party Apps a Potential Security Risk?

Using 3rd-party apps with G Suite can be very useful. Apps offer some advanced features, significantly extending cloud functionality and cloud productivity, but they can also introduce a new kind of security risk into your organization.

3rd-party apps have the potential to reduce the security level of your G Suite cloud storage and apps because:

  •      They have access to G Suite services
  •      They can access data stored within G Suite
  •      Once given access, they retain this level of authority until it is manually revoked.

It may be helpful to consider every 3rd-party app in the same way as a new employee within your organization. As with any employee, it is important to think about the level of access that he or she will have to corporate data and programs. You would definitely not give all your employees full-level access to corporate information and the same should be true of any apps that are installed. Just as an employee can cause a breach in corporate data, so can insecure apps that have access to this data.

Shadow IT is the term given to the practice of building and/or using software that is not authorized by the organization and can result in security risks as well as inefficient work processes.

It is vital to make sure that:

  1. The app requires access to the data or service in order to function properly.
  2. The app has a sufficient level of trust to access this functionality and information.

One of the main problems with 3rd-party apps is that, while any employee can easily install them on his or her own devices, their level of access to corporate data can hardly be controlled.

For example, an employee working at a company with a BYOD (bring your own device) policy may use his iPhone to regularly access emails and documents via Gmail and Google Drive. The employee may then install a 3rd-party app onto his phone that requests permission to access his Google account during the installation process.

Most users do not pay much attention to these permission requests and will click the button to grant permissions without a second thought. This app then has access to all data visible to the user in his Google account and all G Suite services, and has the right to delete data and download data to another private cloud storage facility.

Many of the riskiest 3rd-party apps are games and applications that have nothing to do with work. For example, earlier versions of the popular Pokémon Go game requested full access to the user’s Google account.

Figure: Most popular cloud apps according to the 2016 Spotlight on Cloud Security Report

For example, data migration apps can be particularly risky for the company as they may allow download of data to private storage, which can lead to data leaks and breaches.


Only a small minority of apps are actually malicious, and apps installed via the official iTunes and Google Play stores have to meet certain requirements. Even so, they may well have software vulnerabilities that could be taken advantage of by hackers, even several years after the software is originally installed. Google cannot guarantee the safety of any third-party apps, and all are installed at the user’s own risk.

This opens the opportunity for a serious data loss or data leak that could affect your whole company.

How You Can Protect Your Organization From Insecure 3rd-Party Apps

  1. Provide Employee Security Training
    Employees are usually not aware that apps they install could cause a serious risk to corporate data. Providing a detailed training program for all employees, explaining the risks associated with 3rd-party apps and how they can compromise corporate data, should be the first step of action for any company.

    Training is particularly important for senior and management-level staff, who are likely to have accounts with access to sensitive corporate data. Employees at this level often assume that computer security is dealt with by the IT department and do not realize they have a personal responsibility to help ensure company data is not compromised.

  2. Implement a Robust Security Policy

    Your corporate security policy should include clear guidelines for employees at all levels in regards to using personal devices at work, installing 3rd-party apps, permissions that may or may not be granted, and the type of data that is allowed to be accessed or downloaded onto personal devices or 3rd-party backup and storage solutions.

    A survey commissioned by Trustlook in Q4 2016 found that a worrying 60% of companies did not even have a BYOD policy in place, which poses a serious threat of data leaks of corporate information.

  3. Run a Regular Security Audit of 3rd Party Apps
    The best way to deal with any potential security problems that may occur via 3rd-party apps is to develop an awareness of the apps that are installed and being used by employees on a daily basis.

    Using Spinbackup cybersecurity service with 3rd-party apps audit allows administrators to easily monitor apps that have access to corporate data and quickly disable apps that may cause a security threat.

How Spinbackup 3rd-Party Apps Audit works

The 3rd-party apps audit runs a daily automated scan of all apps installed by users within the organization. It then produces a report, listing all the apps with an at-a-glance color-coded view of their level of risk.

Administrators have the option to block apps directly from this screen, or can click through to see a more detailed report for each individual app. The report includes:

  •    Risk level of the app and detailed description of possible risks (assessed by Spinbackup’s own criteria)
  •    The type and description of the app
  •    Employees it has access to
  •    List of permissions granted to the app

Each app is rated based on its level of perceived authority and any potential security risks are listed with more detail. Administrators then have the option to mark the app as trusted or to remove access for all users within the organization. 

In addition to the daily scan, the apps audit can be run manually at any time.

As well as providing a quick and easy way to block risky apps, the 3rd-party apps audit also gives administrators an easy way to monitor apps that have access to corporate data and know immediately if there have been any violations in terms of data access or company policy (for example, downloading data to a private account).

The 3rd-party apps audit now also has a new “auto-remove” feature for blacklisting apps. When Spinbackup detects installation or authorization of a 3rd-party app, it checks the app against the blacklist and removes its permissions automatically if it is on the blacklist.
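The per-app report and the blacklist check described above can be sketched as follows. This is an added example, not Spinbackup's code: the grant records are constructed and shaped like the token resources of the Google Admin SDK Directory API (userKey, clientId, displayText, scopes), and the scope-to-risk mapping and the action names are assumptions, not Spinbackup's criteria.

```python
# Added example: scope weights and sample data are assumptions, not Spinbackup's criteria.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",               # full Gmail access
    "https://www.googleapis.com/auth/drive",  # full Drive read/write/delete
}
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed grants, one per (user, app), shaped like Directory API token resources.
GRANTS = [
    {"userKey": "alice@example.com", "clientId": "migrate.example", "displayText": "Migration Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "migrate.example", "displayText": "Migration Tool",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"userKey": "bob@example.com", "clientId": "calview.example", "displayText": "Calendar Viewer",
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"userKey": "carol@example.com", "clientId": "puzzle.example", "displayText": "Puzzle Game",
     "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
]
BLACKLIST = {"puzzle.example"}  # constructed client ID an admin has banned


def rate(scopes):
    """Rate an app by the broadest scope any user granted it."""
    if any(s in HIGH_RISK_SCOPES for s in scopes):
        return "high"
    if any(s.endswith(".readonly") for s in scopes):
        return "medium"  # can read user content but not change it
    return "low"


def audit(grants, blacklist):
    """Group grants per app and return report rows, riskiest first."""
    apps = {}
    for g in grants:
        app = apps.setdefault(g["clientId"], {"name": g["displayText"], "users": set(), "scopes": set()})
        app["users"].add(g["userKey"])
        app["scopes"].update(g["scopes"])
    rows = []
    for client_id, app in apps.items():
        risk = rate(app["scopes"])
        # A blacklisted app is revoked regardless of its rating; high risk goes to an admin.
        action = "revoke" if client_id in blacklist else "review" if risk == "high" else "keep"
        rows.append({"clientId": client_id, "name": app["name"], "risk": risk, "action": action,
                     "users": sorted(app["users"]), "scopes": sorted(app["scopes"])})
    return sorted(rows, key=lambda r: (RISK_ORDER[r["risk"]], r["name"]))


if __name__ == "__main__":
    for row in audit(GRANTS, BLACKLIST):
        print(row["risk"], row["action"], row["name"], row["users"])
```

The blacklist is checked independently of the rating, so an app that requests only a narrow scope is still revoked once an administrator has banned it.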

The Spinbackup 3rd-party apps daily audit has discovered over 3,000 apps to date via our smart algorithms and our analytic department. This has helped G Suite administrators save a tremendous amount of time that would normally be spent analyzing each application separately.

You can request a demo of Spinbackup cloud-to-cloud backup and cybersecurity for G Suite, including the 3rd-party apps audit, and try it out for yourself.
