Is Your Business Data Safe in Slack and Microsoft Teams?
Much discussion about the digital workplace in recent months has been about tools and platforms organizations should put in place to enable the millions of workers now obliged to work remotely.
However, with so many people across the organization using them, their weak points, as well as their strengths, are becoming more clear. Not least of these tools are popular communication and collaboration platforms like Teams, Slack and Google Workspace (formerly called G Suite).
While these tools did indeed help workers meet business goals, enterprise leaders have begun to question whether privacy settings are enough to protect company data. This has become particularly important as Teams and Slack, amongst others, have enabled users to communicate with people outside of the company.
Protect Data in Microsoft Teams
With COVID-19, many organizations have seen their information and privacy risk profile change dramatically without corresponding mitigations, said John Hodges, senior vice president product strategy at Jersey City, N.J.-based AvePoint. Because of their high usage, Slack and Microsoft Teams tend to be ground zero for the risk that derives from the collection, storage, access, usage and disposal of information containing personally identifiable information (PII).
The good news is organizations can significantly mitigate this risk through a combination of native and third-party solutions. This is a much better outcome than not using the tools at all or disabling external sharing settings, which will only lead to employees using unauthorized solutions. “Organizations should be proactive so they have insight into their users' sharing and have control once data leaves the system,” Hodges said.
But it is not all that straightforward. Microsoft Teams has more robust control for privacy and external sharing, but it creates complexity. For example, there are five types of settings that can impact external sharing in Microsoft Teams including AAD, Office 365 Security and Privacy settings, Group settings, SharePoint settings and Teams settings.
These settings are mainly tenant-wide and difficult to maintain in a modular, granular fashion. Once the organization has right-sized the sharing settings appropriate for them they also must determine their system of automatically onboarding and offboarding guests who have access to the environment. No native solutions exist.
Another common misconception regarding privacy and information security in Microsoft Teams is that the membership of the Team determines who has access to the files within that Team. Microsoft makes sharing easy in Microsoft 365, which is a good thing, but that means organizations also need to be aware of the SharePoint settings that underpin the team and the access provided by the sharing links from the document itself.
“The goal for organizations shouldn't be to impede external collaboration or sharing, but rather to put an emphasis on monitoring the external sharing of sensitive information," Hodges said. "To do this effectively requires a third-party solution or you will be combing through thousands of lines of multiple, siloed reports.”
In sum, while it’s possible to mitigate the information and privacy risk of using Microsoft Teams, companies need to have proactive strategies and develop solutions for common challenges such as external guest users and external sharing of sensitive information.
Related Article: How Edge Computing Will Transform the Digital Workplace
Protect Slack Channels
Using an online service does increase the risk to an organization but the ability for employees and managers to work effectively greatly outpaces that risk, said Ryan O’Ramsay Barrett, founder and CEO of ORAM Corporate Advisors, an IT solutions and cybersecurity company based in Boston. To combat the new security threat landscape of an online service, his company implements layers of security to monitor and prevent a large scale intrusion.
“We use technologies such as two-factor authentication for each user and offer a least privilege access approach,” he said.
He cites the example of Slack and its use of many channels. Some have to do with HR, some accounting, while others are employee rated. When an employee comes on board, they can only access to the channels needed to do their job and that access is limited to a certain number of days.
"For example, after seven days, if you’re using it on an app, or on your phone, or a browser, or on a computer application – the app will automatically log out that individual after seven days, just to make sure we don’t leave any resident applications logged in with access permissions," Barrett said. "This user must go through and re-authenticate all their applications to make sure and verify that it is that person using the service is appropriately."
There is one other solution worth mentioning here. Mobile device management platforms make sure that online applications do not share or back up data. Policies can be set so users would not be able to copy files and text from a managed application to another non-secure application on the device.
Security Takes a Back Seat to Collaboration
Favoring connectedness and ease of use to drive adoption are, understandably, placing security and other more boring considerations on the back burner, said Rich Hale, CTO of Washington D.C.-based ActiveNav, a data protection company. The aim is to hook a community of users that will drive a purchase decision but also secure the product's stickiness within the business. The problem, of course, is that none of this has anything to do with the capabilities needed to exercise meaningful data stewardship. No end user wants to worry about that. Those features inherently restrict the functionality that drives adoption.
Organizations need to recognize that these applications exist and must include them in their governance and privacy programs. This goes for other products which are driven by user sharing such as sync and share, instant messaging, social platforms and others. “This area of data represents the wilderness of stewardship and governance and so, needs a different set of tooling and practices to govern," Hale said. "These tools and practices should not be isolated to each application and need to be reviewed consistently to identify patterns of practice and the design of responses needed to deal with them."
Those practices will ebb and change, he said. "End-point protection and data loss prevention will help to an extent by bolting the doors but mapping and monitoring how data is used within these applications must complement those measures," Hale said. His company is extending the reach of data monitoring to encompass these platforms and include them in the scope of unstructured data mapping, monitoring and governance programs.
Can You Guarantee Collaboration Security?
Collaboration software has given way to a new attack vector because it is a widely deployed internal tool that is accessible via the internet. "We are increasingly seeing 'credential stuffing' as one of the most popular techniques to gain entry," said Mike Puglia, chief strategy officer at Ireland-based Kaseya. Simply put, attackers can gain credentials through phishing or by purchasing them from the millions of records for sale on the dark web and then testing (i.e. credential stuffing) those credentials on popular collaboration tools sites.
Malicious attackers are betting their targets are using one or more popular tools such as Microsoft Teams, Slack, Google or Zoom. With a success rate between 0.5% and 2%, it is a low effort way to gain access to enterprise tools.
To combat the threat and protect employee credentials, organizations should implement multi-factor authentication (MFA), simulate phishing attacks to train employees and monitor their domains on the dark web.
With work teams scrambling to create better channels of communication while working remotely, is there a guarantee on the safety of our sensitive messages online? Don't bet on it, said Stefan Smulders, CEO of Netherlands-based Expandi.
“The bottom line is, there really isn’t,” he said. "Messaging platforms have access to all your messages and a breach in their security systems is enough to have your neck on the line. While new privacy features continue to be rolled out, there is no room for complacency about the data we share in these channels."
The truth is workers cannot avoid using these platforms so be careful in handling data instead. Encrypt and lock files, especially editable ones, and make them available only to certain people who need them. Use PDF format as much as possible to prevent copy-pastes and other manipulation of data. Set privacy settings and accessibility according to employee rank to make sure staff only have access to the data they need to access and no more.