If your teams weren’t already using popular collaboration tools such as Slack, Microsoft Teams, Zoom and Google, chances are they are now. The sudden widespread directive for most employees to work from home due to the spread of the COVID-19 virus means many IT and security teams have had to scramble to figure out how to support massive growth in remote employees in the last few weeks. One way they have done that is by directing them to turn to convenient, online collaboration tools.
The demand for these products has grown so enormously that many are now offering their services for free for a period. For example, Zoom is offering its videoconferencing app for free to free to K-12 schools in the U.S., according to Forbes. Slack is offering the paid version of its chat app to anyone working on COVID-19 research, response or mitigation. Microsoft is including its premium version of Teams as part of a six-month trial offer for the Office365 E1 payment plan.
But as Aaron Turner, president and CSO of HighSide, points out, Slack, Microsoft Teams, Zoom and other collaboration platforms aren’t very secure, and neither are shadow IT apps such as WhatsApp. Their sudden and widespread adoption is a recipe for security disaster.
“I’ve been focusing on cybersecurity for nearly three decades, and I’ve never seen a moment in time where so many businesses across so many regions have been at such risk,” said Turner.
HighSide is offering its own collaboration solution free to any organization through Sept. 1 as part of its response to what the company views as a critical need for secure tools during this time.
Data Security, Compliance Issues, Insider Threats – Oh, My!
With many businesses highly unprepared to secure the tools their workforce is now turning to remotely in the name of productivity, what is at stake?
“If a bad actor is able to compromise a user account, they have powerful access to get behind company defenses,” said Otavio Freire, CTO & co-founder of SafeGuard Cyber. “In the current WFH (work from home) paradigm, this risk is made more real because computers and devices are now at home and do not have all the firewall and network protection found inside the corporate networks. Once inside a collaboration platform, a bad actor can pose as a trusted employee to share malicious docs or files to move laterally into other devices. Depending on how the platform is configured, they may also be able to move into file-sharing apps such as G-suite or Sharepoint to gain access to sensitive data.”
And the threat isn’t just from the outside, noted Freire.
“Insider threats include data exfiltration from malicious insiders,” he said. “Paranoia aside, there are also compliance and data risks posed by virtualizing an entire workspace: inappropriate messaging, harassment, bullying, sharing of PII. Some of our customers are producing 40,000 to 70,000 Slack messages per day. You need a way to surface risks quickly, both in direct messages and in channel discussions. We’ve heard of HR teams needing to shut down channels where conversations were centered around estimating local coronavirus death tolls!”
And legacy security and data loss prevention (DLP) tools that have been in place for years to handle on-site collaboration and work environments simply will not cut it in this new remote working environment with Google, Slack and Dropbox now part of daily operations, said Jadee Hanson, CISO at Code42.
“Security teams still running traditional DLP tools won’t see activity happening in these cloud environments,” she said. “And traditional data loss prevention tools block collaboration, which stands in stark opposition to what workers need to do to stay productive from their home offices. Today, security organizations can’t afford to fly blind to the cloud and block users, especially with fully remote workforces.”
Recommendations for (More) Secure Collaboration
As is always the case when it comes to risk mitigation, nothing will protect an organization 100% from breach or cyber attack. But security managers we spoke with made some suggestions for securing workers while they collaborate remotely.
Implement Multi-Factor Authentication
The increase in remote work is causing a sharp spike in phishing attacks attempting to capitalize on COVID-19, according to Gerald Beuchelt, CISO of LogMeIn. To reduce the potential impact of phishing attacks, which steal user credentials of employees working from home, add multi-factor authentication (MFA) for remote access for employees.
“Organizations can’t just rely on strong password authentication,” added Lucas Wojcik, CISO at Productsup.“They need to use two-factor authentication wherever supported to avoid unauthorized access and ensure permissions are appropriate, based on the principle of least privilege and regularly reviewed.”
Provide User Awareness Training
“Organizations need to train their employees on company policies and procedures for data usage and make them aware of any potential risks,” said Wojcik.
Beuchelt agreed. “Often creating a stronger ‘cyber smart’ security culture takes time and lots of education, but under the current circumstances we all need to play our part more immediately.”
Be Conscious of Shadow IT
“Those managing remote teams need to be conscious of ‘shadow’ IT, which means employees downloading their own apps and software instead of the company’s recommended applications and collaboration tools,” said Beuchelt. “People do this because they’re familiar with the app or the company’s option is hard to use, but this presents new vulnerabilities. IT and security teams should be prepared to closely monitor user behavior and network activity while ingesting current threat reporting on COVID-19 scams and threats.”
Define Information Classification and Handling
“Companies need to classify information sensitivity across their organization, such as public, internal or confidential information,” said Wojcik. “Once classified, they need to define rules for handling the various types of information across their collaboration tools, like rules detailing specific access control or encryption requirements. Companies can then leverage built-in features, like watermarks, auto-detection or forwarding restrictions for mail, to handle the different information classes.”