Team Collaboration: Weighing Security Concerns
How do security, privacy, and compliance factor into team collaboration decisions and use?
Team collaboration has been the hot topic in enterprise communications for at least the last couple of years, and we know from our 2018 Team Collaboration Survey that these tools are quickly making their way into the enterprise. In fact, 90% of 160 enterprise IT respondents indicated that employees within their organizations currently use one or more such tools.
As adoption of these apps continues to grow, whether through IT procurement or virally, security moves into the spotlight. Our survey results bear that out, with 84% of respondents ranking the ability to meet corporate security, privacy, and compliance mandates as the top factor for evaluating team collaboration apps, as shown below.
While there's "definitely a money factor," security is critically important at Grand Canyon University, agreed Chris Smith, director of IT at the school. GCU, a Christian university with roughly 19,000 students on its Arizona campus and 75,000 online students, runs a hybrid UC environment comprising Cisco, Microsoft, and Zoom on-premises and cloud tools, and is currently evaluating Cisco Webex Teams and Microsoft Teams for team collaboration.
"Cisco comes to the table with security in mind -- and that's great," Smith said. "Too often security is an elective, so it's a nice consideration that helps the cloud transition go smoother." At the same time, Microsoft is showing with Teams that it's finally gotten the message that security can't be an afterthought, he added.
Digging into Security Features
Good thing, because as Irwin Lazar, vice president and service director at Nemertes Research, shared last month on No Jitter, his firm has found security concerns to be the biggest inhibitor to team collaboration adoption. With team collaboration, "enterprise-grade security" should include, at a minimum, encryption at rest and encryption in motion, Lazar told me in an interview.
In addition, Lazar said, enterprise-grade security features might include things like single sign-on to allow IT to control access to that app for authentication and tracking log-ins; support for industry security certifications like FedRAMP, HIPAA, ISO 27001, and SOX, as well as for privacy regulations like GDPR; and the ability to integrate with a mobile client for mobile device management (MDM).
Whether dealing with more traditional forms of enterprise communications or team collaboration, "organizations don't have a good appreciation of what data they're collecting, where it's sitting, or what they're doing with it -- and that's where problems come up," said Andreas T. Kaltsounis, partner at BakerHostetler, in a recent interview. Earlier this year, BakerHostetler released its 2018 Data Security Incident Response Report, based on the analysis of more than 560 data security incidents that the firm worked on in 2017. Examining this many incidents gives the firm a lot of perspective into the kind of situations that are causing companies to experience data breaches, Kaltsounis said.
"People aren't thinking about how sensitive the data is that's flowing through their email system until they get hacked," Kaltsounis said. "Those same issues apply to the collaboration software. We've seen situations with developers sending back information on projects, passwords, and keys they are using for different things, and then they have to go back and think about what was in there. There are downstream effects."
One particularly valuable insight from the report concerns third parties that supply services, he said. In one example, an email provider was accessed by an attacker, who intercepted an invoice in the email system and attempted to reroute it. Because the email system was also integrated with the IM/presence application, the attacker also gained access to chat and was able to circumvent attempts to authenticate his or her identity.
"If you are only controlling access with user name and password, they can get ahold of those credentials," Kaltsounis said. "It's critical that organizations think about how they're securing remote access to [collaboration] tools" as well as what's being integrated with what, he added.