Over the course of reading this article, you’ll probably get five resonant pings from your phone informing you of a Slack or Microsoft Teams message, a couple of emails, an upcoming Zoom or WebEx meeting, and a Box or OneDrive file someone shared with you. And while it’s wondrous what many of us have been able to accomplish while sitting at home with the help of these technologies, businesses are discovering that every resonant ping brings with it a potential for harm.
Data from 2018 found that the average company used 1,181 cloud services and that “the vast majority of those services weren’t completely enterprise-ready” from a security point of view. This is the tricky balance between productivity and security that most organizations have to strike. Employees access enterprise-approved and third-party apps, resulting in faster and more efficient business processes. But this easy access and collaboration has created a threat surface where cloud productivity applications — and the people using them — are vulnerable.
In this article, we’ll look at prominent security risks posed by the collaboration sprawl businesses face today and outline recommendations for organizations looking to protect their people and data in today’s age of cloud-driven remote work.
The Human Layer Challenge
As organizations continue bolstering their security defenses, no amount of upskilling or rejigging has been able to account for two persistent truths: 1) Humans are busy, and 2) humans (understandably) make mistakes. These innate parts of our nature mean that cybercriminals can always hope for compromise and that sending sensitive data to the wrong person is just a slippy finger away.
• Targeted attacks: Phishing attacks are well known in the email world, but other collaboration applications have quickly entered the adversaries’ crosshairs as vectors for inbound and lateral attacks. A digitally connected workplace usually has shared communication channels with vendors, partners and customers, increasing the likelihood of compromise if an external (but trusted) account gets taken over by attackers. File-sharing applications have been used to host malicious content in phishing flows. Attackers have also started tricking users into giving fake applications permissions to their account data, a practice known as “consent phishing.”
• Data loss: The danger of losing sensitive or confidential data to the wrong people — even accidentally — has long been fluttering around the edges of the industry’s consciousness. But with regulations such as GDPR and CCPA now rightly in full effect, compliance is not optional anymore. Even unintentional data violations can result in fines if it’s determined that the offending organization did not provide reasonable data security measures to protect its customers’ personal information.
Securing the Communication Sprawl
As organizations realign their priorities in the face of digital and decentralized work, investing in processes and technologies that are purpose-built to protect the human layer should be a priority. Here are a few things to keep in mind:
• Take a use case-led approach to protection: Facing the true extent of protection required can be overwhelming, but there’s no need to execute everything in one fell swoop. Build a reasonably fleshed-out list of use cases that outline exact needs, both now and in the expected future (e.g., data visibility and threat protection now, and data loss prevention in the future). Checking every potential security investment or process overhaul against these use cases will help organizations stay disciplined while also allowing for wiggle room if priorities change.
• Strike a balance between integrated and third-party approaches: Integrated DLP measures are natively included in some collaboration applications and provide good initial visibility into how users interact with sensitive data. However, this visibility is often limited to their native applications, failing to take lateral movement of data into account. Integrated security for collaboration apps also doesn’t provide mature threat protection (e.g., someone sharing a zero-day phishing link on a cloud-hosted file or over a shared messaging channel). Organizations should invest in third-party solutions that augment — and don’t duplicate — native security measures.
• Empower end users to be part of threat and data decisions: Relaying every security alert and data loss violation directly to the security team leads to burnout and anxiety, culminating in alert fatigue — a term that’s, sadly, synonymous with cybersecurity today. To protect the human layer without overwhelming the security team, hand off some protection responsibilities to end users. Warning banners on suspicious emails with multiple calls to action can enable end users to reduce the security team’s triage effort while also being more informed about unsimulated real-life threats in the process.
Looking at it through a data lens, end users should have to explicitly confirm whenever they share sensitive data (e.g., social security numbers, bank account details) with unauthorized recipients to reduce the number of alerts. To protect confidential data (e.g., pre-IPO documents, industry blueprints), business teams should be included in some, if not all aspects of setting up, governing and enforcing access to that data.
• Keep an eye out for different protection approaches: Security vendors have historically geared their development cycles to protect systems, physical infrastructure and data isolated from context. So while organizations might think their current security stack is enough, they should regularly examine the vendor landscape for products that are purpose-built to be more “empathetic” to how users behave, communicate with each other and use data.
For instance, advances in computer vision have made it possible to flag zero-day credential phishing attacks resembling login pages of popular brands. Natural language understanding models such as GPT-3 have enabled security products to reason with text like humans would, providing security teams with effective AI that stops socially engineered attacks across communication channels.
Conclusion
As the modern workplace gets more digital and distributed, attackers are achieving compromise by exploiting human trust or by exploiting business applications that are critical to every employee’s work. Organizations should protect the human layer by defining clear use cases, utilizing both integrated and third-party security controls, bringing every employee into the process and being on the lookout for different protection approaches.