“Many employees are now working on unprotected home networks and possibly using devices or software that are not IT sanctioned, creating an extra opportunity for cybercriminals to exploit,” says Morten Brøgger, CEO, Wire in an exclusive interview with ITSecurityWire.
ITSWBureau: What are the major security and privacy issues with collaboration platforms for an enterprise?
Morten Brøgger: The scramble to provide solutions for the large spike in remote employees created a boom in business for collaboration platforms. Platforms like Slack, Microsoft Teams, and Zoom rose in popularity as they were a quick fix for maintaining productivity levels amongst dispersed teams through numerous integrations, easy connectivity and centralized tools. Unfortunately, convenience came at a price – the attributes that made these platforms quick and easy, also helped to create many vulnerabilities for cybercriminals to exploit.
A few key security and privacy issues found (just in this year) in collaboration platforms include:
Low barrier of entry to conference calls (e.g., single link click to join)
While this made joining calls easy, it also led to a spate of malicious users gaining access to and disrupting private calls. Platforms have now looked into adding additional basic security features like two-factor authentication and password logins.
Integrations for fun features creating backdoor security weaknesses
A key example of this was discovered in Microsoft Teams, where it was discovered that GIFs could be used to take over an organization’s entire roster of Teams accounts (this has since been patched).
Data privacy violations
More specifically, collaboration platforms were caught secretly collecting, storing and sharing personal user data through APIs.
Lack of essential security protocols and hygiene
Zoom was perhaps the most notable platform that made headlines this year for this. Not only was it missing basic protocols like two-factor authentication and password protection, but it was also found lacking in end-to-end encryption (E2EE), transparency and had questionable encryption key storage methods.
This all points to a greater issue — most current collaboration platforms are not built upon proper security foundations, leading to the constant discovery of security holes during critical moments in time. The onslaught of cyber-attacks has made organizations more aware of the risk and more keen to find properly secure solutions (even going so far as to ban those that fail).
ITSWBureau: How can enterprises enhance the security of their digital assets?
Morten Brøgger: While security and privacy have certainly been top of mind this year, it’s important to note that this is not a new issue. Cybercrime has been such a continuing, rampant problem that it was forecasted to cost global businesses $6 trillion per year (3% of our global GDP) by 2021. This year was particularly trying in terms of securing digital assets because of the massive rapid shift to remote work.
The truth is, remote/mobile employees create a higher level of cyber risk because they operate outside of perimeter-based security (e.g., company firewalls, secure internet access). In fact, many employees are now working on unprotected home networks and possibly using devices or software that are not IT sanctioned, creating an extra opportunity for cybercriminals to exploit.
To better protect the integrity of their digital assets, companies must take a holistic, zero-trust approach to security. A zero-trust approach ensures that anything inside or outside a corporate network (including data, devices, systems, and users) must be verified before gaining access. A truly holistic zero-trust model applies to everything – policies, technologies and human behavior.
Zero-trust policies have no default configurations and require companies to continuously monitor all network communications and all users all the time. This implements comprehensive system permissions and safeguards.
Zero-trust technology implements systems like end-to-end encryption, multi-factor authentication, identity access management, orchestration, analytics, and other system permissions.
Zero-trust behavior utilizes the same “trust nothing”/everything must be verified mindset. Employees that are properly trained will scrutinize everything that comes to them (links, domains, names, or subject lines) and make sure to authenticate every single thing to the best of their ability before engaging.
ITSWBureau: The collaboration platforms enable teams to stay connected, but they are also responsible for a decrease in productivity. What steps can an enterprise take to address this primary concern?
Morten Brøgger: A key weakness of dispersed teams is the absence of efficient in-person communications. Remote employees don’t have the luxury of walking over to their coworker’s desk to get a quick answer to a question or the ability to call an impromptu brainstorm to work through a problem. Instead, all communications – no matter how big or small – are pushed to asynchronous messages, resulting in an avalanche of distracting notifications. In this type of environment, employees can end up feeling isolated and overwhelmed with communication.
To compensate for this, companies can focus on carving out intentional digital spaces for team collaboration. At the macro level, this could mean that managers schedule more regular video team check-ins so that everyone is aligned on priorities, aware of any new changes, and has the opportunity to work through any challenges or questions in real-time.
On a more individual level, companies can encourage employees to set up “office hours” or dedicated blocks of time for collaboration or deep work sessions (where employees turn off notifications to work on longer-term projects).
ITSWBureau: Halting business communications when the network is compromised is a necessity which leads to a significant revenue loss. Is there any way, according to you, businesses can fix this?
Morten Brøgger: Yes – enterprises should ensure that they have a secure collaboration platform that is end-to-end encrypted, independent of your network infrastructure and invitation-only. A crucial (and often overlooked) element of a business continuity plan is the ability to communicate, plan and update teammates on what’s going on. If enterprises fail to provide a secure environment for critical/crisis comms, they can be certain that employees will often find their own ways of talking and sharing information (especially when services like corporate email are unavailable).
Morten Brøgger is the CEO of Wire, an award-winning, enterprise-grade, end-to-end encrypted collaboration platform. Until recently, he was the CEO of Huddle, a content collaboration platform serving large professional services firms as well as the UK and U.S. governments. Morten has 20+ years of experience in the technology industry, as well as extensive go-to-market and SaaS experience spanning both the U.S. and European markets. In the past, Morten took leadership roles at Syniverse, MACH, Sunrise Switzerland, TDC Denmark, and ATEA.