Dealing with the risks of online collaboration tools [Q&A]
The shift to working remotely has led to businesses relying increasingly on collaboration tools like Slack and Teams. But while these undoubtedly increase productivity, they also introduce some extra risks.
We spoke to Brian Mannion, chief legal and data privacy officer at Aware, to find out about these risks and how enterprises can address them.
BN: What are some of the biggest risks enterprises face when using collaboration tools?
BM: Now that almost every enterprise uses a collaboration tool, like Slack or Teams, to communicate internally, it's important to manage two critical risks: allowing the use of the collaboration tool so the company receives the benefits of its investment; and managing the risks associated with its use.
Firstly, collaboration tools allow for more effective internal communication than email. Unlike email, it's typically shorter, contains authentic tonality, and happens in real time (making everything feel 'in the moment'). The user experiences of collaboration tools also drive more interactions. This results in a very high adoption with significant business value -- both obvious and buried.
The natural inclination of risk teams, such as legal, compliance, and information security, is to limit the use of these tools and delete the data as quickly as permitted. This approach does in fact limit the risk of the data created in the collaboration tools and is consistent with how email was managed during its initial utilization decades ago. However, this approach does not consider the drastically reduced return on investment for the collaboration tool the enterprise purchased and, more importantly, simply pushes the employee to create the data in unapproved collaboration tools -- typically several!
Secondly, unfettered use of collaboration tools is an impractical approach IT leaders try as well. Enterprise risk teams should focus their efforts on implementing three fundamental controls associated with almost all data regardless of the technology tool -- how long you keep it, what is in it, and how to find and preserve it for legal or investigation reasons. Generally speaking, collaboration tools were not designed as enterprise platforms where IT administrators could set security and granular records retention controls. Enterprises should have a clearly defined collaboration tool use policy that drives the type of data that should be in a collaboration tool and then record retention policies aligned to the business values of the data. Data Loss Prevention (DLP) tools should validate the data being input, and your search function should allow you to find and toll the record retention timeframe associated with data that is part of a legal or investigation process.
Lastly, collaboration tools are starting to be used to communicate with parties external to the enterprise. While this use is not as ubiquitous as email, collaboration tools do support these external communications and the demand for its use is increasing daily! Enterprises need to evaluate these communications and implement the same level of cybersecurity controls used in email.
BN: What are the most common mistakes employees make in terms of the data they share on collaboration platforms?
BM: Employees want to do their jobs and will use whatever technology is available regardless of how the technology was intended to be used. Companies processing credit card data, health data, financial data, or even confidential data associated with a merger, investigation, or legal guidance, can find this data making its way onto collaboration platforms via employee use.
Employees make mistakes in mishandling PII data when sharing documents over the collaboration platform. Front-line employees are simply trying to support their customers and need an easy-to-use alternative that is available. For example, employees are using the collaboration platform as a sticky note during a customer call to record health information in lieu of writing it on paper when working at home.
To identify the type of data employees are inputting into the collaboration platform, companies should implement internal data detection tools or look to their existing DLP tool. Simply telling employees not to do something without 1) validating it, and 2) leveraging the information to identify tools the enterprise needs, is ineffective.
BN: What safety tips would you give to employees who regularly use collaboration platforms?
BM: Enterprises typically have several collaboration tools, so the first thing an employee needs to do is to understand the purpose for a particular collaboration and the type of data you can input into that collaboration tool. For example, if credit card data is not supposed to be input into Slack, then do not use it for business activities associated with credit cards. Do demand technology teams provide you a tool where you can do your job.
Second, if you're connecting with external persons via your collaboration tool, then you need to leverage all the email training you have received. You also need to have those external communication groups/channels identified with a different color to remind you they are external. In the same way that you don't just click on email links or attachments that look suspicious, you should use the same precaution with Slack or Teams messages. Just because it's coming from a co-worker or someone in the department or company, it doesn't mean it's safe to open when communications include external parties.
BN: With the massive increase in remote and hybrid working over the last couple of years, how are IT teams able to effectively protect the deluge of sensitive information now being shared on collaboration platforms daily?
BM: Conversational platforms are a boon to business productivity and because of this they have resulted in a tremendous amount of unstructured data and inconsistent guidance to employees on how to use the several collaboration tools the enterprise has implemented, all while email is still being used by its leaders. These tools constitute a much broader and more complex set of data types than most IT departments ever anticipated having to manage.
Firstly, IT teams should make it a point to learn how and why employees use the collaboration platform so they can better understand what types of sensitive information are being shared across collaboration platforms daily. This is critical to the continuous adoption and use of the tool as well as supporting employees in doing their jobs.
IT teams and risk teams -- yes, they should be partnering to address risk and increase utilization of the collaboration tools -- should develop clear guidance as to how collaboration tools should be used, the type of data that can or cannot be input, and then implement internal data detection tools to validate compliance with the communicated policies. Whether using an existing DLP tool or a new product designed for collaboration tools, it's important to ensure the DLP is calibrated to work with the unique nature of this data set.
Once the type of data has been identified, take these two steps:
- Determine if the platform has the identified controls associated with the data already available or on their immediate roadmap. This is important so that appropriate risk decisions can be made.
- Determine why the data is in the tool in the first place since there might be a business need that is not being met, which is almost as important as the first step.
If the company uses a data control tool to identify and delete or even prevent the usage of the collaboration tool due to a particular data type with no approved alternative provided, then human behavior kicks in and the employee will likely use another unapproved tool or do something else like record the info on a sticky note.
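The detection step described in the two answers above (validate what employees actually post, then decide per channel whether to allow it or block and notify), as an added example that is not part of the interview and not Aware's or any vendor's product code: a minimal scanner over constructed Slack-style messages that finds Luhn-valid card numbers, masks them before logging, and applies a constructed per-channel policy. The channel names, users, message texts and the policy table are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Candidate 13-19 digit runs, allowing spaces or dashes between groups.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters ticket numbers and IDs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the DLP log itself does not leak the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    channel: str
    user: str
    kind: str
    masked: str
    action: str


# Constructed policy (assumption): only this channel may carry card data.
POLICY = {"payments-ops": {"PAN"}}


def scan_message(msg: dict) -> list:
    findings = []
    for m in PAN_RE.finditer(msg["text"]):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        allowed = "PAN" in POLICY.get(msg["channel"], set())
        findings.append(Finding(msg["channel"], msg["user"], "PAN", mask(digits),
                                "allow" if allowed else "block-and-notify"))
    return findings


def scan(messages: list) -> list:
    return [f for msg in messages for f in scan_message(msg)]


# Constructed sample messages; card numbers are public test numbers, not real accounts.
SAMPLE = [
    {"channel": "support", "user": "alice", "text": "cust card 4111 1111 1111 1111 exp 12/26, pls refund"},
    {"channel": "support", "user": "bob", "text": "ticket 1234567890123 escalated"},
    {"channel": "payments-ops", "user": "carol", "text": "chargeback on 5500000000000004"},
]
```

Run `scan(SAMPLE)` to see one finding blocked in the support channel and one allowed in the approved channel, while the Luhn-failing ticket number produces no finding.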
BN: Are some collaboration platforms more secure? Does it ultimately come down to the end users and what they share?
BM: All modern collaboration tools are going to meet minimum security requirements. The question for each enterprise is whether there is sufficient granularity of controls either now or on the product provider's roadmap correlated to the data permitted to be entered into the collaboration tool. More importantly, regardless of the tool used, the enterprise must understand how its employees will use the tool, develop the necessary policies, manage the data created rationally, while allowing for employee adoption, and have mechanisms to allow for quick identification and investigation for legal or regulatory matters.
Image Credit: Tischenko Irina / Shutterstock