Security in Slack and Microsoft Teams: Collaboration Vs Risks
Over the past several months, two topics I have often seen discussed in the nonprofit cyber security space are incident response preparedness and data security in collaboration platforms such as Slack and Microsoft Teams. The two topics are closely related.
The bottom line is that staff use of collaboration platforms can often far outpace the ability of the organization to keep those platforms secure—because the very features that make platform user adoption and information sharing so easy also increase the likelihood of a cyber security incident.
- Do you use Slack or Microsoft Teams? Are you considering using these platforms?
- Does your nonprofit’s data security policy cover use of collaboration platforms?
- Have you had a security breach within one of these popular platforms?
- Have you assessed the risk of a security lapse against the benefits of an easy-to-use collaboration tool?
Prevalence of Data Security Violations in Collaboration Platforms
Collaboration platforms like Slack and MS Teams have taken business culture by storm. One reason for this is the fluidity of communication within those collaboration spaces. These platforms enable very free-wheeling collaboration and content sharing, which can shake up hierarchical companies in positive, disruptive, and entrepreneurial ways.
However, this fluidity is in part enabled by a lack of enforced data security and privacy policies, creating a sort of information-sharing Wild West. Studies have shown that 1 in 4 employees admit to knowingly violating IT data security policies for the sake of being able to perform their work more easily/fluidly.
Of late, these violations have increasingly taken the form of sharing sensitive corporate and customer data (including Personally Identifiable Information, or PII) through collaboration platforms.
The Focus Isn’t So Much on Baseline Cloud Data Security Standards…
Both Slack and Microsoft claim that all data is encrypted both in transit and at rest. Microsoft has been more transparent in describing its security architecture in full, giving greater confidence in its assertions. And both have options such as multi-factor authentication to help secure the login process. (However, lax identity management practices can still scuttle the ship, as they could with any system.) For all but organizations with the most stringent data security policies, Slack and Teams will be seen to be roughly on par—at least on the surface.
…But Rather on Data Leakage
Data security analysts are mainly focused on “data leakage” in collaborative platforms, meaning data that is shared inappropriately either internally or externally. This data leakage can happen “manually,” either deliberately (e.g., to circumvent policy for the sake of convenience) or accidentally (such as sharing “internal only” information in a channel without realizing a third party was a member of that channel). It can also happen “automatically,” such as when a user grants data access to one of the hundreds of integrated third-party apps without realizing exactly what data is being transacted and how it is being stored by the third party.
An Ounce of Prevention Is Worth a Pound of Cure
It goes without saying that written policies and end-user security awareness and training are major remedies. But what about policy enforcement?
Of the two major collaboration platforms, Microsoft has gone much farther in securing its platform with data audit/discovery, retention, and data loss prevention (DLP) administrative tools. The DLP tools are designed in large part to combat data leakage by allowing admins to create rules that identify and prevent the sharing of sensitive information (such as credit card numbers, social security numbers, and any other information that meets a certain pattern or uses certain words). These DLP policies are applicable to (and can be synced across) Teams, Exchange (including Outlook on the web and desktop), SharePoint, OneDrive for Business, and Office desktop applications (Word, PowerPoint, and Excel). Basic DLP is included at many license levels, but an E5 or add-on license is required to take advantage of advanced enterprise features.
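To make the idea of a pattern-based DLP rule concrete, here is an added Python example (not Microsoft's implementation and not code from this article) that scans a chat message for credit card numbers, US social security numbers, and policy keywords, then redacts what it finds. The regular expressions, the keyword list, the rule names, and the sample messages are assumptions constructed for illustration.

```python
import re

# Illustrative rules only; these are NOT Microsoft's built-in sensitive information types.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
KEYWORDS = ("internal only", "confidential")  # hypothetical keyword list


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str):
    """Return (findings, redacted_text) for a single chat message."""
    findings = []
    redacted = text
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        # The checksum keeps ticket numbers and similar IDs from triggering the rule.
        if luhn_ok(digits):
            findings.append("credit_card")
            redacted = redacted.replace(m.group(), "[REDACTED CARD]")
    for m in SSN_RE.finditer(text):
        findings.append("us_ssn")
        redacted = redacted.replace(m.group(), "[REDACTED SSN]")
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append("keyword:" + kw)
    return findings, redacted


# Constructed sample messages (test card number and placeholder SSN, not real data).
SAMPLES = [
    "Donor card is 4111 1111 1111 1111, please charge it",
    "Ticket ref 1234 5678 9012 3456",
    "Her SSN is 123-45-6789 (internal only)",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg))
```

The second sample shows why a checksum matters: a 16-digit ticket reference matches the digit pattern but fails Luhn validation, so it is not flagged.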
When Prevention Fails: Incident Response Preparedness/Planning
In general, the presumption of an incident response plan is that a breach will occur at some point. “Breach” is broadly defined to include an outside-in attack or an inside-out leak. As a part of its structure, the plan indicates the necessary steps to identify the source of the breach.
Security plans for your nonprofit organization need to include the collaboration platforms being used for business—whether by employees or contractors, and whether provided/supported by your organization or not. Otherwise, investigation regarding the source of a data leak will ignore critical and probable points of vulnerability—and these blind spots will prolong the incident response process.