Shared PSTs – How Bad Can That Be?
Recently, a customer revealed a pretty depressing secret to me. They put PSTs on network file shares and use these old-fashioned, insecure, and horribly unstable files to share confidential corporate information between team members. Now, I think the reason why this admission is so exasperating is not just that there are so many better ways to collaborate, but because all these methods are fully available to this particular customer. So, why would they still use shared PSTs?
A quick history lesson tells us that PSTs only exist to give Outlook users additional storage. This need for the extra storage arose twenty years ago, because the server-based storage used for Exchange databases was very expensive, meaning that mailbox quotas were small. When quotas depleted, people spent hours cleaning out their mailboxes, so that they were able to receive new email. PSTs were the perfect solution because mailbox owners could move (or “dump”) items from their mailboxes into PSTs and get on with life.
But that was then, and this is now.
Exchange Online now offers users a default mailbox quota of 100 GB, and if that’s not enough, they can take advantage of expandable archive mailboxes to store literally every single piece of email that they receive. Good, bad, and spam. The lack of storage argument simply does not justify the use of PSTs anymore.
I have some sympathy for those who persist in using PSTs for personal storage, because that’s what the solution was meant for, all that time ago, and at least Microsoft has fixed many of the problems that caused PSTs to self-destruct through corruption over the years.
Sharing PSTs is Bad
It seems like the message just does not get through. Experience gained from PST-to-Office 365 migration projects shows that many PSTs are not on local drives. Instead, they are located on shared drives for use on a group, departmental, or project basis. Our analysis of searches to locate PSTs shows that around 55% of the files found during migration projects are on shared or home drives. We also found that the information held in these shared files is invariably more confidential and company-critical than the items stored in PSTs on local drives. Sharing behavior differs across industries, but our analysis shows that a company can expect at least a third of the total PSTs located during migration projects to be on shared drives.
So as we’ve seen, organizations continue to use PSTs to share important information in an inappropriate way, but what does this look like? For example, a department could share confidential contract negotiation documents between ten users, all of whom merrily drag and drop items from their personal mailbox into the shared PST to make their co-workers aware of new information. Another common use is when a team uses a shared PST as a common archive for wire transfers made to other companies. Even law firms, who operate in a highly regulated industry, appear to lose sight of the potential problems of using this file type, with many known instances of casework and pleadings stored in PSTs.
Our next finding is perhaps even more concerning to corporate compliance officers – we also detected countless instances of PSTs found on removable USB drives throughout the organizations we analysed. High-capacity USB drives are available at extremely low prices, so it’s unsurprising that users consider these drives to be a good way to expand the local storage available to their PCs. What is unexpected, however, is the widespread use across all industries and types of companies. We found that 2% of the overall total of files were stored on USBs. 2% does not sound like a lot, but when you consider that this portion of your organization’s information is held by users on removable storage that cannot be controlled by your company, the risk of data loss or leakage is substantial. After all, a single 2GB USB drive can hold over 10,000 messages, documents, spreadsheets, and other potentially-sensitive pieces of data – which is more than a little concerning.
Good reasons exist to create and use a PST on a USB for a single use case. For example, you might need to export some data to give to a partner or external consultant. However, no good reason exists for a USB to hold a PST file that is in constant use. This is an invitation for disaster through corruption or other forms of data loss. For example, an employee could take confidential material with them when they leave the company, intentionally or otherwise.
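To see how many PSTs sit on shared drives and removable media in your own environment, the following PowerShell inventory records each file's location, size, owner, and the number of principals allowed to access it. It is an added example, not part of the original article or any vendor toolkit; the share paths and report file name are placeholders.

```powershell
# Added example: inventory PST files on file shares and on removable drives.
# The share paths and report name below are placeholders (assumptions).
param(
    [string[]]$ShareRoots = @('\\fileserver01\departments', '\\fileserver01\home'),
    [string]$ReportPath = '.\pst-inventory.csv'
)

# Removable volumes attached to this machine (DriveType 2 = removable disk).
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { "$($_.DeviceID)\" }

$targets = @(
    $ShareRoots | ForEach-Object { [pscustomobject]@{ Root = $_; Location = 'Share' } }
    $removable  | ForEach-Object { [pscustomobject]@{ Root = $_; Location = 'Removable' } }
)

$inventory = @(foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Root)) {
        Write-Warning "Skipping unreachable root: $($t.Root)"
        continue
    }
    Get-ChildItem -LiteralPath $t.Root -Filter '*.pst' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            # Distinct principals with an Allow entry: a rough measure of how widely the file is shared.
            $allowed = @($acl.Access | Where-Object AccessControlType -eq 'Allow' |
                Select-Object -ExpandProperty IdentityReference -Unique)
            [pscustomobject]@{
                Location       = $t.Location
                Path           = $_.FullName
                SizeMB         = [math]::Round($_.Length / 1MB, 1)
                LastWriteTime  = $_.LastWriteTime
                Owner          = $acl.Owner
                PrincipalCount = $allowed.Count
                Principals     = ($allowed -join '; ')
            }
        }
})

$inventory | Sort-Object Location, SizeMB -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
# Summary per location type: file count and total size.
$inventory | Group-Object Location | Select-Object Name, Count,
    @{ n = 'TotalGB'; e = { [math]::Round(($_.Group | Measure-Object SizeMB -Sum).Sum / 1024, 2) } }
```

Files with a high PrincipalCount and a recent LastWriteTime are the shared, in-use PSTs the article warns about, and the Owner column is a starting point for working out who to talk to.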
The Office 365 Alternatives
There are a handful of legitimate business reasons for why people continue to use PSTs to share information with co-workers – this is why teams persist with them. The issue is that Office 365 includes plenty of perfectly good and fully supported services and features for teams to collaborate and share information. Take one of the examples we looked at. That ten-person team could easily use an Office 365 Group to share conversations, appointments, ideas, and documents in the mailbox, notebook, and document library belonging to the group. Even better, Office 365 indexes the information in the group to make the data accessible for compliance purposes, meaning that all items are discoverable, and an administrator can apply an in-place hold to make sure that users cannot remove or interfere with data. As contract documents, like the ones that this team are sharing, are often the subject of litigation, it makes sense to protect those files with the kinds of compliance features found inside Office 365.
If this team has a more interactive style of communication, they could use Microsoft Teams instead of Office 365 Groups, as this service is chat-based, including voice and video conversations, instead of email-based conversations. Teams, which was released last week, also supports document storage in SharePoint Online, so their contract information remains protected and secure. In addition, highly usable mobile applications are available for both Groups and Teams to allow people to access their data from iOS, Android, and Windows Phone devices.
Shared mailboxes can have shared archives, which solves the problem for our second use case example. All that needs to happen is to make sure that the tenant assigns an Exchange Online license to the shared mailbox, as this is required in order to enable in-place archive. Again, anything in the archive mailbox will be available for eDiscovery. Better still, a retention policy can be applied to the shared mailbox that will move items into the archive automatically to ensure compliance with data governance policies.
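The steps above can be scripted with Exchange Online PowerShell. This is an added example, not taken from the original article; the mailbox address, the tag and policy names, and the 730-day age limit are assumptions, and the license itself must already be assigned to the shared mailbox.

```powershell
# Added example; mailbox address, tag/policy names and the 730-day age are assumptions.
# Requires the ExchangeOnlineManagement module and an Exchange admin role.
# Prerequisite from the article: an Exchange Online license assigned to the shared mailbox.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$mailbox    = 'wire-transfers@contoso.example'   # hypothetical shared mailbox
$tagName    = 'Move to archive after 2 years'
$policyName = 'Shared mailbox archive policy'

$mbx = Get-Mailbox -Identity $mailbox -ErrorAction Stop
if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
    throw "$mailbox is a $($mbx.RecipientTypeDetails), not a shared mailbox."
}

# Enable the in-place archive only if it is not already active.
if ($mbx.ArchiveStatus -ne 'Active') {
    Enable-Mailbox -Identity $mailbox -Archive | Out-Null
}

# Default policy tag that moves items to the archive once they reach the age limit.
if (-not (Get-RetentionPolicyTag -Identity $tagName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name $tagName -Type All -RetentionEnabled $true `
        -AgeLimitForRetention 730 -RetentionAction MoveToArchive | Out-Null
}
if (-not (Get-RetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $tagName | Out-Null
}

# Apply the policy and ask the Managed Folder Assistant to process the mailbox.
Set-Mailbox -Identity $mailbox -RetentionPolicy $policyName
Start-ManagedFolderAssistant -Identity $mailbox

# Confirm the result: archive should be Active and the policy name should match.
Get-Mailbox -Identity $mailbox | Format-List DisplayName, ArchiveStatus, RetentionPolicy
```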
Exploit Office 365!
The reality is that many tenants pay good money each month for licenses that allow people to access all the collaboration features within Office 365. By not leveraging these services, users can put valuable corporate information at risk through their lack of knowledge and bad habits. It’s time for IT departments to step up and help users understand how they can work better, smarter, and more securely using supported, mobile-enabled, modern technology.
It is time to confront PST files, especially the shared variety. If you want to find out more about the issues that shared PSTs create, the first steps for solving file ownership mysteries, and the wide range of alternatives available in Office 365 – why not take a look at our Investigative Toolkit for Shared PSTs?