Devin is CEO of collaboration security and compliance startup Theta Lake, and a patent-holding multi-time founder and public company exec.
Collaboration and videoconferencing tools, whose adoption accelerated in the 2010s with the rise of cloud computing, rapidly became business necessities as Covid-19 forced organizations into an abrupt transition to a distributed, digital workplace. This digital workplace largely revolves around the widespread adoption of team messaging, collaboration and videoconferencing technologies.
However, even many organizations that are well into their digital transformation journey have not updated security practices or technologies to account for new risks in workplaces dominated by information-sharing in collaboration tools.
A Shift In Risk
Traditional compliance tools focus on monitoring legacy text-heavy electronic communication formats, namely emails and documents. Yet modern collaboration has shifted to voice, video and image-heavy channels in which showing data and sharing documents is even easier than attaching one to an email.
Consider the shift in risk for a typical virtual meeting. Attendees join with cameras on, screen-shares ensure everyone is on the same page, whiteboards are used to brainstorm and cloud-based apps are simply shared in the browser onscreen. During the meeting, attendees send messages and files with the built-in chat feature, continuing conversations on a dedicated chat application like Slack afterward.
Within this single scenario, there are at least five instances in which sensitive information can be exposed:
• Cameras: Any time a camera is on, any visible information can be a possible compliance violation. Holding up an unpublished prospectus, showing account information on-camera or even client names seen in the background all expose sensitive information.
• Whiteboards: Whether physical or virtual within a collaboration application, information on whiteboards typically should not be broadly shared. In a virtual meeting, it is impossible to prevent a remote attendee from taking a screenshot of the whiteboard and later sharing that information with others.
• Screen-shares: Like cameras and whiteboards, it is easy to share sensitive information on screen-shares unintentionally or deliberately. Imagine an employee screen-sharing an account list with a competitor to purposely avoid an email trail or sharing a cloud-based HR app, or an unwitting employee sharing their desktop with a Salesforce browser open. All scenarios can result in information leaks that can be difficult to detect, even if the meeting was recorded.
• Chat: Because chat is a relatively informal communication channel, users rarely think of compliance consequences when sharing information there. Yet as a communication channel with persistent exposure on an asynchronous timeline, chat presents a particularly risky situation: anything, including files and images shared in chat, stays accessible unless deliberately removed.
What’s worse is that, given the broad set of members in chat groups and channels, information is often shared with unintended recipients.
• Meshed context: Human communication is complex and multifaceted. The meaning behind the spoken words, “Don’t share this with others,” changes substantially when a sensitive document is shown and accompanied by a wink at the same time. Without context and an understanding of the intent of a message across what is spoken, shared, shown and typed, it is nearly impossible to build an accurate risk profile of the situation, leading to either missed violations or false positives.
Best Practices For Reducing Risk
Given that the new normal of a workplace largely exists within communication and collaboration applications, how can organizations quickly reduce exposure to these novel risks?
The answer is not to shy away from technologies or to limit application capabilities. These communication tools are competitive advantages, if not necessities, in the current environment.
Rather, businesses should embrace these collaboration technologies and establish a combination of new processes and security stacks to reduce risk with the following three best practices.
• Establish new business procedures and provide employee training. While users may understand how to operate collaboration tools, do not assume that everyone understands how information can be exposed or its associated risks. Employee policies and training should be revamped for the new workplace inside of collaboration tools. That needs to include conduct policies and risk awareness training along with functionality training.
Most employees want to help, but they must be provided with clear rules on how to do their jobs securely inside of collaboration tools. This may mean processes need to be updated or explicitly clarified. Awareness and transparency also go a long way; letting users know their actions are being monitored and even recorded often helps with behavior modification.
• Adopt new security and compliance technology stacks. Legacy compliance and data leak protection (DLP) tools do not have the capabilities to adequately monitor or alert on risks arising from within new collaboration and communication methods. Security and compliance stacks need to be refreshed to address these gaps.
Solutions capable of detecting and surfacing risk in image, file, voice and video-based communication are a must. The technology should also minimize friction for administrators and end users. Ease-of-use capabilities for admins such as built-in policies and automated workflows streamline review processes, while seamless integration with common collaboration tools reduces business disruptions for end users.
• Leverage artificial intelligence to assist human experts. Capturing and accurately detecting risks with machine learning (ML) and natural language processing (NLP) is only part of the solution. A fast review and response process can reduce risks and prevent future exposures. Using ML and NLP to power an artificial intelligence (AI) review space greatly speeds up this process.
Manual reviews of video for security and compliance risks take nearly three times as long as the video’s duration, and that is without the added time to respond. AI-assisted compliance solutions can reduce hours-long reviews to minutes by automatically surfacing exact times and locations of potential risks in video and audio recordings.
As investment in media-rich collaboration tools continues, businesses need to be aware of the shift in risks this entails. Sensitive information can now be exposed in ways legacy compliance tools cannot adequately monitor, creating substantial security and compliance risks. By adopting new processes and tools, organizations can proactively reduce these risks while enjoying the advantages that modern collaboration platforms offer.