It’s 8 a.m. and you’ve just polished off a full cup of dark-roast coffee to jump-start your day. After booting up your PC, you instinctively open up Outlook, along with Slack or Teams or TeamViewer. While chatting with a co-worker, you recall that you need to send administrative credentials to her, along with a few sensitive documents, so you do that via the app — it’s so easy.
This all too common scenario illustrates how collaborating over messaging apps like these is simple and instant; users can seamlessly share any number of items simply by copying and pasting them. And unlike email, which can feel archaic at times, messages don’t get lost under an avalanche of other alerts; you know the individual on the other end is going to see a notification.
However, while these solutions are fun and easy to use, boost productivity and are the norm in many workplaces these days, they often lack the internal security controls and visibility needed to fit enterprise risk management goals.
Collaboration apps currently lack granular controls, meaning enterprises can only do so much to restrict how they’re used. They also lack an auditing feature, which means in the event of a problem, it’s difficult to tell where the error was made.
Also, because of the nature of the chat functions in these platforms, watercooler gossip can take place inside these apps; conversations can stray into internal matters and sensitive data. Having this information exposed could be just as detrimental to a company as the fallout of a successful phishing attack.
Another reason these collaboration tools can be problematic is how easy it is to sign up for them with a simple email address. In heavily regulated organizations, new tool adoption isn’t something you could historically accomplish without a rigorous procurement and testing process. Cloud systems and business applications should go through the same processes, but instead, we often see individual teams downloading and using collaboration tools that suit their needs with little oversight from governance and IT teams.
Adding to the risk is the fact that these tools have proven to be targets for cybercriminals. Back in 2017, reports emerged that Slack had detected and patched a vulnerability that would have given hackers full access to chat histories, shared files and other features. In other words, any sensitive files a user transferred or messaged could have been lifted by an attacker. That’s a pretty scary thought. Just by using Slack, a user could have widened the attack landscape for the organization – without even realizing it. Slack also suffered a 2016 data breach that is still having ramifications today.
Microsoft meanwhile made headlines this past June after an internal report emerged in which the company’s employees were apparently dissuaded from using Slack. While it makes sense that Microsoft would want its employees to use Teams, its own software, it warned that Slack doesn’t provide the required controls to protect Microsoft’s intellectual property (IP).
TeamViewer, collaboration software that facilitates remote control, desktop sharing, online meetings and file transfer, has had its own issues. In 2017 the software had to issue an emergency patch for a bug that could have let attackers access users’ machines via desktop sessions. A separate social-engineering attack earlier this year used an illegitimate version of the software to trick users into surrendering access to their computer.
Preventing Unnecessary Exposure and Risk
Oversight should help limit the worst problems associated with these services, at least until the services themselves catch up with the need for enterprise segregation and security.
That means that businesses should detect and block these cloud applications until they’ve had time to assess them, after which they can be released in a controlled manner. Traditionally, a team or individual would get approval from a manager and IT for a new application. Why should Slack, Teams or TeamViewer be any different?
In the Wild West of collaboration, it might also be necessary for admins to mark all data as destructible when published on cloud services – a measure that would ensure that it can only exist for a short period of time. Data shouldn’t exist in perpetuity on these tools.
Data privacy and information-sharing practices also need to be addressed and instituted with these platforms. Companies need to be cognizant not only of the type of topics being discussed on the tools, but also how employees share documents and other files.
Organizations should also ensure that applications have end-to-end encryption – something that may never happen on Slack – and admins should make sure that any attachments uploaded to the service are protected, so that they can only be opened by the intended recipient.
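Two of the controls above (spotting credentials and secrets shared in chat, and enforcing a retention window on messages and attachments) can be checked mechanically against a message export. The following Python is an added example written for this article, not code from Slack, Teams, TeamViewer or Digital Guardian; the export format (one dict per message with `ts`, `user`, `channel`, `text` and `files`), the sample messages, the secret patterns and the 90-day retention window are all constructed assumptions to make it run offline.

```python
"""Audit a constructed collaboration-app message export for two controls:
secrets shared in chat (credentials, keys, tokens) and items held past a
retention window. Added example; the export format is an assumption, not
any vendor's real API or export schema."""
import re
from datetime import datetime, timedelta, timezone

# Things that should never travel through chat. Illustrative patterns only;
# a real DLP policy would be tuned to the organization's own secret formats.
SECRET_PATTERNS = {
    "password_assignment": re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*\S+", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]+=*", re.I),
}

# Constructed sample export (hypothetical format: one dict per message).
SAMPLE_EXPORT = [
    {"ts": "2019-09-02T08:04:00Z", "user": "alice", "channel": "dm-alice-bob",
     "text": "admin login for the jump host: user=root password=Winter2019!", "files": []},
    {"ts": "2019-09-02T08:06:30Z", "user": "bob", "channel": "dm-alice-bob",
     "text": "thanks, got it", "files": []},
    {"ts": "2019-03-10T14:20:00Z", "user": "carol", "channel": "finance",
     "text": "Q1 board deck attached", "files": ["board_deck_q1.pptx"]},
    {"ts": "2019-09-01T17:45:00Z", "user": "dave", "channel": "ops",
     "text": "curl -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc' https://api.internal/",
     "files": []},
]

# Fixed "now" so the audit is reproducible against the constructed export.
AUDIT_NOW = datetime(2019, 9, 3, tzinfo=timezone.utc)


def find_secrets(text):
    """Return the names of the secret patterns that match a message body."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def parse_ts(ts):
    """Parse the export's ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_export(messages, now, max_age_days=90):
    """Produce findings in export order: secret sharing, then retention breaches.

    A message can yield both finding kinds; each finding records who, where and when
    so the audit trail the tools themselves lack can be reconstructed from the export.
    """
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for msg in messages:
        hits = find_secrets(msg["text"])
        if hits:
            findings.append({"kind": "secret_shared", "ts": msg["ts"], "user": msg["user"],
                             "channel": msg["channel"], "patterns": hits})
        if parse_ts(msg["ts"]) < cutoff:
            findings.append({"kind": "retention_exceeded", "ts": msg["ts"], "user": msg["user"],
                             "channel": msg["channel"], "files": list(msg["files"])})
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT, AUDIT_NOW):
        print(finding)
```

Run against the constructed export, the audit flags Alice's password message and Dave's pasted bearer token as secret sharing, and Carol's six-month-old board deck as past the 90-day window; the retention finding carries the file name so the attachment can be purged rather than left "in perpetuity".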
Ultimately, collaboration tools are necessary and very useful today, but if a business is serious about protecting its data, they should be used in an enterprise risk-aware manner, where they’re an extension of the traditional application suite deployed and managed by IT. Not to put too fine a point on it, to prevent data loss, the tools should be governed strictly in terms of how they’re used and what data can be stored there.
Tim Bandos is vice president of cybersecurity at Digital Guardian.