A majority of U.S. and global workers have come to rely on instant messaging and collaboration tools to accomplish their jobs. Unfortunately, many employees admit to sharing business-critical data in these less-than-secure environments. Employees are hooked on these apps, so security departments must create plans to mitigate the risks of collaboration tools.
How Are Workers Using Collaboration Tools?
A survey showed that 71% of workers globally use collaboration tools like Slack and Teams every day. The average user spends 2.5 hours per day on these apps. Employees like the casual feel and ease of collaboration. And employers like them because their workers are happy and productive.
Online collaboration is how work gets done in the 2020s. Collaboration tools and instant messaging platforms can make working remotely seamless. Employees develop camaraderie with each other and with clients. Unfortunately, the casual nature of the tools also leads to the casual sharing of information. Employees often view agreements made on instant messenger as binding. They take orders for products or services and move forward with fulfilling them.
The trouble is that not all conversations are saved (or saved permanently) on tools like Slack. The upside to the lack of an archive is that there is less data for a hacker to steal. The downside is that there’s no paper trail for anything.
What Is Business-Critical Data?
Business-critical data includes all of the information that makes your organization functional. Proprietary product information and intellectual property are potentially interesting to hackers. Human resources data like complaints and medical records–even Covid-19 test results–is considered critical to your business and potentially theft-worthy.
Purchase orders and other forms of agreement to work are commonly shared on collaboration tools. Client data on purchase orders may contain names linked to email addresses, phone numbers, and payment details/card numbers. All are very interesting to hackers.
What Kind of Security Risks Do IM and Collaboration Tools Pose?
Users are familiar with the risks associated with email. They generally know what a phishing message looks like and how to report suspicious messages to IT. Collaboration tools are so new that most users don’t know the warning signs.
Phishing, malware, and data leakage are all possible on collaboration apps. Both Teams and Slack are configured to send users an email when they are away and miss a message. These types of emails can be easily spoofed and used to deploy malicious code.
Collaboration tools have become popular in part because they are easily integrated with third-party apps for marketing, calendars, video conferencing, etc. These integrations can expand the attack surface for your company and should be carefully investigated before they are installed.
Many collaboration tools and apps allow guest access for non-employee communication. This functionality is useful when sharing documents or setting up meetings with vendors or clients. But it is also a vector for cyber-threats and potential data loss.
How to Mitigate the Risks of Collaboration Tools
Don’t fight it–fix it. The first step is to accept that your employees are going to continue using collaboration tools. You need to develop a protection or compliance plan to cover them.
Rein in the number of tools that your company is using and provide what is necessary at the enterprise level. This should include any plugins or third-party apps that different departments request. Then create and implement a policy for how to use collaboration apps. This policy may explicitly state that orders or agreements must be executed via email. It should also contain details on how to report potential threats.
Data generated over collaboration tools needs to be managed just like data generated by email. Develop a way to incorporate this information into your overall data management strategy.
And, as always, take the standard precautions required for every digital tool. Back up data; update devices and patch software regularly; implement multi-factor authentication; and educate and train your employees.