By Dr. Steve Marsh, Vice President of Product for Nucleus Cyber
Enterprise collaboration is changing rapidly. Driven by the Cloud and how we share information in our personal lives, social collaboration tools have made their way into the workplace. Where email was once king, we now have 1:1 and group chats, single click file sharing and the ability to seamlessly move between a chat, VoIP call and video group chat.
Just how pervasive are modern collaboration tools? Seventy-two percent of companies surveyed by McKinsey Global Institute are using social technologies to facilitate employee communication, knowledge sharing, and productivity. Microsoft, for example, touts Teams (its social collaboration tool), as the fastest growing business app in the company’s history.
These technologies have quickly become the cornerstone of modern collaboration making it easy for employees to interact with information, and each other, from anywhere in the world. However, they also reinforce old challenges, while presenting new ones that organizations must quickly address to avoid security compromise. For example:
- There’s a continued lack of visibility into where sensitive information lives within the enterprise and what is being done with it. A staggering 60% of organizations admit half of their data is dark, meaning they don’t know how to find or use it; or don’t know it exists, at all.
- Much like personal social tools, employees tend to be very open with what they share with a broader audience. According to a study, employee collaboration messages are 144% more likely to contain confidential information, 165% more likely to contain identification numbers and 6% more likely to contain passwords.
- The exposure of information to unauthorized audiences, and even the public, due to the misconfiguration of sharing settings is a pervasive issue. Marquee companies, including Apple, Box and Discovery Network exposed their sensitive corporate and customer data due to the incorrect use of public sharing links.
These changing collaboration paradigms, as well as existing and emerging challenges, underscore the need to adapt data-centric security strategies to protect assets from threats.
Sensitive data is more than what’s regulated
The data leaks that hit the headlines typically involve standard sensitive data types such as personally identifiable information (PII), protected healthcare information (PHI) or financial data (e.g. credit card numbers). However, after your employees, your organization’s information is your most valuable asset.
Sensitive data also includes information that is confidential or critical to the business, and would be damaging if leaked: IP, board documents, M&A documents, HR files, supplier information, etc. With that definition in mind, we can’t just leave concerns about data protection to the compliance department.
New data governance challenges
IT has struggled with knowing where sensitive business data resides within the enterprise. That challenge is getting worse with the rise of enterprise social tools that create new channels and “places of residence” for sensitive information to live.
Previously, IT attempted to define locations to store sensitive data, but the inherent nature of collaboration tools makes that approach archaic because users want to control how and where they share information with their team. They do not want to go to different data locations or use multiple tools to collaborate on multiple types of content. Everything must be at a user’s fingertips to maximize productivity and ensure adoption. As a result, our business data is now in an almost constant state of motion between users, devices and physical locations thanks to an increasingly mobile workforce.
Consequently, there are vast numbers of new data silos being created by collaboration tools that often have little, if any, insight or protections for sensitive data. Couple that with social technologies bringing chat, voice, video, and files together in one tool, sensitive data is no longer contained in files alone: it exists, literally, everywhere.
A false sense of security
When used properly, social collaboration tools improve teamwork, empower better decision making and increase productivity. An open dialogue of new ideas, best practices, and lessons learned are more valuable when sharing them across a wide audience, rather than staying locked within siloed email threads.
That same wave of positive community engagement does have a downside: the threat of being too open and unfiltered. Users can be lulled into a false sense of security when sharing information within a company chat or using a sharing link. They wrongly assume their company has anticipated all possible security issues when sanctioning a tool that employees are asked to use.
Or, consider basic user errors, like the addition of the wrong person with a similar name as the intended recipient, losing track of who’s in the chat group or replying to the wrong chat thread (we’ve all been there). Not to mention the risks of someone intentionally trying to expand a chat that is intended to be restricted to just a handful of colleagues.
While the ability to quickly share a file and comment or directly collaborate on it with colleagues is infinitely better than the version control nightmare of passing email attachments back and forth, the danger is the nature of sharing the link. In the aforementioned headline-making breaches, users at over 90 companies shared files, and in some cases an entire cloud storage folder, with a link that was open to the entire public internet.
Whether intentional or not, collaboration freedoms come with inherent risks that require methodical management beyond just user training.
Data is also the key to securing collaboration
Organizations must accept some fundamental data truths in order to truly protect it in the modern workplace:
- Data and users are almost constantly in motion.
- Silos of data and users are numerous and almost constantly changing.
- The silos and users now span organizational and geographical boundaries.
- Data is shared at the speed of light.
Collaboration solutions themselves are not completely failing to protect your data, they are just not adequately meeting the requirements for fully protecting sensitive content. As companies have moved to strengthen identity and access security with multi-factor authentication instead of just usernames and passwords, the same approach should be taken for securing sensitive content in social collaboration tools.
Ironically, the solution lies within the data. By applying data-centric protection to the content itself you can greatly mitigate the risks. Modern DLP, Rights Management, CASB and solutions that enable conditional access to sensitive content provide the level of protection needed to properly secure collaboration. If you’re using collaboration tools and not currently using (or even considering) these types of solutions, chances are the integrity of your data has already been compromised.
When considering these categories of solutions be aware that not all of them have been created equally. Several still apply protection based on the location or container with only a partial acknowledgment of the nature of the content and very little consideration of the user context.
Be wary of the marketing messages that make them sound like they are applying data-centric principles and still rely on (or have merely altered) location-based security practices. They also must provide proactive protection as opposed to only reactive remediation. A small leak can quickly turn into a flood of information with social collaboration. It may be too late to limit the damage by relying on detection and remediation alone.
The benefits of collaboration tools far outweigh the risks. Applying a belt and suspenders approach with proactive data-centric security ensures your organization can avoid common mishaps and fully reap the rewards of secure collaboration.
About the Author
Steve Marsh is the Vice President of Product at Nucleus Cyber and brings more than 20 years of product experience to Nucleus Cyber from Microsoft, Metalogix, start-ups, and academia. He drives product management and product marketing to deliver first-class customer experiences, strategic product roadmaps and key go to market messaging. Steve holds a Ph.D. in Microelectronics and Materials Physics and lives in the Pacific Northwest with his family.