A predominantly user-controlled, cloud-based collaboration environment presents new risks for many companies that are rolling out tools like Teams, Google Hangouts and Slack to meet the growing need for employees to collaborate while working from home during the global COVID pandemic.
"International Data Corporation (IDC) forecasts that, by 2021, the contribution of "digital coworkers" will increase by 35% as more tasks are automated and augmented by technology. IDC also predicts that, by 2024, enterprises with intelligent and collaborative work environments will see 30% lower staff turnover, 30% higher productivity, and 30% higher revenue per employee than their peers(1)."
The points below highlight the general risk considerations for all companies that use tools like Teams, Google Hangouts and Slack to help their employees and partners collaborate online.
Incorrect Permissions or Team membership settings
Tools like Microsoft Teams leverage “membership” models for providing access to the various collaboration areas within them. Users are invited to join the collaboration “team” and are granted access to all the files and chat content.
With over 30% of all breaches reported to the Australian Privacy Commissioner from 2017-2019 caused by human error, it is important to recognise that incorrectly set permissions are a single point of failure that could cause a data breach(2).
And while access permissions control who can access a team or group in a collaboration environment, they will not prevent employees from accidentally sharing a confidential document with everyone within the company.
External or Guest Users
An important benefit of collaboration tools is their ability to enable communication and information exchange with external customers and partners.
When combined with the risk of incorrect memberships (permissions), this capability can also present companies with significant risk.
Supporting the use of collaboration tools with the right design considerations early in your implementation, so that your company identifies and puts the right security controls in place, will help prevent unsanctioned use of tools outside the control of IT.
As more employees work from home en masse, companies will see a sharp increase in usage of their collaboration tools.
For many companies that are rushing out collaboration tools to meet the demands of the business, brought about by the global COVID pandemic, it’s very easy for a new user to become lost in the rapidly expanding number of teams, groups or channels that they are invited to join.
Even for seasoned users of collaboration tools, it’s not uncommon for a file or message to be posted in the wrong team or channel. In many ways this is like the accidental “reply all” or adding the wrong Karen in the “to line” within email.
Increased use and new adoption of collaboration tools in a short period of time is likely to be welcomed by employees with little experience in creating groups or channels.
As users happily create new groups or channels for collaboration, organisations are very likely to see groups or channels being created and abandoned shortly after.
From an information security perspective this potentially leaves sensitive information in forgotten locations that, when combined with any of the previous risks, presents yet another possibility for an information leak.
Auditing and Oversight
By design, a lot of the administration of these tools, from a collaboration and sharing perspective, is carried out by super users or owners of the various Teams, groups or channels.
This presents a real oversight issue from a centralised IT perspective.
The rapidly expanding number of information silos spawned by these tools makes it very difficult for IT to understand who has access to what information and the type of information being shared.
Given these key risk considerations, companies will likely see new and increased risks around identity and access management, and around auditing and oversight, compared with those that may have been previously present in their organisation.
Tips for securing your collaboration environment
Business needs often overshadow security and compliance requirements in the collaboration platform selection process. Security and risk management leaders should both leverage and extend the maturing security features of those platforms to satisfy security and compliance requirements.
Support the use of collaboration tools with the right design considerations early in your implementation, so that your company identifies and puts the right security controls in place.
As with all security programs, security education and awareness is critical, and this is even more so when your company is using a predominantly user-controlled, cloud-based collaboration environment.