10 Security Issues to Address When Selecting a Collaboration Tool
No doubt you are using some sort of business collaboration tool, perhaps even right now. If you utilize Box, Dropbox, Moxie, Salesforce Chatter, Microsoft Office 365, Skype, Outlook, SharePoint, Jive or any of the other myriad brands out there, then you are using an enterprise collaboration tool. If you are not using any of these, chances are quite good that you will at some point. But collaboration tools, by their very nature, come with security and data privacy cautions that often aren't realized—or may simply be ignored—by management. In this eWEEK slide show, using industry information from private cloud content collaboration software maker Accellion, we identify 10 potential issues collaboration tools bring to an enterprise.
Collaboration Tools May Allow Malware Into a Network
Depending on how their network security is configured, enterprises' use of collaboration tools may be inadvertently opening an insecure channel that can introduce ransomware or other forms of malicious code. It's critical to make sure content coming back from collaborators does not provide a path for hackers to gain access to the network and compromise sensitive data or personally identifiable information (PII). Two ways organizations can prevent malware from infiltrating the network are automatic antivirus scans on all file downloads and on all uploads to content systems.
Encryption: Who Holds the Keys?
Enterprises concerned about storing sensitive content in the cloud may believe that encryption will prevent unauthorized users from viewing those files. However, an important factor is knowing exactly who has the keys. If you're storing content in the public cloud, the cloud vendor likely has access to those keys—and therefore your content. As a result, your content may be subject to a subpoena—or worse, a breach—without you knowing (until it's too late). Some public cloud solutions offer optional key management services that give customers control over encryption keys but at an added cost. The bottom line is unless you have total control of your encryption keys, you don't have total control of your content.
2FA: Is a Password Good Enough?
Even if users put some effort into choosing unique usernames and passwords, a brute-force attack can eventually guess these credentials and access a system. The better collaboration solutions use two-factor authentication (2FA) or multifactor authentication capabilities, such as an SMS text code, biometrics or security questions, to provide a second or third level of defense. So, while hackers may be able to guess your username and password, they won't have access to your mobile phone or know the name of the street you grew up on. The result is a collaboration system that is much more secure.
Mobility: Convenient, but What About Security?
Smartphones and tablets have proved to be transformational for enterprises because they have significantly enhanced information access, sharing and collaboration. At the same time, they have also created heightened risk for data loss. Mobile devices, for example, are particularly susceptible to data breaches, not only from vulnerabilities in the device or operating system but also from compromised Wi-Fi networks and man-in-the-middle attacks. A collaboration solution should have several features that protect sensitive content stored on mobile devices. Secure access to content systems, a mobile container that segregates enterprise information from end-user information, two-factor authentication, offline PIN, the ability to wipe content from the phone remotely and app whitelisting are just some of the key mobile security features CIOs should use.
Multiple Versions of Files Mean More Opportunity for Hackers
Many collaboration tools create duplicate copies of files in a public cloud storage location in order to provide sharing and editing capabilities, creating a larger attack surface. Eliminating extra replication can significantly reduce the risk of a breach; when information is compromised, extra copies also make it harder to identify exactly where the breach occurred. When working with sensitive content, keeping files in the system of record, and sharing them via on-premises or private cloud collaboration tools, reduces the chance files will find their way into the wrong hands.
Don't Confuse Secure Collaboration With End-to-End Encryption
An employer can—and should be able to—read your business communications after you leave the company. What an employee shares with a customer, partner or vendor while on the job is the company's business. The enterprise owns its content, even when it sits on a former employee's mobile device. This gets complicated when employees believe that using a secure collaboration solution tied to a password they have selected will prevent even their own employer from reading content. When communicating sensitive personal information, employees should not use their enterprise collaboration solution, and instead should encrypt end-to-end, utilizing a product they have control over.
DLP and Collaboration: Is Your Sharing Platform Potentially Leaky?
Many organizations have invested in data loss prevention (DLP) solutions to ensure end users do not send sensitive or critical information outside the corporate network. Typically, these solutions are configured to prevent content containing certain data from being transmitted via email or copied externally. An effective collaboration solution integrates with your DLP system to scan every file before it is made available for external access. In addition, the solution should have a central policy management system to ensure rules are uniformly enforced and files are consistently and efficiently screened with the same criteria, regardless of the method you are using to share content.
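The central-policy idea above, sketched as an added example (not code from eWEEK, Accellion or any DLP product): every sharing channel calls the same gate, so a file is screened with identical rules however it is shared. The rule names, channel names and sample files are hypothetical and constructed for illustration.

```python
import re

# Hypothetical central policy: one rule set shared by every sharing channel.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; discards digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> list[str]:
    """Return the names of the policy rules that the text violates."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append("payment_card")
            break
    if SSN_RE.search(text):
        hits.append("us_ssn")
    return hits


def release_for_external_access(channel: str, filename: str, text: str) -> dict:
    """Single gate every channel calls before a file is shared externally."""
    hits = scan(text)
    return {"channel": channel, "file": filename,
            "allowed": not hits, "violations": hits}


# Constructed sample files; 4111 1111 1111 1111 is a standard test card number.
SAMPLES = {
    "invoice.txt": "Card on file: 4111 1111 1111 1111, exp 01/30",
    "tracking.txt": "Shipment 1234 5678 9012 3456 left the warehouse",
    "hr.txt": "Employee SSN 123-45-6789 for payroll",
}

if __name__ == "__main__":
    for channel in ("email", "shared_link", "sync_client"):
        for name, body in SAMPLES.items():
            print(release_for_external_access(channel, name, body))
```

The tracking number is released because it fails the Luhn check, which shows why checksum validation matters: a policy that blocked every 16-digit string would push users toward unscreened channels.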
Keep Business, Pleasure Separated on Your BYOD Device
Bring-your-own-device (BYOD) policies can infringe upon employee rights when an employee leaves the company—for example, when a mobile device management (MDM) solution is triggered to remotely wipe the phone to erase employer data and deletes personal content in the process. Unless employees consistently and diligently keep work content separate from personal content, this can create a real headache for former employees and employers. A mobile-enabled collaboration solution should have secure mobile containers that quarantine work content from all other content, so that the employee's own device is not affected by the removal of company data.
You May Be Complying, but Are Your Employees?
Organizations spend millions of dollars on IT systems they expect their employees to use. However, in the interest of moving quickly or satisfying customer requests, employees may turn to consumer devices and applications because they find them easier to use, or simply because they are less cumbersome. While these shadow-IT solutions may enhance employee productivity, they put enterprise content at risk, or potentially out of compliance with industry regulations. Enterprise IT departments can limit this behavior by considering ease of use when choosing a solution and making an effort to simplify access by users.
Data Sovereignty: Will You Be Ready?
The deadline for compliance with the European Union's General Data Protection Regulation (GDPR) is quickly approaching (May 2018). Any enterprise collecting or processing personally identifiable information (PII) belonging to EU citizens will have to demonstrate strict adherence to an EU citizen's right to privacy. Failure to comply could result in steep financial penalties and lasting damage to brand reputation. For organizations subject to GDPR, or simply concerned about where data is being stored in case of a government action, it is critical to understand where a provider's servers are located (including redundant or backup systems), or to select a collaboration solution that can be deployed on your own hardware or a private cloud platform.