The adoption of online collaboration tools has increased since the arrival of COVID-19, and security issues have risen with it. Collaboration tools like Slack, Google Docs, Teams, Zoom, and many others have gained enormous popularity in workplaces, but with increased usage, concerns about new security risks for organisations are at an all-time high. COVID-19 played a major role in putting collaboration tools at the forefront of various organisations. Although these tools have been life-saving during the lockdowns, their foundation is not as strong as it should be to protect organisations from cyberattacks.

Take Slack: its foundation was laid by a few programmers for sharing ideas in a small department, but over time the application grew into a prime platform for sharing ideas in large organisations as well. Today, many big firms use Slack as a messaging platform for communication among their teams. The problem lies in the design of these tools, which were created for small enterprises, and this reflects the inability of security teams to tackle the security issues that may present themselves in the future. Various collaboration tools are immature in terms of providing robust security, and the companies behind them need to put in a lot of effort to establish clear policy controls and provide a secure network. The following tips can help security teams secure their organisational networks.
Controlling Your SaaS Trail
Research conducted by DoControl suggests that a 1,000-person company that uses software-as-a-service (SaaS) applications is prone to exposing its data to around 1,000-15,000 external collaborators. Shockingly, the data revealed that around 3,000 companies had access to at least one other company’s data. Also, almost 20% of an organisation’s SaaS files are shared internally with anyone who clicks on a link. Collaboration tools like Google Docs allow direct sharing of a link to a document, and that link can be passed on through other collaboration tools as well; apps like Slack accelerate the issue by making documents easier to access. The situation worsens if the IT security team is not made aware of the tools being used in the organisation, because the result is a confusing, uncontrolled environment. It is essential to keep a company employee-friendly by providing the required tools and ensuring accessibility, but it is equally important to have control over these applications so that all the higher authorities are kept in the loop and have access. Companies should have a well-defined system for managing documents periodically. For example, there should be checkpoints for every document shared externally to make sure that there is a real need for sharing it externally. Externally shared documents must also be deleted when they are no longer required.
Deny Access When Employees Leave
It should be part of a company’s policy to delete all the data when an employee leaves the job. Access should be denied to all the shared data, documents, and accounts. Companies must give their employees a company email ID that can be deactivated whenever the employee leaves. This will also delete all the emails related to that account, denying the ex-employee access. A practical piece of advice is to deactivate all the links that were once under the employee’s control. Alternatively, there should be a window of a few days after which all the accounts and documents related to an inactive employee are sealed automatically. Some restriction is always better than leaving your organisation’s accounts unattended. Leaving access in place after a person leaves may cause serious security issues by making your information prone to being leaked to other organisations. Companies should be extremely careful in monitoring who has what information and keep an eye on the activity of ex-employees’ accounts.
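The checkpoint for externally shared documents and the clean-up of a departed employee's links can run as one periodic audit. The sketch below is an added example, not code from any vendor: the inventory rows, field names, domain, 90-day review window and departed-account list are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

COMPANY_DOMAIN = "corp.example"      # assumed company domain
REVIEW_WINDOW = timedelta(days=90)   # assumed review period for external shares

# Constructed inventory rows; every field name and value is hypothetical.
SHARES = [
    {"doc": "q3-forecast", "owner": "ana@corp.example",
     "shared_with": "bob@corp.example", "link": "restricted",
     "last_reviewed": date(2024, 5, 20)},
    {"doc": "vendor-contract", "owner": "ana@corp.example",
     "shared_with": "pat@partner.example", "link": "restricted",
     "last_reviewed": date(2024, 1, 10)},
    {"doc": "roadmap", "owner": "dev@corp.example",
     "shared_with": None, "link": "anyone_with_link",
     "last_reviewed": date(2024, 5, 1)},
    {"doc": "design-spec", "owner": "ana@corp.example",
     "shared_with": "pat@partner.example", "link": "restricted",
     "last_reviewed": date(2024, 5, 15)},
]
DEPARTED = {"dev@corp.example"}      # constructed list of deactivated accounts


def is_external(address):
    """True when the recipient is outside the company domain."""
    return address is not None and not address.lower().endswith("@" + COMPANY_DOMAIN)


def audit_shares(shares, departed, today):
    """Return (doc, reasons) for every share that needs a checkpoint review."""
    findings = []
    for share in shares:
        reasons = []
        if share["owner"] in departed:
            reasons.append("owner-departed")
        if share["shared_with"] in departed:
            reasons.append("recipient-departed")
        if share["link"] == "anyone_with_link":
            reasons.append("open-link")
        overdue = today - share["last_reviewed"] > REVIEW_WINDOW
        if is_external(share["shared_with"]) and overdue:
            reasons.append("external-review-overdue")
        if reasons:
            findings.append((share["doc"], reasons))
    return findings


if __name__ == "__main__":
    for doc, reasons in audit_shares(SHARES, DEPARTED, date(2024, 6, 1)):
        print(doc, ", ".join(reasons))
```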
Limit Personally Identifiable Information (PII) Exposure
PII is a term related to security environments. As the name suggests, it refers to information that can be used by companies for contacting, identifying, or locating a particular user. Collaboration tools can pose a risk to an organisation’s personally identifiable information (PII). The risk arises in two ways: (a) PII can be mishandled while sharing documents over a collaboration tool; (b) there is a risk of unauthorised access by insiders. The main issue with collaboration tools is that they were not designed to provide policy controls to admins. For instance, admins cannot stop sensitive information such as credit card details from being shared over collaboration tools such as Slack. Organisations should additionally install a data leakage prevention (DLP) tool to prevent the sharing of their sensitive information. Moreover, they should have a management system that enables immediate deletion of information that has been shared. There are several services that assist security teams in setting application controls, such as GitHub, which allows you to continuously scan for PII security issues and alerts the security teams to immediately investigate any issues.
Keep Changing API Keys
API keys are an easy route to an organisation’s data. Generally, nobody focuses on changing the API keys; as a result, insiders and hackers can steal API keys with bare minimum effort. The only way to secure API keys is to generate and rotate them regularly so that each key is usable only for a short amount of time.
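One way to make keys short-lived without breaking clients mid-rotation is to give every key an expiry and let the previous key survive for a brief grace period. The class below is an added sketch, not any service's API; the `KeyRing` name, the lifetime and grace values, and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets


class KeyRing:
    """Issues expiring API keys and keeps only their SHA-256 digests."""

    def __init__(self, lifetime, grace):
        self.lifetime = lifetime  # seconds a newly issued key stays valid
        self.grace = grace        # seconds older keys survive after a rotation
        self._expiry = {}         # key digest -> expiry time (epoch seconds)

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode()).hexdigest()

    def rotate(self, now):
        """Issue a new key and shorten every older key to the grace window."""
        for digest in list(self._expiry):
            self._expiry[digest] = min(self._expiry[digest], now + self.grace)
        key = secrets.token_urlsafe(32)
        self._expiry[self._digest(key)] = now + self.lifetime
        return key  # shown to the client once; only the digest is stored

    def is_valid(self, key, now):
        """Constant-time digest comparison plus an expiry check."""
        presented = self._digest(key)
        valid = False
        for digest, expires in self._expiry.items():
            if hmac.compare_digest(digest, presented) and now < expires:
                valid = True
        return valid

    def purge(self, now):
        """Drop expired digests so stale keys cannot be revived."""
        self._expiry = {d: e for d, e in self._expiry.items() if now < e}


if __name__ == "__main__":
    ring = KeyRing(lifetime=86400, grace=3600)   # assumed: one day, one hour
    old = ring.rotate(now=0)
    new = ring.rotate(now=80000)
    print(ring.is_valid(old, 83599), ring.is_valid(old, 83600))
    print(ring.is_valid(new, 83600))
```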
Protect Customer Data First
The arrival of the pandemic forced organisations to work remotely, which in turn has made data vulnerable and more prone to being stolen. Employees working from home do not follow a proper method of organising their documents, so documents end up scattered across their work devices and personal devices, stored and shared without the required risk monitoring. In such unprecedented times, companies should mainly focus on protecting their consumers’ data. Data is a critical factor that hackers exploit, so customer data privacy should be a priority for any company’s security team. Checkpoints should be developed to understand where a user’s data is being used by employees and through which collaboration tools.
Include Collaboration Tools in Security Awareness Training
Every time a message from your company network arrives on your collaboration tools, it increases the risk. Exploitation by hackers over collaboration tools is a new method of attack, so many workers are not aware of the risks associated with it. Every time an employee gets a message over a collaboration tool, they assume it was sent by a co-worker. Although we have been taught well over the years not to click on unfamiliar and malicious links, nobody suspects a message on collaboration tools. There is an increased need to train company staff on how collaboration tools work, because we are living in a world where time is money, and we will have to accept the intervention of advanced technology in our workplaces to make work easier and quicker.