18 May 2020
By Andy Downs
COVID-19 has led to an unprecedented workplace transformation in which working from home has become the new “normal” for millions of employees around the world. The transformation happened swiftly, and businesses are not likely to return to traditional workplaces any time soon. Many organisations had continuity plans in place before COVID-19, but few could anticipate the sudden and widespread impact of the pandemic.
As a result, organisations large and small have scrambled to set up remote work teams and to prepare their employees and infrastructure for the world of the home office. Workplace collaboration tools – like Zoom, Microsoft Teams, and Slack – have seen explosive growth as teams try to find new ways of collaborating, and to do so quickly. The numbers help paint the picture: Zoom claims 300 million daily meeting participants, Microsoft has 75 million daily active users on Teams, and Cisco saw nearly a quarter million sign-ups in one 24-hour period.
While these tools do enable communication, connection, and collaboration from home offices, they also open up a new world of potential security and compliance risks. This is true of any “authorised” tools that may already have been in place pre-pandemic, like Microsoft SharePoint, Slack, OneDrive, and Google Drive, but also for more “unauthorised” communication channels such as Facebook, WhatsApp, and personal email.
For many businesses, the first step toward a collaborative, yet secure home workplace is to navigate the known challenges these tools and platforms pose to your organisation – including cybersecurity gaps, data sharing, and compliance.
Challenge 1: Cybersecurity Gaps
Professional collaboration tools are not nefarious by nature. All are intended to help you collaborate and work more effectively, and most claim to offer a robust layer of security, as evidenced in both the default settings and overall product marketing. The challenge is that default settings can easily be compromised, resulting in software with major security vulnerabilities. Zoom, for example, emerged from the pandemic with an unwanted reputation for privacy and security lapses such as encryption weaknesses and Zoombombing.
Many collaboration tools have known weaknesses and, at the same time, promote features like end-to-end encryption to protect your business. Slack, for example, has shared known security risks, and it’s common knowledge that data can be intercepted or altered on Microsoft 365 or Google’s suite of tools by attackers with network infrastructure access. Even if the tool itself has robust security and is properly configured, there always remains the possibility of “shadow IT” in which your workers change configurations or misuse the tools (even if the intentions are good).
Many technology teams now find themselves struggling to navigate the cybersecurity implications of these new collaboration tools and platforms. There’s a balance to strike between selecting tools that are user friendly, flexible, and accessible and ensuring they are properly configured and used by your team. A good rule of thumb is to look for tools and platforms that adhere to security best practices and offer security controls that align with the National Cyber Security Centre’s (NCSC) cloud service principles.
Many problems are rooted in the basics, such as not enabling proper default settings, like strong password management. Ideally, the user accounts of a collaboration tool implementation should be linked to a central identity service. However, if this is not possible, users should use a different password for each application to limit attack vectors and intrusion across other platforms. (If you’re not already using a password manager, now might be the time to consider doing so.)
Challenge 2: Data Sharing
Another challenge with collaboration tools is data sharing. These tools are designed to create open communication and enable easier data sharing, which leads to more information being transmitted internally and externally, some of it sensitive and confidential.
According to a recent report from Symphony, 25 percent of employees say they share confidential information about the company on collaboration platforms. More surprisingly, the majority (78 percent) say they wouldn’t care if this information was exposed to the public. With more sensitive information being shared across these collaboration tools, organisations must take steps to secure sensitive data and prevent data loss. When selecting a collaboration tool for your business, be sure to consider its data loss prevention (DLP) policies. For example, Microsoft Teams recently added data loss prevention capabilities to help admins identify, monitor and automatically protect sensitive information shared across chat and channel messages.
On the other hand, it’s also important to understand how your collaboration tools share your data. To return to the Zoom example, the tool was recently found to be running a data-mining feature which enabled some participants to view other users’ LinkedIn profile data without their consent. It’s also been reported that the company sold user data for advertising purposes. One report found that Zoom was sending data from users on its iOS app to Facebook for advertising purposes (though the company has since changed many of its policies and protections).
The problem isn’t limited to large companies. Small businesses face the same risks, as do smaller teams within larger organisations. In the Guardian, a CSO reports that one of the problems now is that individual departments at larger companies have been left on their own to find ways to work collaboratively, often at odds with the tools or processes being employed by other teams at the same organisation.
Challenge 3: Compliance
Another challenge around collaboration tools is ensuring compliance with industry or regulatory standards. The rise of data privacy legislation in recent years, like the GDPR, has left many organisations with increasing pressure to manage their data securely. A new remote workforce complicates this. For example, what happens when your team is obligated to retain communications for regulatory compliance, but this communication now happens in new channels, like Zoom or Slack? What does this portend for your data retention policies?
It was only on 13 April that Zoom released a statement that it had updated its platform and practices to be compliant with GDPR. Some tools, like Microsoft Teams, support global, regional, and industry regulations (Teams claims to comply with more than 90 regulations and standards including HIPAA, GDPR, and FERPA), but many others do not. This can put your business at risk.
A survey of compliance professionals found that more than 60 percent of financial firms use collaboration tools to communicate, but 20 percent lack a written policy for these tools, as they would have for other more ‘traditional’ forms of communication, such as email. Of those that do have a policy, many lack a clear archiving process, which may lead to further compliance issues.
To some extent, the problem was magnified by the sudden and widespread adoption of these tools as businesses had to quickly adapt to new workplaces amidst COVID-19. Often, these tools needed to be implemented before technology, compliance, or legal teams could assess the risk and put proper measures in place. It is especially difficult to re-engineer a secure and compliant work environment if these guardrails did not exist in the first place.
If you don’t already have one, a proper collaboration governance model may be a smart investment right now. To begin, establish clear and simple guidelines to define collaboration at your unique business – what does collaboration look like, what does it consist of, and what, specifically, should your team be sharing or working together on (and, just as important, what should they not be collaborating on). From here, your collaboration governance policy can identify and connect the specific tools or platforms that your team will (and will not) need to implement to accomplish these collaboration goals, securely and compliantly.
Challenge 4: Education & Training
Training your staff on how best to use these collaboration tools safely and securely can turn your people into a strength rather than a weakness. By providing your employees with clear, concise and comprehensive best practices, you can more easily mitigate the risk associated with collaboration tools and ensure your company’s data stays safe and secure.
At KA2, we can help you establish collaboration governance models and provide guidance and advice on selecting the best collaboration tools for your organisation. To help you better understand the security risks presented by your workplace collaboration tools, we offer a complimentary Smarter Collaboration Security Assessment, which can be completed online. Simply complete our short online questionnaire, and a KA2 security expert will assess your chosen tool against your business needs, as well as 68 key security and compliance metrics.
While COVID-19 may have rushed a transformation to remote working, it’s a trend that will most likely stay. So, whether you are currently using a collaboration tool or looking to implement one, we can help you select, configure, and implement the right tools to meet not just your security and compliance requirements, but also to ensure a productive and connected workplace as we all try to navigate a new way of working together.