4 collaboration security mistakes companies are still making
Before the pandemic, the business world took for granted that the vast majority of knowledge workers would be working in corporate offices most of the time. In the post-pandemic world, however, many employees can work from anywhere, at any time, and on any device with an internet connection.
When COVID-19 work-at-home mandates took effect around the world in early 2020, organizations rushed to adopt online collaboration tools. With capabilities ranging from voice- and videoconferencing to document co-authoring and project tracking, these tools helped teams communicate, work together, and share updates on various projects and initiatives from home or anywhere else.
While some companies are now encouraging or even mandating a return to in-office work for many employees, collaboration tools remain crucial for business operations. They’ve become a fundamental part of doing business with people working in multiple locations, both inside companies and externally with customers, suppliers, and other third parties, said Doug Glair, director of cybersecurity at technology research and advisory firm ISG. As such, companies need to ensure that their collaboration tools are resilient, easy to use, and secure, given their critical value to the business, Glair said.
But even though organizations have been using collaboration tools for several years, they’re still making the same security mistakes as in the early days of the pandemic, say experts.
One of the main reasons is that collaboration tools are often spun up within business units and not company-wide, according to Avani Desai, CEO of Schellman, a cybersecurity assessment firm. “Maybe I want to use Asana, and someone else wants to use SharePoint, and someone else wants to use Jira, and the executive team wants to use another tool — so user access isn’t granted on an enterprise level,” she said. “User access has been an issue for years, and it continues to be an issue.”
Gartner analyst Patrick Hevesi agreed with Desai’s assessment. “Let’s say your corporate standard is Microsoft 365, or G Suite, or whatever, but somebody else in the company wants to use Slack,” he said. “People are adding more collaboration tools without the authority of the IT security organization.”
What’s more, organizations that adopt collaboration platforms such as Microsoft Teams, Slack, Box, Dropbox, GitHub, Jira, Asana, and others are often focused on the productivity benefits. Securing these platforms, communications, and the data that they share is typically an afterthought — if it’s thought about at all, said Jay Martin, security practice lead at managed services firm GreenPages Technology Solutions.
“Making them more secure is essential to protecting the organization from threat actors seeking an entry point to proprietary information, financial data, intellectual property, and more,” he said.
Computerworld asked tech industry analysts, IT service providers, and security consultants to name the biggest collaboration security mistakes they still see organizations making today — and what to do about them. Here’s their advice.
If organizations don’t provide access to vetted collaboration tools, employees will likely find their own and use insecure solutions, said Sourya Biswas, technical director, risk management and governance at security consulting firm NCC Group. “Therefore, while it’s important for organizations to embrace digital collaboration, at the same time they should prevent installation and use of unapproved tools, via mechanisms such as restricted local admin access and managed browser solutions.”
Even when collaboration tools are vetted and approved, organizations must be cognizant of the different collaboration platforms that each employee is allowed to access in order to prevent sensitive data from being exfiltrated and avoid providing new attack vectors for bad actors, said Michael McCracken, senior director of end user solutions at SHI International, a reseller of technology products and services.
In addition, IT needs to maintain central control over these tools, said AJ Yawn, partner, risk assurance advisory at Armanino, an independent accounting and business consulting firm. “If somebody is terminated, do the people who do the offboarding know to remove access from these tools, or do those [former employees] still have access to [sensitive company data]?”
Many organizations use insecure methods for file sharing, said Schellman’s Desai. Two examples are unencrypted email attachments and the public file sharing that happens with collaboration tools that don’t have encryption built in.
“Using insecure file-sharing methods is a security concern because it can lead to data leaks,” she said. She advised companies to use only secure file-sharing platforms with encryption.
Organizations should also implement secure file-transfer protocols, Desai said. “So email should have what we call TLS [transport layer security], which is like encryption within the transfer.”
While the leading collaboration vendors offer robust security features, it’s often up to those deploying and managing the software to make sure it’s configured for maximum security. In many cases, especially in smaller businesses, organizations turn to IT consultants or service providers for these services. Despite the increasing awareness of collaboration security, consultants and service providers still end up making mistakes that put their clients’ data at risk, said Kunal Purohit, chief digital services officer at Tech Mahindra, an IT services and consulting company.
These mistakes include inadequate access controls, such as allowing password sharing or granting excessive privileges; neglecting to enforce strong authentication measures, such as two-factor authentication; and failing to update software and systems regularly, which can open vulnerabilities, he said. Another mistake consultants and service providers make is not encrypting sensitive information during transmission and/or storage. “Additionally, failure to conduct regular security audits and assessments further exposes organizations to risks,” Purohit said.
Organizations should conduct thorough due diligence before engaging any consultants or service providers, Purohit advised. This includes verifying that these third parties have proven histories of implementing robust security measures.
“Organizations should clearly define their security requirements and expectations and include them in the contractual agreements with the consultants or service providers,” he said. “Additionally, companies should conduct regular security audits and assessments to identify any vulnerabilities or noncompliance.”
Furthermore, organizations should enforce strict access controls, providing consultants and service providers with limited privileges based on their specific needs, according to Purohit. And above all, organizations should establish clear communication channels with them to report any security incidents or breaches promptly.
The ability to collaborate from anywhere in the world with an internet connection opens up the possibility of employees connecting to insecure wireless access points at public locations such as cafes and airports, thereby compromising any data that flows through the connection, said NCC’s Biswas. Virtual private networks, secure access service edge, and zero-trust network access tools address this risk, he said.
Rahul Mahna, managing director of EisnerAmper’s outsourced IT services team, agreed. “Now that everybody’s back to traveling, people are using the free Wi-Fi that’s available on the Acela, in their hotel rooms, and in conference centers to connect back to their collaboration tools,” he said. “And those are just fraught with security issues. I always tell people the most secure connection is by tethering to your phone, because your carrier’s security is so much better than any security you can get from free Wi-Fi.”
Collaboration is the currency that drives the workplace today, said Kris Lovejoy, global practice leader, security and resilience, at Kyndryl, an IT infrastructure services provider. The pandemic changed the way companies work, as increased digitization helped keep global commerce moving forward. But it also expanded the surface area for which potential cyberattacks could be carried out.
“Today, it’s not a matter of if, but when, bad actors will strike,” she said. “From a security standpoint, collaboration tools increase the threat landscape. This growing challenge presents an opportunity for enterprises to embrace a new way of thinking about threats. This is why it is critical to realign to a cyber resilient future.”