Who doesn’t love Notion? This easy to use project management and collaboration app has taken the corporate world by storm, making it simple and intuitive for employees to share and organize workplace knowledge all in one place.
There’s just one problem—and it’s a big one.
Here’s what you need to know about the security risks in Notion, and how to protect your sensitive information from a costly data breach.
Is Notion secure?
As a platform, Notion stands up pretty well in terms of security. It’s certified to SOC 2 and ISO 270010—two excellent security standards that demonstrate Notion takes security seriously.
However, Notion is a software-as-a-service app, and this means it falls under the cloud’s shared responsibility model.
Essentially, while Notion is responsible for securing its underlying infrastructure, you—as the customer—are responsible for implementing the right configurations, user identities and the data that resides within the platform.
And that’s where things become tricky. Notion, after all, is used across a wide array of industries and settings—and many people use it to store sensitive information like personally identifiable health information (PHI), company passwords, keys and much more.
Left unvetted, Notion can easily become a potent breeding ground for inappropriate data sharing, loss and even insider theft.
Here are the top risks to be aware of.
Countless healthcare professionals use Notion daily for actions like note-taking and cross-departmental collaboration. Often, these notes include PHI and PII, which comes under the jurisdiction of compliance mandates like HIPAA and the CCPA, depending on the region in which the company operates.
Now, imagine if a medical professional accidentally shared their notes with a third-party app via Notion, or input their notes to a public-facing page. This would be an immediate and costly compliance violation.
Unfortunately, these kinds of issues aren’t hypothetical either. The accidental insider threat is the biggest cause of data security incidents, meaning errors like this are happening in Notion right now.
On top of that, Notion doesn’t have native enterprise-grade data classification and data loss prevention (DLP) capabilities built in, either, meaning it’s impossible for security teams to put a stop to this problem—unless they invest in the right external tools.
One of the top use cases for Notion is a company wiki, with administrators sharing how-to guides that include credentials information for different internal systems. Again, these kinds of use cases trigger a number of security issues.
If access to these pages isn’t controlled properly, unauthorized users could discover and abuse the credentials that have been shared. This is the risk of the malicious insider—an employee who misuses their corporate privileges to steal information.
Another risk relating to the above is that of credentials compromise, which happens when a malicious actor manages to break into an employee’s Notion account either by guessing their password or having bought it on the dark web. Given that there are currently more than 24 billion passwords up for sale on the dark web, this threat shouldn’t be taken lightly.
While Notion does offer multi-factor authentication, countless data breaches recently has shown MFA is not fool-proof, suggesting that organizations need to go above and beyond this mechanism to confidently secure information their cloud apps.
According to Gartner, 99% of cloud data breaches will be caused by misconfigurations by 2025. A misconfiguration occurs when an employee incorrectly sets permissions for a page or database in Notion, enabling unauthorized employees—and possibly even the public—to view the information stored in their workspace.
Should a malicious actor find one of these pages, they could steal sensitive information swiftly and easily—and the security team would be none the wiser until it’s way too late.
Notion enables you to integrate with a host of third-party tools. Unfortunately, though, not all of these tools are legitimate—and you need to be careful of the settings that you click when agreeing to an integration.
A faulty or malicious app could gain visibility into all of your files in Notion, putting data security and compliance at risk.
3 steps to fortify data security in Notion
While these risks might make you nervous of using Notion, it’s no a wise idea to prohibit access to the app. After all, employees heavily rely on SaaS-based tools for productivity, efficiency and collaboration. If you ban them, they’ll only find a workaround, which will create an even bigger shadow IT problem.
The answer, then, is to consider how you can fortify Notion’s security.
Here’s how to do it.
- Regularly review user permissions
The beauty of Notion is that it facilitates effortless collaboration between employees, clients, freelancers and the like. However, revoking access is just as important as granting it. So, when an employee leaves or a project ends, make sure to review who has access to what within Notion—and revoke access rights for individuals on a need-to-know basis.
- Invest in specialist SaaS DLP
As mentioned, Notion doesn’t come with in-built data loss prevention (DLP). Luckily, we recently partnered with them to bring best-in-class data classification and protection to Notion. Our tool, Polymer DLP for Notion, autonomously detects, classifies, and remediates sensitive data exposed in Notion.
Harnessing the power of natural language processing (NLP), our no-code tool plugs straight into your Notion and gets to work right away, scanning your databases at speed and scale for evidence of sensitive information like PHI, PII, credit card data and more.
Depending on your needs, Polymer DLP can either redact sensitive data immediately or implement granular controls over who is able to access your sensitive information. The result? The risks of data exposure drop dramatically without interrupting employee workflows, so you can feel more confident in your employees using Notion.
- Focus on real-time education & training
Beyond safeguarding your data in Notion, we also believe in helping organizations to build a culture of security. To that end, Polymer DLP comes in-built with psychological nudges: a form of real-time employee training that educates users when they violate a compliance or data security policy with a helpful pop-up—as well as redacting any sensitive information.
Our nudges have been proven to reduce repeat offenses of accidental data sharing by over 40% in just two weeks, empowering organizations to effortlessly enhance security awareness, without having to invest in costly training away days.
Safeguard your sensitive data in Notion
We’ve designed Polymer DLP with flexible, ready-to-go templates for critical compliance policies like HIPAA, SOC 2 and CCPA. With our tool, you can start protecting sensitive data in Notion in just minutes.
Ready to get started? Find out more today.