The Unintended Data Security Consequences of Remote Collaboration
Originally published 9th December 2020 in InfoSecurity Magazine.
The benefits that collaboration tools bring are clear, and have become particularly apparent this year amid widespread and involuntary changes to business practices. Lockdowns, first nationally and now regionally, have forced organizations to adopt a level of remote working most had never experienced before.
While many of these changes were initially seen as a temporary way of ensuring business continuity, it has become all too clear that remote working and operational agility will be vital components of business going forward.
Most organizations are now at a stage of introspection; business leaders are taking stock of the many changes undertaken this year and planning the best route forward into a new year that promises as much uncertainty as the last.
For security teams, there are plenty of challenges to consider. While still some way off for many businesses, most security teams will be planning a return to the office and the daunting task of managing thousands of staff bringing unpatched, unprotected machines back to the corporate network.
For others, the more pressing issue is searching for technology solutions that will address the fact that employees have spent months rolling out collaboration tools like Microsoft Teams, Slack, Zoom and OneDrive in a hurry to support remote working.
The new way of working
A recent report from Aternity revealed the shift to remote working has seen a dramatic increase in collaboration application sprawl, with employees adopting numerous collaboration tools for internal, external and ad hoc communications. In most organizations, and particularly larger ones, this is the admirable result of employees taking the initiative to find new ways of working. But whether that’s communicating with team members across different departments or quickly adopting the preferred platforms of various clients, it extends the organization’s threat surface and has the potential to impact data governance in new ways.
For security teams, simply gaining visibility into the sheer volume of these new applications is challenging enough - effectively monitoring, managing and securing these platforms can be far more difficult.
Microsoft Teams has quickly emerged as the clear favourite amongst collaboration tools and has the potential, for most organizations, to replace the need for internal email. Digital collaboration outside of email is a new way of working – indeed it’s the new way of working – but it is not yet clear what the long-term implications of this will be for security. Once this is clear – there are lots of holes. The implications are likely to be significant.
How remote are the risks?
As with any platform used widely in business, bad actors are constantly looking to exploit vulnerabilities in collaboration applications. Earlier this year security researchers from CyberArk revealed that a malicious GIF had the potential to steal Microsoft Teams user data and ultimately take over an entire organization’s roster of Teams accounts. While the vulnerability was patched pretty quickly, it affected every Microsoft Teams version for desktop and web browser. While there is no evidence any bad actors took advantage of the vulnerability, the potential for widespread disruption was clear.
More recently, Abnormal Security researchers highlighted a multi-pronged Microsoft Teams impersonation attack where attackers were impersonating genuine Teams notifications to target employee credentials. With newly registered domains and multiple URL redirects, these attacks demonstrated levels of sophistication far exceeding those seen in standard phishing campaigns.
One of the biggest risks associated with these situations is a lack of awareness and vigilance among employees. With the widespread shift to remote working and rapidly increasing workloads being placed on security teams, there is a real danger associated with letting cybersecurity awareness training lapse.
The greater risk is not matching employee preparedness with the growing risk. Indeed, while the majority of IT leaders now realize they are more vulnerable than ever to phishing attacks, more than a third of people in the UK are not actively concerned about cybersecurity.
What’s more, research suggests the dramatic and widespread move to a reliance on collaboration tools is causing remote working fatigue. Employees are reporting loneliness, the inability to unplug, motivation and a lack of vacation time as key contributors to this.
In virtually every organization, the combination of these fatigue factors with a lack of awareness, understanding, and in many cases apathy towards security will be the primary concern for security teams moving into 2021.
Focus of the data
A renewed focus on training and employee engagement is more important than ever. While application vulnerabilities can and will surface from time to time, the more pressing issue for organizations across the board centers around data governance.
As organizations allow sensitive information to move off premises and into new collaboration platforms, they must ensure that employees are using and securing data properly. With data protection policies now pervasive, from the California Consumer Privacy Act (CCPA) to GDPR, organizations must now more than ever ensure that collaboration content, including chat and files in the platforms, is being shared in accordance with information handling policies.
By design, it’s easy to share data in Microsoft Teams – both inside and outside the organization. Indeed, this has been one of the key factors behind the platform’s rapid adoption, but every Team or chat created is yet another potential exit point for sensitive data. Given the ease of creation, most organizations will see new Teams created every day, while others go dormant. Add to that the requirement to ensure confidential files are not accidentally shared with external guests or other unauthorized Teams users and it can quickly become a recipe for disaster.
While Teams does provide private channels, these are location-based and provide limited technical enforcement of information policies. They also do little to ensure files or messages are not accidentally posted in the wrong place.
Strong data loss prevention (DLP) policies and the application of a cloud access security broker (CASB) will be important tools for any security organization moving into an era of more permanent remote working and collaboration. These will provide both visibility into collaboration tool usage across the organization – on a user, device and activity level – as well as the ability to enforce granular security policies, for example on files or messages containing sensitive or restricted data. This will also extend both visibility and manageability to other third-party collaboration tools such as Dropbox.
Teams, along with many other collaboration tools, is open by its very nature. The inclusion of interoperable ‘App Stores’ in platforms such as Teams means it’s now incredibly easy for users to integrate corporate data resources into any number of third-party cloud-located app and storage platforms, with little to no expertise. This unplanned and unfettered extension of corporate messaging tools into a new cloud ecosystem has happened at pace and, often, without forethought.
As we move into 2021, security teams need to be conducting full cyber risk audits - this is the only way to fully understand the new threat landscape. Beyond this, ensuring basic policies are adhered to remains crucial.
Requiring multi-factor authentication, enforcing least-privilege access across the estate, properly classifying sensitive data and ensuring files cannot be downloaded to unmanaged devices are still important areas that some security organizations may find have slipped in recent months.
More than anything, security teams should be reviewing the tools and business processes that have been put in place this year and rethinking how their organization is approaching security. The key focus should be understanding how employees are using them. This will help ensure any new security policies and protocols are supporting effective collaboration while also mitigating any potential security risks.
The goal should be to standardize security policies across the organization – gaining enhanced visibility that enables you to monitor and control file movement while preventing unauthorized users from accessing sensitive data.