Back before enterprises embraced the cloud and its many benefits, software was released every two years through a formal change management process, or organizations would introduce new software into their business on a scheduled basis. As a result, chief information security officers (CISOs) had what felt like an unlimited timeline to make security-based decisions.
Today, organizations roll out capabilities automatically, putting new applications into the hands of users instantly and forcing IT and compliance departments (not to mention the CISO) to constantly play catch-up. Attempting to manage these apps reactively, rather than proactively, adds stress to IT and security departments. Further complicating matters is the fact that the most advanced, cutting-edge and widely adopted collaboration platforms are marketed to, used by, and frequently even deployed by end consumers. IT and compliance departments must continue to adapt as the lines between enterprise and consumer technology continue to blur.
This issue has only been exacerbated by the almost overnight shift to work from home in early 2020. Most organizations accelerated a decade’s worth of digitization in just one year, from remote teamwork and learning to sales and customer service to critical cloud infrastructure and security. This meant businesses were frantically downloading and purchasing new products to help. The rapid deployment of unified communications (UC) and collaboration platforms during the past year and a half drove a new set of challenges for IT, security and compliance teams. As we continue to embrace hybrid work, CISOs and compliance teams are wading through, and in some cases even overlooking, many different areas of collaboration security. We’ve highlighted in this post the top three areas of risk that should keep CISOs awake at night. The remote workplace continues to evolve at lightning speed, and so too should CISOs, or they risk sensitive materials ending up in the wrong hands.
1. A Battle for the Ages: Security versus Usability
If it’s true that no good deed goes unpunished, then CISOs aiming to balance security with usability are feeling the heat. For some, risk prevention wins out: hospital systems or financial institutions might endure limited product flexibility in favor of their tight security. For others - like a commercial real estate company - usability in the form of easy and fast communication wins.
No matter where an organization falls on the usability and security scale, CISOs must stay proactive and involved when it comes to making security, governance, and business decisions. Both sides of the coin can be a miss depending on the type of business, so successfully evaluating risk prevention and collaboration needs is essential to building an effective business strategy.
The ability to record a meeting is one of the greatest potential productivity improvements, but many organizations have failed to deliver on its benefits. Instead, organizations have chosen to take the easy way out, simply disabling the feature in lieu of putting in the work to build a comprehensive lifecycle management and security policy around meeting recording and internal and external sharing. This lack of effort can also force an employee’s hand to utilize other, less secure means of recording.
Successful CISOs can straddle both security and usability needs; the two don’t have to be mutually exclusive. CISOs should be encouraged to tap outside help, preferably a team that can combine real-world best practices with an objective voice, to guide the organization to the middle of the security and usability Venn diagram.
2. Throwing Guest Access Policies - and Caution - to the Wind
In the first half of 2020, as large numbers of enterprises were scrambling to onboard new UC and collaboration platforms, additional levels of security, like guest access policies, weren’t a major priority. But now, as we enter the second year of predominantly working from home, incorporating solid guest access policies is crucial to prevent an enterprise from falling victim to a hack or breach.
That said, CISOs face another delicate balance when it comes to guest access policies: balancing restrictiveness with ease of use. With email no longer serving as an organization’s de facto communication tool, employees may turn to shadow IT to get around overly restrictive policies. Instead, CISOs must implement flexible and secure guest access policies that meet the needs of both internal and external stakeholders.
A good example of this is what Microsoft recently announced during Ignite: a new channel sharing feature for Microsoft Teams. Now there are two options for secure collaboration with people and organizations outside of your own: Teams Connect and Teams Guest Access. And while this channel sharing feature has many benefits, it also opens an additional security gap for CISOs and compliance teams to manage.
3. No Structure, and Many Naming Crimes
Like guest access policies, the idea of formalizing cross-functional naming conventions across teams and platforms seemed daunting in the early months of 2020. Organizations that continue to avoid implementing a consistent naming convention not only risk losing valuable documents or programs, but also create slower, more complicated workflows for their employees.
An integral part of finding the Venn diagram balance between security and usability is having different collaboration policies across regions and technologies. A good way of signalling the policy to users is through naming conventions. For example, Teams and Channels with guest access enabled should carry a prefix (EXT) that indicates their guest access policy, like “EXT_US_Marketing Project.”
It’s critical to craft consistent naming conventions across platforms, prioritizing discoverability. CISOs must also work directly with mid- and senior-level management to identify conventions already in common use and launch a strategy to encourage compliance company-wide.
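The naming convention above only signals policy if it actually matches the guest access setting on each team or channel, so a compliance team would want a recurring check that flags drift in both directions: guest-enabled workspaces missing the EXT prefix, and EXT-prefixed workspaces where guest access has since been turned off. The script below is an added example written for this post, not code from the article or from Microsoft; it assumes a flat inventory export (workspace name plus a guest-access flag, constructed here as sample data) and a hypothetical `EXT_<REGION>_<Name>` pattern modelled on the “EXT_US_Marketing Project” example.

```python
import re
from dataclasses import dataclass

# Hypothetical convention modelled on "EXT_US_Marketing Project":
# EXT_ prefix, a region code, an underscore, then the free-form name.
PREFIX_PATTERN = re.compile(r"^EXT_(?P<region>[A-Z]{2,4})_(?P<name>.+)$")

# Regions for which a collaboration policy exists (assumption for this example).
ALLOWED_REGIONS = {"US", "EU", "APAC"}


@dataclass(frozen=True)
class Workspace:
    """One team or channel from an inventory export (constructed input)."""
    name: str
    guest_access_enabled: bool


def parse_name(name: str):
    """Return {'region': ..., 'name': ...} for a convention-compliant name, else None."""
    match = PREFIX_PATTERN.match(name)
    return match.groupdict() if match else None


def audit(workspaces):
    """Return (name, finding_code) pairs for every workspace that drifts from the convention.

    MISSING_EXT_PREFIX: guest access is on but the name does not announce it.
    STALE_EXT_PREFIX:   the name announces guest access that is no longer enabled.
    UNKNOWN_REGION:     the prefix names a region with no defined policy.
    """
    findings = []
    for ws in workspaces:
        parsed = parse_name(ws.name)
        if ws.guest_access_enabled and parsed is None:
            findings.append((ws.name, "MISSING_EXT_PREFIX"))
        elif not ws.guest_access_enabled and parsed is not None:
            findings.append((ws.name, "STALE_EXT_PREFIX"))
        elif parsed is not None and parsed["region"] not in ALLOWED_REGIONS:
            findings.append((ws.name, "UNKNOWN_REGION"))
    return findings


# Constructed sample inventory; not data from any real tenant.
SAMPLE_WORKSPACES = [
    Workspace("EXT_US_Marketing Project", True),    # compliant external team
    Workspace("Finance Close", True),               # guest access on, no prefix
    Workspace("EXT_EU_Vendor Onboarding", False),   # prefix left behind after guests removed
    Workspace("EXT_XX_Partner Portal", True),       # region code with no policy
    Workspace("HR Internal", False),                # compliant internal team
]


if __name__ == "__main__":
    for name, code in audit(SAMPLE_WORKSPACES):
        print(f"{code:<20} {name}")
```

Run it against a real export by replacing `SAMPLE_WORKSPACES` with rows from the inventory. The three finding codes map directly to owner actions (rename, remove the stale prefix, or define a policy for the region), which makes the output easy to route to the team owners named in the management conversation above.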
The Highest Risk is Often from Within
Risk can originate from several platform starting points, including files, chat streams, comments, and meeting transcripts. But the truth is that current and former employees are a massive high-risk area that is often overlooked.
24% of employees are unaware of their company security guidelines. Further, millennials are twice as likely to install apps not approved by IT. The result? 43% of data breaches (half of which are accidental) stem from employees.
Let end users run free, and it’s only a matter of time before something is shared with the wrong person. As an InfoSec or IT professional, you’re continuously evaluating and assessing security risks, and now is the time to establish the critical security and governance controls needed to reduce the risks inherent in mainstream collaboration platforms.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.