Heads up y’all, hackers have entered the chat. The team chat, that is.
To enable remote and hybrid work during the pandemic, organizations have embraced team collaboration apps and platforms. To absolutely no one’s surprise, hackers have followed them there.
In February, cybersecurity firm Avanan warned hackers are using Microsoft Teams to circulate Trojan malware during chats and video meetings. According to a statement released by Avanan, its experts have “seen thousands of these attacks per month.”
Also in February, the FBI issued its own warning about videoconferencing scams that are so outlandish they sound like something out of a (bad) Hollywood movie.
As described by the FBI, the cyber crooks hack into an employee’s company email account, then send out invitations “requesting employees to participate in a virtual meeting platform where a criminal will insert a still picture of the CEO with no audio, or ‘deep fake’ audio, and claim their video/audio is not properly working. They then proceed to instruct employees to initiate transfers of funds via the virtual meeting platform chat or in a follow-up email.”
At the end of March, London police arrested members of the LAPSUS$ gang, which allegedly infiltrated the Slack channel of gaming giant Electronic Arts in a plot to hold EA source code for ransom. (This ought to make you feel old: the seven people arrested range in age from 16 to 21 years old.)
All of that made for a very timely panel discussion on team collaboration security at the most recent Enterprise Connect conference. The moderator was Metrigy Research president Irwin Lazar, whose own survey of 476 organizations indicated that in 2021:
- 68% had deployed team collaboration apps
- 54% were using or planned to use team collaboration apps to support B2B and B2C collaboration
- 41% did not have a proactive workplace collaboration security plan
Since many enterprises are still fine-tuning their collaboration setup, the panelists concurred that many questions about collaboration security simply do not have definitive answers yet. Here are highlights from the discussion around three of those questions.
Who owns collaboration security?
When Lazar posed that question in his survey last year, he discovered that:
- in just over 50% of all organizations, the CISO/CSO owns responsibility for collaboration security
- in organizations achieving the highest ROI for their collaboration investments, however, collaboration teams are most likely to own responsibility for this type of security
No wonder there’s uncertainty about where IT departments fit into this picture.
“It’s really tough for us to figure out ‘what is our role?’ Is it investing in organizational change management and training end users to use these collaboration solutions that we’re improving and providing? Is it figuring out what the differing security stories are for these different platforms? The platforms are kind of all across the board in terms of what they support and how we can secure them,” lamented panelist Brandon Long, director of product management at Unify Square.
Fellow panel member Niraj Gopal said collaboration security will probably have to become much more … well, collaborative. That includes business unit input.
“In order for us to deploy one of these modern collaboration applications, you’re going to see infosec CISO teams come together, you’re going to see the collaboration guys come together. Also, some of the people from line of business will come together along with the vendors, essentially,” predicted Gopal, head of product management for Cisco’s Webex platform.
Does UX trump security?
When it comes to collaboration, “I think we’re at a place now where user experience and security are butting heads,” declared panelist Ted Smith, global director of solution architecture and strategy at Oracle.
For example, encrypting collaboration sessions can disable other collaboration features or hinder their UX.
“I would say your voice and video collaboration session should always be encrypted. But then how are you going to do the (automated) transcribing and recording? You need to be able to deal with those things as well, so it certainly comes with some complications,” said panelist Walter Kenrich, senior director of product line management at Ribbon Communications.
To safeguard security, “some of the value-added features like transcription should not be disabled,” added Gopal. “But I think there’s an opportunity for the vendors to augment their capability so they give control to the customers, even though it’s end-to-end encrypted. For example, if compliance or DLP CASB are important to you, you own the (encryption) keys and you can empower the right applications to take that key update and apply your security policies.”
How do we handle shadow IT?
Collaboration is just the latest battleground in the ongoing enterprise war against shadow IT. Long suggested IT must do a better job of educating employees about how their company’s officially sanctioned (and secured) collaboration solution can provide the same UX they’ve found in shadow IT tools.
“What can I do to attract (employees) to those (sanctioned) solutions to meet their actual business needs? How do I clearly communicate to them that even though you’ve always used X solution for your team to communicate, we can actually do that with our solution, and here’s how you do it?” said Long.
By examining which shadow IT their employees are using, IT managers can actually gain a better understanding of the collaboration features their business really needs, said Kenrich.
“I would hope that the IT department would try to find out why they’re using the rogue tools in the first place. It’s got to be an application gap for them to subvert any of their supported applications on their network,” he said.
Some of the collaboration security tools and strategies mentioned during the panel included MFA, end-to-end encryption, DLP (data loss prevention), CASB (cloud access security broker), identity management, built-in antivirus, zero trust, SASE, SBCs (single board computers), blocking certain IP addresses, blocking certain file sharing and deploying advanced analytics to spot suspicious anomalies.
In other words, IT is still figuring out how to secure this new era of enterprise collaboration. In this early stage of that journey, the most important first step is to ask the right questions.
“In the past, a meeting happened and it went away, right? It was very transient,” Gopal said. “Now you have recordings. All that data is getting generated—and it’s all over the place. How do you secure it and how do you protect it?”