Don’t Cut Corners on Information Security as You Rush to Adopt Collaboration Tools
The novel corona virus pandemic is changing the world and for many of us, that includes the way in which we work. Many companies are suggesting or, in some cases, mandating work from home policies in order to protect employees and try to slow down the spread of the disease. As a result, collaboration tools for meetings, calling, chat and file collaboration have seen a significant increase in usage over the last few weeks. However, as organizations rush to ensure the safety of their employees by deploying these collaboration tools, they need to make sure that they are not putting another important asset at risk – their business data.
The mobile apps for Microsoft Teams, Zoom and Google Hangouts have all shot into the top 10 charts for app downloads for both Apple and Android devices with Slack also seeing significant rises in the number of downloads. In addition Microsoft, Google and Zoom have increased the capabilities of the free versions of their tools and in the case of Microsoft and Google are providing premium versions of their products for free for a period of time. Microsoft announced it saw a 500% increase in usage in China alone over the past few weeks. This has certainly tested the scalability of their solution which will undoubtedly be tested further in the coming days and weeks.
Gartner Offers Advice
There is no shortage of guidance appearing for organizations as they grapple with the reality of the impact of the novel coronavirus. For CIO’s Gartner has provided 3 points for maintaining continuity of operations in the short term.
- Source collaboration tools with security controls and network support
- Engage customer and partners through digital channels
- Establish a single source of truth for employees
While all of them are relevant in the work from home world it’s the first point that I’d like to spend time digging into. In particular the “with security controls” part of Gartner’s guidance.
A good place to start is the security controls that Gartner mentions. In the technology world security is becoming a very broad term covering a lot of areas of IT and a lot of scenarios. Organizations need to ensure they cover all the relevant aspects of “security”. For the collaboration tools that power working from home organizations certainly need to ensure that they are secure in the traditional IT sense. Of course, you only want the authorized employees to be able to access these tools but in the collaboration world the risks extend beyond merely accessing the tool. Arguably a greater risk to information security comes from authorized users making mistakes when using these tools. And this is where a possible security gap can occur depending on how the tool has been deployed.
Some time ago I wrote a blog on how the different perspectives of IT Security and Information Security, while having the same overall objectives, can produce entirely different results. A Dark Reading quote summed up why the different perspectives result in different priorities, “IT priorities are adaptability, technical features, and efficiency; infosec priorities include confidentiality, integrity, and availability.”
It’s important that organizations bear this in mind and don’t end up sacrificing the safety and integrity of their critical business information as they rush to go live as soon as possible in order to maintain business continuity. Remembering to look at any roll out plans from both perspectives will make it easier to recognize and mitigate against information security risks.
Where are the Most Common Information Security Risks?
It’s important to note that the tools themselves are not inherently risky. Rather it is the very nature of a predominantly user controlled, cloud-based collaboration environment that is our metaphorical petri dish for growing risks. The following issues that are common under normal circumstances, let alone the accelerated roll outs that many organizations are launching to support their workforce at home.
1. Incorrect Permissions or collaboration team memberships
Tools like Microsoft Teams, Slack and Google Hangouts leverage “membership” paradigms for providing access to the various collaboration areas within them. Users are invited to join the collaboration “team” and are granted access to all the files and chat content. However, a quick internet search will uncover many instances of where the single point of failure in a data breach was incorrectly set permissions. In essence this approach to information security relies on access permissions, and while it will control who can access a document, it will not prevent HR, customer or corporate legal information, for example, from being accidentally shared with everyone within the company.
2. External or Guest Users
An important element of these collaboration tools is their ability to enable communication and information exchange with external customers and partners. When combined with the risk of incorrect memberships (permissions) it’s no surprise that for many organizations this capability is also seen as a major risk. The push to work from home will likely put IT organizations under great pressure to allow this capability. Failure to properly address this risk could either result in driving users towards using shadow IT tools (unsanctioned tools outside of the control of IT) in order to collaborate externally or accidentally leave internal information available to external parties.
3. Accidental Oversharing
As Microsoft’s 50,000 Seattle area employees started to work from home en masse the company saw a sharp increase in usage of their Teams solution. For a company that was already, understandably, a heavy user of Teams their users very likely took this in their stride. However, for an organization that is rushing out a collaboration tool like this it’s very easy for a new user to become lost in the rapidly expanding number of teams, channels or hangouts that they are invited to join. Even for seasoned users it’s not uncommon for a file or message to be posted in the wrong team or channel. In many ways this is like the accidental “reply all” or adding the wrong Steve in the “to line” within email.
Adoption of tools like Slack and, in particular, Microsoft Teams was already on the rise before the novel corona virus hit. Increased use and new adoption of tools like this in such a short period of time is likely to lack the governance that should accompany deployment. As users happily create new channels for collaboration, we are very likely going to see duplicates or very limited use Teams being created and shortly after abandoned. From an information security perspective this potentially leaves sensitive information in forgotten locations that, when combined with any of the previous risks, presents yet another possibility for an information leak.
5. Auditing and Oversight
By design a lot of the administration, from a collaboration and sharing perspective, of these tools is carried by super users or owners of the various Teams or channels. This presents a real oversight issue for from a centralized IT perspective. The rapidly expanding number of information siloes spawned by these tools make it very difficult for IT to understand who has access to what information and the type of information being shared. If the organization is within a regulated industry then this not only presents an information security challenge, but also a potential compliance breach.
Tips for Mitigating Risk
During these extraordinary times there is sometimes an argument for cutting through red-tape in order to respond to the emergency faster, however organizations must ensure that it doesn’t expose them to a different risk. Unfortunately, this is the dilemma that many organizations are now faced with; the need to roll out or increase adoption of collaboration tools at a significantly faster rate than planned versus the need to maintain business continuity as much as possible. And that’s the clue to the first tip – as much as possible.
1. Expect Some Hiccups
The reality is that even if your organization has a contingency plan for the situation, we now all find ourselves in we should remember an old military adage. To paraphrase; “No plan survives first contact with the disease”. Everyone is working under the same difficult scenario. Both users and IT just want to get their jobs done to the best of their abilities. But this is new territory for many and there will likely be some disruption and some mistakes are going to be made. It’s therefore very important that business leaders accept this and reassure both employees and their customers and partners that everyone is doing their best to minimize the disruption. Thankfully, based on various news reports this appears to be the tone being set by some of the largest companies in the world and is the de-facto standard that we should all adopt.
2. Solutions to These Collaboration Issues Already Exist – Leverage Them
There was already a growing trend to adopt tools like Microsoft Teams prior to the pandemic. Organizations doing so have already considered the same risks above and the potential issues created by the different perspectives of IT security and information security professionals, therefore solutions for these information security issues already exist. It has been widely recognized that a data-centric approach mitigates against many of the risks discussed here. Instead of relying solely on Team or channel permissions, which are a single point of failure and frequently incorrectly applied, organizations should look to secure information based on additional properties of both the data and the user accessing it – regardless of the location in which it resides.
3. Help Your Users to Adapt
In a recent Insider Threat survey many organizations were predominantly planning to rely on user training to protect their information. In the compressed timeline that may not be an option. Even if there was time, it is rarely a strategy that is good enough on its own. As mentioned above there are data-centric tools that can help to reinforce any training and actively prevent users from accidentally oversharing information. However, it’s important to remember that users are looking for easy ways to collaborate from home. Any training or security tools that make it too hard for employees to use company sanctioned collaboration tools risks driving shadow IT as users look for easier ways to get their jobs done.
We’ll Get Through This Together
It’s at times like these that it’s more important than ever for us to share our experiences and expertise to help others in any way. I hope that in my own geeky way I can help some of you navigate some of the IT and collaboration challenges in front of you.
To learn more about how to set-up your Microsoft Teams collaboration for success, download the eBook 8 Tips to Prevent Oversharing and Insider Threats in Microsoft Teams.