Google add-ons were introduced in 2014 as a way to bring additional functionality to Google Docs and Sheets by installing plugins published by third-party developers.
Add-ons can be browsed and installed directly from within G Suite by clicking the “Add-ons” tab in the main menu of any document you’re working on. Because these add-ons are so easy to install and seem to be officially approved by Google, users may be lulled into a false sense of security and assume that add-ons are as safe as G Suite itself. In fact, third-party add-ons can introduce new security risks into your organization.
What are Google Add-Ons and Why Use Them?
Add-ons extend the native functionality of Google Docs and Sheets and can help to increase productivity and efficiency of document creation, add functionality such as electronic signatures, and improve opportunities for collaboration and communication within G Suite.
Some examples of the most popular add-ons for Docs include:
- EasyBib – automatically cite books and journals and generate a bibliography
- Table of contents – automatically create a clickable table of contents in the sidebar
- Easy accents – add accents from a side bar when typing in another language
- Openclipart – browse and insert free clipart images from directly inside your document.
Some add-ons for Sheets include:
- Flubaroo – automatically grade multiple-choice assignments
- Remove duplicates – easily remove duplicate data in spreadsheets
- YetAnotherMailMerge – create email campaigns in Gmail, format and send based on data in Sheets
- Save as Doc – convert a Google Sheets spreadsheet into a Google Document
Without the functionality that these add-ons provide, it may take significantly more time and effort to perform certain tasks when using G Suite. However, it is sensible to be cautious about how many add-ons are installed and be aware of the permissions that each add-on requests, particularly in a business setting.
The Security Risks of Google Add-Ons
When you install an add-on from within Google Docs or Sheets, it will request several permissions for accessing your G Suite data and apps. These may include:
- Full access to all your Drive files
- Create new documents
- Edit existing documents
- Share documents with others
- The ability to send email as you
- Connect to external services to read and write data
- Run the application while you are not present
- View, manage, and permanently delete your email
- View and manage your contacts
There are probably very few people whom you would trust to have complete control over your G Suite data, including the ability to read and delete all of your documents and email messages, copy any information to an external source, and send messages on your behalf. However, this is exactly the access you are granting when you approve permissions for some Google add-ons.
Once a third-party add-on has been granted access permissions, it will retain them until the permissions are manually revoked. This means that add-ons that have not been used for several years could still have access to sensitive corporate information.
Insecure add-ons that have access to corporate data could potentially cause a serious data breach or data loss by accessing or deleting files without your knowledge. It is also very difficult to control add-ons that employees install on their own devices. This is of particular concern for high-level employees who have access to sensitive company information, as the add-on will also be able to access this data.
How to Limit the Security Risks of Google Add-Ons
Allowing unlimited and unmonitored installation of Google add-ons is a recipe for disaster, so the first defence step in any organization should be to develop a policy for the use of add-ons within G Suite and make sure that employees are trained in the importance of following this policy.
Many organizations have success with issuing a list of officially approved apps and add-ons and this can help to reduce the number of insecure third-party add-ons that are installed, but it is unlikely to stop it completely (as staff may choose to ignore the security policy or simply be unaware of it).
When assessing add-ons for suitability and security, particular care must be taken to ensure that the permissions requested by the add-on are required for its functionality, and that the add-on provides sufficient benefit to the organization to be worth the increased security risk.
Using monitoring software such as Spinbackup G Suite Cyber Security Solution with 3rd-Party Apps Audit can greatly reduce the risk of data breaches through continuous monitoring of connected apps. If an employee grants access permissions to a risky add-on, administrators can be alerted to this and choose to revoke the permissions and block the add-on.
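The approved-list check and the permission review described above can be expressed as a small audit over an export of third-party grants. This is an added example, not code from Spinbackup or Google: the grant records, client IDs and the approved-list policy are constructed, and the record fields are assumed to follow the Admin SDK Directory API tokens.list response (clientId, displayText, scopes, userKey).

```python
# Added example: audit third-party OAuth grants against an approved add-on list.
# All records and client IDs below are constructed sample data.
G = "https://www.googleapis.com/auth/"

# OAuth scopes behind the broad permissions listed in the article.
HIGH_RISK_SCOPES = {
    G + "drive": "full access to all Drive files",
    "https://mail.google.com/": "view, manage and permanently delete email",
    G + "gmail.send": "send email as the user",
    G + "contacts": "view and manage contacts",
    G + "script.external_request": "connect to external services",
    G + "script.scriptapp": "run while the user is not present",
}

# Hypothetical policy: approved client IDs and the scopes each one needs.
APPROVED = {"1111.apps.example": {G + "documents.currentonly"}}

SAMPLE_GRANTS = [  # constructed, shaped like tokens.list items
    {"userKey": "alice@example.com", "clientId": "1111.apps.example",
     "displayText": "Citation helper", "scopes": [G + "documents.currentonly"]},
    {"userKey": "bob@example.com", "clientId": "1111.apps.example",
     "displayText": "Citation helper",
     "scopes": [G + "documents.currentonly", G + "drive"]},
    {"userKey": "carol@example.com", "clientId": "9999.apps.example",
     "displayText": "Mail merge tool",
     "scopes": ["https://mail.google.com/", G + "script.external_request"]},
    {"userKey": "dave@example.com", "clientId": "8888.apps.example",
     "displayText": "Dedupe tool", "scopes": [G + "spreadsheets.currentonly"]},
]

def audit_grants(grants, approved=APPROVED):
    """Return one finding per grant that is unapproved or exceeds its approved scopes."""
    findings = []
    for g in grants:
        scopes = set(g.get("scopes", []))
        allowed = approved.get(g["clientId"])
        if allowed is None:
            reason, excess = "unapproved add-on", scopes
        else:
            reason, excess = "scopes beyond approved set", scopes - allowed
        if allowed is not None and not excess:
            continue  # approved add-on holding only the scopes it needs
        risky = sorted(HIGH_RISK_SCOPES[s] for s in excess if s in HIGH_RISK_SCOPES)
        findings.append({"user": g["userKey"], "app": g["displayText"],
                         "reason": reason, "risky": risky,
                         "severity": "high" if risky else "review"})
    # High-severity findings first, then by user, so revocation can be prioritised.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["user"]))

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f["severity"], f["user"], f["app"], f["reason"], f["risky"])
```

An approved add-on that later asks for broader scopes (bob's grant) is reported as well, which a plain allowlist of add-on names would miss.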
Another essential step is to ensure that an adequate backup system is in place. If an add-on deletes vital company data either through a software error, or because it has been hijacked by a hacker for malicious purposes, having a full G Suite backup in place will limit the impact as you will be able to restore all company files to a point in time before they were deleted.