Devin is CEO of collaboration security and compliance startup Theta Lake, and a patent-holding, multi-time founder and public company exec.
While most industries were steadily headed toward more virtual collaboration, no one was ready for the abrupt speed and scale of a global digital workplace adoption spurred on by a pandemic. Nor was anyone prepared for the risks.
As major corporations announce extended or permanent work-from-home policies, it is also clear the current collaboration-first environment will be part of the ongoing reality of information sharing and communication for organizations. In fact, the new workplace is really inside of the collaboration and communication platforms being used, and the risks are now inside these tools too.
There have been abundant articles addressing tactical measures to resolve recent security challenges from Zoom-bombing to over-sharing sensitive information onscreen, but given that the virtual workplace will remain in some form indefinitely, organizations need a long-term strategy to understand and manage these new risks.
Understanding New Sources Of Risk
New challenges and liabilities in the digital workplace can fall into three main categories. These categories are not new, but the ways the risk manifests are.
The widespread use of collaboration and communication tools has resulted in risks to and within the tools. The aforementioned Zoom-bombing and meeting hijackings are examples of security risks to communication platforms themselves. While each platform offers security controls to mitigate these risks and manage the meeting environment, security incidents that do happen may not be readily visible to organizations unless users self-report them. And the reality of pervasive multi-platform usage means it is hard for companies to have centralized visibility, alerting and remediation for security and privacy settings across multiple unique collaboration systems.
Security vendors have built entire businesses on securing networks, endpoints and email. However, there is little visibility — much less protection — for security incidents that happen within collaboration and communication tools.
For example, the same malicious document or link that would have been stopped by the firewall goes undetected when shared directly by and with co-workers, customers and partners in a chat, video or even audio session. Chat threads are particularly tough because conversations are saved and searchable: URLs to compromised or risky sites are often not detected and persist after users share them in that collaboration session.
Data Leak Risks
I have previously discussed in detail how easily sensitive information can get exposed through cameras, chat, whiteboards and other applications, but the breadth of this risk bears highlighting again. Traditional mediums like email have restrictions on the file size or format (e.g., no executables as attachments) of information that gets shared. With collaboration tools and the low cost of cloud storage, there is virtually no size, format or time limitation when sensitive information gets exposed. Aside from the threat of what sensitive information gets shown, shared, spoken or typed in a meeting itself, someone else getting access to some or all of that meeting later is an ongoing risk. An entire hour-long “private” meeting can be wholly or partially captured by any participant. Claiming ignorance of sensitive data leaks may no longer reduce corporate liability, as it is easy for any party to a meeting to publicly produce proof.
Legal And HR Risks
Remote work with blurred distinctions between business and personal environments also raises legal and HR risks concerning abusive behavior, misconduct and harassment. Offensive content that’s visible on camera or inappropriate behavior in meetings and chats can be easily recorded, saved or shared.
The new workplace contained within collaboration tools ironically makes it easier for users to share offensive content, whether inadvertently or maliciously, while making it harder for HR teams to be aware of what is going on. Similarly, it is easy for users to record proof of misconduct while organizations themselves have little visibility into these events.
Organizations can face additional legal risk and reputational damage if these incidents are shared publicly or sensitive information is mishandled. Even if recordings of these incidents are not admissible in court, they are always admissible in the court of public opinion. From a business standpoint, it is much safer to be aware of incidents and respond proactively than to be caught off guard by a social media mention.
Strategies To Mitigate Modern Risk
Dealing with risks stemming from collaboration and communication tools presents unconventional challenges. Unlike more traditional single-system tools such as email, some organizations use multiple collaboration and communication tools, meaning they have a broader surface area for risk. Creating the right infrastructure to manage these risks effectively means investing in a combination of policies, training and technology.
First and foremost, organizations must establish a comprehensive and well-communicated policy on the three areas of risk mentioned above. This ensures all employees are aware of all sources of risk. Businesses should also be transparent with implemented procedures, making sure employees know how they will be monitored when using collaboration tools — even outside the physical office. Organizations should follow up policies with training using realistic scenarios, especially as not all risky situations are familiar to users.
Policies and training are standard, but businesses cannot gain the visibility and enforcement required to prevent risks without adopting a new technology stack with the capability to integrate with and monitor these new collaboration tools. Organizations cannot expect to use what worked in traditional physical offices and networks to work in today’s remote or virtual workplaces. Look for technologies that integrate with the video, voice and chat collaboration tools you use. A few examples of companies that offer these security technologies and features include my company, Cisco (through Webex Teams) and Microsoft (through Teams).
Enterprises have rightly invested in strong security and compliance technology to protect their infrastructure, endpoints and assets in the traditional office. With the remote workforce shift, it is time to focus on investing in appropriate policies and technologies to secure the collaboration-based workplace.