Standard virtual workspace security is improving but still not enough
The COVID-19 pandemic sparked a shift towards work-from-home or telecommuting arrangements, which many companies say they are likely to retain even after the pandemic. This new way of working has raised the demand for collaboration platforms and virtual rooms, which in turn create new cybersecurity challenges.
One recent flaw, a cross-site leak or XS-Leak, is linked to Slack's file-sharing feature. If exploited, it can let malicious actors identify users from outside the workforce messaging platform. It allows attackers to circumvent the web browser security feature called the "same-origin policy," which stops browser tabs and frames belonging to different origins (domains) from accessing each other's data.
Reportedly, Slack had no plans of patching this vulnerability. The company reasoned that users have the ability to prevent attackers from taking advantage of this flaw by making sure that everyone in their Slack workspace is "trusted." It is this kind of mentality that makes it necessary for everyone to consider getting a supplemental Slack security solution or something similar for other platforms.
Slack and most other virtual workspaces are accessible on an invite-only basis. This, however, does not guarantee users' privacy and security. Slack in particular has a noted lack of data filtering, malware scanning, and similar security features. It would be a stretch to presume that platform providers like Slack do not care about cybersecurity, but it is safer to employ extra security solutions or measures.
Regulatory compliance is not enough
There are laws and legal requirements aimed at making digital workspaces secure, especially at a time when remote work is becoming the norm. These include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Electronic Communications Privacy Act (ECPA), the Computer Fraud and Abuse Act (CFAA), and the EU General Data Protection Regulation (GDPR). Depending on the location of a company or organization, following the regulations set by these acts and standards is not a matter of choice but compulsory.
It is not unusual for some to think that the steps taken to comply with regulations already constitute cybersecurity best practices. This is not true, especially for organizations that are new to the digital work environment. To be clear, governments do not have people continuously overseeing every organization's compliance with regulatory requirements. Compliance audits are undertaken only periodically. This means that, between audits, an organization may drift out of compliance and remain exposed to various cyber attacks without anyone noticing.
Of course, regulations and laws are not meant to be ignored, but their enforcement is a different matter altogether. Organizations that want to be safe for their own good need their own strict security protocols or policies and rigorous observance of best practices. In the case of zero-day exploits, for instance, effectively stopping the threats depends on what organizations do in their daily operations. If their systems are compliant but their employees have not been made aware of the risks of sophisticated attacks that leverage social engineering, their cyber defenses are likely to fail.
Best practices and specific security policies for certain industries are important. These include the following:
- Principle of least privilege -- This considerably reduces the chance that a complex attack gains partial or full control over data or systems. Organizations may also use cloud-based access control systems for seamless operations.
- Regular software updating -- The need for prompt and regular updates is not only about the virtual workspace client software. It is also crucial to keep security controls and operating systems updated so that they carry the latest security patches. In bigger organizations, a patch management system is recommended to make software updates efficient and to close known vulnerabilities promptly.
- Using data encryption -- Always make sure that the data shared in virtual workspaces is encrypted. Avoid using systems that do not encrypt data transfers end to end. The Advanced Encryption Standard (AES) and RSA are two of the most commonly used and reliable encryption technologies for online communication and collaboration platforms.
- Protecting connections with VPNs -- Advertisements for Virtual Private Networks are quite common these days. Indeed, VPNs do provide protection for workspaces, especially for those who connect through public networks. However, it is important to scrutinize VPN options carefully and to make sure that they provide not only privacy protection but also guaranteed security for all data transmitted between networks and online.
- Educating employees -- The threat of phishing and other social engineering attacks continues to hound organizations despite all the advances in cybersecurity technology. This is because most people are still not well versed in good cybersecurity hygiene and effective cyber defense practices. Few can tell that they are already falling victim to a social engineering scheme. It is crucial for everyone in an organization who has access to digital resources to have adequate cybersecurity know-how so that they do not become unwitting accomplices of cyber attackers.
The need to go beyond the basics
It is unfair to label virtual workspace platforms or online conference and collaboration services as inherently not secure, but the reality is that the security features they come with are often not enough. Some would even say that it is the responsibility of users to avoid certain configurations or use non-default settings to secure their sessions.
Google Workspace recently unveiled a new feature, an improved notification system, to help combat phishing attacks. Google now includes a commenter's email address in the notification to make it easier for users to evaluate the legitimacy of messages. Still, this is not enough to address all of the threats that impact digital workspaces.
Gartner recently released its 2022 list of top security and risk management trends, and it includes a number of points that relate to virtual workspace security. These include human cybersecurity weakness, digital supply chain risk, and expansion. All of these are still not adequately addressed by the built-in security features of most workspace platforms.
Image credit: AndrewLozovyi/depositphotos.com
Peter Davidson works as a senior business associate helping brands and start-ups to make efficient business decisions and plan proper business strategies. He is a big gadget freak who loves to share his views on the latest technologies and applications.