The Collaboration Dilemma

Friday, 20 March 2020, 10:39 IST
Tim Bandos, Vice President Of Cybersecurity, Digital Guardian

At the start of the day, after starting up your computer, you instinctively open Outlook, along with Slack or even Teams. While chatting with a co-worker, you recall you need to send administrative credentials to them, along with a few sensitive documents.

Unlike email, which can feel archaic at times, collaborating over messaging apps like Slack is simple and instant as the messages don’t get lost under innumerable alerts; you know the individual on the other end is going to see a notification.

While these solutions are fun and simple to use, not to mention the norm for many workplaces these days, they often lack the necessary internal security controls and visibility that email has. Administrators may traditionally password protect a document in an email before sending or send usernames and passwords in separate messages, but such features go out the window when using the latest collaboration platforms.

As we become more frivolous with the data we share over collaboration apps, what’s in danger of being exposed – and how can companies better safeguard these apps to prevent unnecessary exposure and risk?

Back in 2017, as reported by Wired, Slack said it had detected and patched a vulnerability that would have given hackers full access to chat histories, shared files, and other features. In other words, any sensitive files a user transferred or messaged could’ve been lifted by an attacker. That’s a pretty scary thought. At the time, just by using Slack - without even realizing it - a user could have widened the attack landscape for their organization.

It’s easy to overlook the watercooler gossip that can take place inside these apps: conversations that can stray and sometimes veer into sensitive or insider discussion. Having this information exposed could be just as detrimental to a company's data as the fallout of a successful phishing attack.

Microsoft made headlines in 2019 after an internal report emerged in which the company's employees were apparently dissuaded from using Slack. While it makes sense that Microsoft would want its employees to use Teams, its own software, it warned that Slack doesn't provide the required controls to protect Microsoft's Intellectual Property (IP).

It's easy for companies to lose IP by accident or negligence, but it's even easier on Slack and other collaboration apps when there's nothing to stop a user from sharing sensitive data.

TeamViewer, collaboration software that facilitates remote control, desktop sharing, online meetings, and file transfer, has had its own issues. In 2017 TeamViewer had to issue an emergency patch for a bug that could have let attackers access users' machines via desktop sessions. A separate social engineering attack last year used an illegitimate version of the software to trick users into surrendering access to their computers.

The root of the problem stems from the persistent tug of war between ease of use and security.

Collaboration tools allow users to seamlessly share any number of items simply by copying and pasting them. Documents are embedded, images are embedded. We find ourselves using these tools to share items with each other, but the point we seem to miss is that while ease of use can be a good thing, the less time we spend on something, the less attention we pay to it.

In a classic email, it took an effort to take a screenshot, save it as an image, and attach it to the email. While drawn out, the process gave us time to think about what we were doing and whether sharing that image was in the best interest of data protection.

Today, we can copy an item, hit a keyboard shortcut and there it is, embedded in a cloud service. Experience tells us that whatever we put on the internet will stay there and that can be worrying when it’s that easy.

Another reason these collaboration tools are so problematic is that they’re often deployed by the people most interested in their benefits and not their detriments. Think for a moment about how easy it is to sign up for these tools with a simple email address and to start using them to share ideas and data.

In heavily-regulated organizations, new tool adoption isn’t something you could historically accomplish without a rigorous procurement and testing process. Cloud systems and business applications should go through the same processes as apps designed to protect an enterprise from risk. Instead, we often see individual teams using collaboration tools that suit their needs with little oversight from governance and IT teams.

Businesses should detect and block these cloud applications until they’ve had time to assess them, after which they can be released in a controlled manner. Traditionally, you’d get approval from your manager and IT for a new application. Why should Slack or TeamViewer be any different?

Collaboration apps currently lack granular controls, meaning enterprises can only do so much to restrict how they’re used. Collaboration apps also lack an auditing feature, which means in the event of a problem, it’s difficult to tell where the error was made. Oversight should help limit the worst problems associated with these services, at least until the services themselves catch up with the need for enterprise segregation and security.

In the Wild West of collaboration, it might be necessary for admins to mark all data as destructible when published on cloud services, a measure that’d ensure it can only exist for a short period of time. Data shouldn’t exist in perpetuity on these tools.

Data privacy and information sharing practices need to be addressed and instituted with these platforms to safeguard against unnecessary exposure and risk. Companies need to be cognizant not only of the type of information being discussed on the tools but also of how employees share documents and other files.

Organizations should ensure the applications they use have end-to-end encryption – something that may never happen on Slack. Admins should also make sure that any attachments uploaded to the service are protected so that they can only be opened by the intended recipient.

Ultimately, collaboration tools are necessary today, but if a business is serious about protecting its data, they should be used in an enterprise manner, as an extension of the traditional application suite deployed and managed by IT. To prevent data loss, the tools should be governed strictly in terms of how they’re used and what data can be stored there.