4 Collaboration Habits That Open the Door to Security Breaches
Eighty-eight percent of organizations either encouraged or required employees to work from home in response to the COVID-19 pandemic according to Gartner. The rapid transition to remote work caused a spike in adoption of cloud-based productivity and collaboration tools. Microsoft Teams reached 44 million active users in March — more than double the 20 million users it had in November 2019. Competitor Slack added 7,000 new customers in the seven weeks beginning Feb. 1, which was more than it had added in the entire preceding quarter.
Tools like these helped organizations maintain and in cases improve communication and productivity for their work from home staff, and the tools will likely continue to be used after the shelter-in-place period finishes. Indeed, Gartner found 74% of companies will allow at least 5% of their previously onsite employees to work remotely after the pandemic. This means solutions to support collaboration among distributed teams will still have an important place in getting work done.
However, these cloud-based tools come with an increased risk of unauthorized access and data compromise. If you are unprepared for these threats, these solutions help you boost your business at the high price of making you more vulnerable to data breaches. Learning the risks is the first step in minimizing threats to data while maximizing your use of these collaboration tools.
The chats, channels and files exchanged by employees in collaboration platforms are often retained forever by default, which means all of this data is vulnerable in a cyberattack. Adding to this is the habit among many users of saving documents on their hard drives to simplify discovery down the line. Hard drives offer insufficient protection. Moreover, downloading certain types of files (e.g., customer data) is a violation of privacy laws, so it can lead to penalties.
Recommendations: First, choose your cloud providers wisely. Assess each provider’s level of data and system security, and check whether the provider is compliant with standards like ISO 27000.
Second, make sure employees have the tools they need to work with company data safely. Add security measures to reduce data exposure. For example, encourage your staff to use corporate G Suite instead of personal applications like Google Docs, and monitor user activity for suspicious behavior like spikes in downloads or unusual data access patterns.
Third, classify your data and educate your employees to be more attentive to information labeled “sensitive” or “confidential.”
Related Article: The Time to Reel In Ad-Hoc Collaboration Is Now
User Mistakes and Negligence
According to Ponemon's 2020 report, employee negligence or errors caused 62% of all insider breaches. One of the best examples is unauthorized data sharing, such as users exchanging passwords or sensitive data via cloud collaboration tools to expedite their work. Practices like these increase the chance of data compromise and compliance fines, especially if an employee accidentally posts business-critical information in a public channel, where you cannot control how many users see and copy it.
Recommendations: Make it as easy as possible for employees to access the corporate resources they need to do their jobs. For example, making credentials easy to retrieve from password managers will remove the temptation to ask someone to share the password via Teams or another platform, which violates security policies. Also, conduct regular training sessions to familiarize users with basic security practices like the rules of secure data sharing, and check in to make sure your employees absorbed these lessons.
Mondelēz: 3 Steps to a Data-Informed, More Proactive IT Department
How to build a new team culture dedicated to the proactive mindset.Watch Now
How to Create a Successful Hybrid Enterprise Using Slack
Learn the three steps companies should take to create a successful hybrid enterprise and enable better productivity.Watch Now
Insecure Personal Devices
When employees work on corporate laptops or computers, you can encrypt any data accessed and keep the device up to date with patches. But when workers use their personal laptops, you have little control over the device. Even a single infected or unpatched laptop can jeopardize your data and your business.
Recommendations: Audit your IT environment for spikes in log on activity, unusually high network traffic and other suspicious events to detect attacks in the early stages. Also, make hackers’ lives as difficult as possible by patching and installing endpoint protection tools on all corporate devices.
If employees use their personal devices, implement BYOD best practices that strike the right balance for your organization. Depending on your risk tolerance and other requirements, you can either recommend or require specific practices, such as regular software patches and operating system updates. You can also forbid access to certain assets from personal devices.
Related Article: Flexible Operating Models Only Limited by Rigid Corporate Thinking
When employees use unsanctioned and unsupported collaboration tools (aka shadow IT) it can undermine data security, especially if the person managing the tool has no expertise in security. For example, if a team uses Google Docs and the manager allows everyone with the link to access corporate files, this violates basic security practices and could lead to data compromise.
Recommendations: Work closely with other departments to understand their workflows and business needs to determine which tools they need. Providing the tools employees need and will use goes far in curbing adoption of unauthorized tools.
The increase in remote work has brought new security challenges, and you need to keep them in mind when you use cloud collaboration software. But the tools are not your enemy. By following the recommendations laid out here, you can reap their business benefits while minimizing security risks.
About the Author
Ilia Sotnikov is an accomplished expert in cybersecurity and IT management. He is vice president of product management at Netwrix, provider of a visibility platform for data security and risk mitigation in hybrid environments.