In 2020, I was a panelist at a virtual conference, and boom – the platform we were using was hijacked and went on to show unsolicited and inappropriate content. I had to exit the call as soon as I could.
2020 was a unique year and most of us couldn’t wait to call an end to it for so many reasons, including the increased trends in cyberattacks – some of which targeted collaboration tools such as in the example I noted above. Attacks on specific collaboration tools (Slack, Microsoft Teams, Zoom, Google Hangouts, Fuze, Lifesize Video Conferencing, Skype, etc.) that trended back then included ugly incidents of cyber-hate, social-political friction, digital racism, etc. Media accounts mostly showed the hijacking of online classes, meetings, conferences and the overall sharp increase in usage.
Among the above-mentioned tools, Microsoft Teams and Zoom were two of the only collaboration apps to make the list of the top 50 apps mentioned on social media during the pandemic in France. And according to a survey conducted by the CIO Association of India with 235+ respondents, 88 percent of companies used Microsoft Teams, while 76 percent of users were on Zoom. The report showed that Microsoft Teams was downloaded most in the United States.
Even though 88 percent of Microsoft Teams users in the Microsoft Total Economic Impact study said that having all their applications for work in the same place saves time, black-hat hackers are turning this into a nightmare. The auditor in me starts to ask questions:
- Do vendors have access to information shared both verbally and in chats?
- Do collaboration tools contracts have non-disclosure agreements? (confidentiality)
- What do the contracts say about privacy compliance? Are there privacy-enhancing tools embedded in collaborative tools? (compliance)
- Are all collaboration tools cloud-secure?
- Are collaboration tools privacy-ready? (Privacy-by-design)
- Who should we care anyway – the vendor or user? (Responsibility & Accountability)
Oftentimes, we look at service providers as if they perform magic. Yet, they are also organizations with employees like anyone else’s, whose employees’ accounts can be compromised by hackers. We tend to think as outsourcing companies that our employees know about the trends in the cybersecurity landscape, while the majority rely on internal security awareness programs – some of which are not robust.
In this regard, we can consider the following:
- Caution should be taken seriously before assuming that security and privacy are fully guaranteed from the service provider when it comes to data security and data privacy. Both the vendor and the outsourcing company need joint efforts.
- Users should be on alert since black-hat hackers can easily slip malicious .exe executable files into conversations on one of the collaboration apps.
- Cybersecurity teams should train users to be more conscious and double-check an inbox from collaboration apps like Teams instead of assuming that they know who the sender is, just the same way users have been trained to notice a phishing email briefly.
- Information system auditors should include an audit of collaborative tools on their scope while testing controls during their audit engagements or add collaborative tool reviews in their audit plans.
- Vendors should review their security policies, privacy notices and business continuity policies to ensure that they are addressing new risks with new controls.
- GRC professionals conducting a risk-based audit should be keen on testing controls around new technologies, communication channels, and remote work platforms.
While enterprise collaboration tools bring convenience to the evolving work landscape, convenience needs principles, too.