Do you think this would be unethical?
Under the User subscription model, would it be unethical to share my sheets with external email addresses of colleagues instead of our internal domain address to get around having to pay for a license? It seems like a huge loophole and our sales rep said it was not against any Smartsheet terms of use but I wonder if there would be downsides to doing this from either an ethical or security standpoint?
Comments
-
Hi Ted,
Weighty questions of ethics aside, you're absolutely asking the right question regarding security risks. While it may seem like a convenient workaround, sharing Smartsheet assets with external email addresses (especially free personal accounts like Gmail) creates significant security, compliance, and governance risks that most IT and security teams would strongly discourage.
1. Data Leakage Risks
External sharing bypasses internal security controls, making it difficult to track who is accessing, modifying, or redistributing company data. This increases the risk of accidental leaks, unauthorized downloads, and loss of sensitive information to unmanaged devices or unapproved users.
2. Compliance & Legal Risks
If your organization is subject to regulations like SOC 2, ISO 27001, GDPR, or HIPAA, external sharing can create gaps in access controls, audit trails, and data retention policies. Security audits may flag this as a compliance risk, and in regulated industries, improper access could expose the company to legal liability or financial penalties.
3. Increased Exposure to Security Threats
External accounts often lack enterprise-grade security controls like Single Sign-On (SSO), Multi-Factor Authentication (MFA), and conditional access policies. If an external recipient's email is compromised, an attacker could gain access to critical company data, increasing the risk of phishing, credential theft, or data breaches.
4. Non-Compliance with Security Policies
Most organizations restrict sharing to approved domains and managed identity providers to enforce security and governance. Bypassing these policies, even if not explicitly restricted by Smartsheet, could violate internal security guidelines, industry best practices, or contractual obligations.
In closing, this isn't an area where Smartsheet policy should generally be the biggest consideration; security risk and increasing your organization's vulnerability to threat actors is the primary reason why we'd strongly discourage this practice.
-
@Daniel Medved I have a similar scenario that I need to know is acceptable practice. For my case we have consultants who are assigned to projects at external clients and are often provided an external email to work on the project. It's not a gmail or any generic email like that. It is an official client email address, like JohnSmith@ClientCompany.com. Can I use that external email address to allow my internal consultants the ability to update their tasks for that project?
For any projects that don't provide the email addresses, I'd opt for the Viewer role and have the PMs use the update automations.
Is that acceptable practice?
Thanks!
Chris
-
@ChrisStrube - The scenario you have outlined is an acceptable practice as long as the domain you are referring to isn't a recognized domain on your account. You could always contact your account team or Technical Support through the "Help icon" in-app if you wanted to confirm.
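The control described in point 4 of the first reply (restrict sharing to approved domains) and the "recognized domain" distinction in the last reply can be turned into a simple audit of a sharing export. The script below is an added example, not Smartsheet's code or any poster's; it assumes share records are plain dicts with `sheet` and `email` keys (as you might build from an exported sharing report), and the approved-domain list, free-webmail list and sample records are all constructed for illustration. It separates internal shares from shares to free webmail accounts (the risky case the first reply warns about) and from shares to another organization's corporate domain (the consultant case), and it treats subdomains of an approved domain as internal while rejecting look-alike domains such as `notexample.com`.

```python
"""Audit sharing records against an approved-domain list.

Added example, not Smartsheet's code. Domain lists and sample records
below are constructed placeholders; replace them with your own.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

# Constructed: the domains your account recognizes as internal.
APPROVED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed: common free webmail providers; extend for your environment.
FREE_WEBMAIL_DOMAINS = {
    "gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com",
}


def email_domain(email: str) -> Optional[str]:
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain or "." not in domain:
        return None
    return domain


def is_approved(domain: str, approved: Iterable[str] = APPROVED_DOMAINS) -> bool:
    """True if domain equals an approved domain or is a subdomain of one.

    The leading dot in the suffix test stops 'notexample.com' from matching
    'example.com'.
    """
    return any(domain == d or domain.endswith("." + d) for d in approved)


def classify_share(email: str) -> str:
    """Classify one recipient address.

    internal            - approved (recognized) domain or a subdomain of it
    external-webmail    - free personal account, highest risk
    external-corporate  - another organization's domain (e.g. a client)
    malformed           - address could not be parsed
    """
    domain = email_domain(email)
    if domain is None:
        return "malformed"
    if is_approved(domain):
        return "internal"
    if domain in FREE_WEBMAIL_DOMAINS:
        return "external-webmail"
    return "external-corporate"


def audit(shares: Iterable[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group share records by classification so reviewers can focus on externals."""
    findings: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for record in shares:
        findings[classify_share(record["email"])].append(record)
    return dict(findings)


# Constructed sample export; the client address mirrors the one in the thread.
SAMPLE_SHARES = [
    {"sheet": "Q3 Roadmap", "email": "alice@example.com"},
    {"sheet": "Q3 Roadmap", "email": "Bob@Corp.Example.com"},
    {"sheet": "Q3 Roadmap", "email": "carol.personal@gmail.com"},
    {"sheet": "Client Tasks", "email": "JohnSmith@ClientCompany.com"},
    {"sheet": "Client Tasks", "email": "not-an-address"},
]

if __name__ == "__main__":
    for category, records in sorted(audit(SAMPLE_SHARES).items()):
        print(f"{category}:")
        for r in records:
            print(f"  {r['sheet']!r} shared with {r['email']}")
```

Run it over a real sharing export and review everything outside `internal`: the `external-webmail` group is what the first reply warns against, while `external-corporate` entries are the consultant-on-client-domain case that still deserves a documented owner and an expiry date.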