
Digital Guardian's Blog

Best Practices for Organizations to Mitigate Risks in Collaboration Software

by Juliana De Groot on Wednesday November 11, 2020


Many companies are requiring employees to work from home and use collaboration software to communicate. What are the best ways to mitigate risks in collaboration software? We asked 27 experts their best practices.

27 Security Pros Share the Best Practices for Organizations to Mitigate Risks in Collaboration Software

Most companies today, particularly those with geographically distributed teams, use collaboration software to facilitate communication and streamline project planning. While collaboration software is a boon for team productivity, it brings with it some inherent security risks. Discussing sensitive project details on third-party software can increase the risk of data loss, and sending or storing files containing sensitive data in these types of systems means giving up some of your control over your company's most sensitive information.

To help you identify and implement sound practices to reduce the risk of data breaches via third-party software like collaboration software, we reached out to a panel of security experts and asked them to answer this question:

"What are the best practices for organizations to mitigate risks in collaboration software?"


Read on to learn what our experts had to say about the best practices you should be following to mitigate risks in collaboration software.



William Taylor

William Taylor is a Career Development Officer at MintResume.

"The biggest risk with using an online collaboration software is…"

The risk of data leakage, as often such platforms are used to share information between various parties. But, it's possible to mitigate this risk and protect sensitive information by engaging a provider with the ISO 27001 certification. This certification means that the provider's security procedures have been tested to the satisfaction of an internationally accredited third party.

Bottom line: Seek out a provider with the ISO 27001 certification to mitigate data leakage risks.


Igor Mitic

Igor Mitic is the Co-Founder of Fortunly.

"My first advice would be using the paid version of collaboration software whenever possible…"

The free versions often don’t offer backup of files and messages, and sometimes it’s crucial that you can access all the communication history to mitigate any risks.

Also, have the tracking of changes option on Google Docs to enable access to all versions of the document, as well as to the information on who made changes.


Shayne Sherman

@techloriscom

Shayne Sherman is the CEO of TechLoris.

"I've found that one of the best ways to make sure our collaboration software doesn't open us up to risk is to..."

Make sure those using it (my employees) are fully aware of how much we’re logging access to the project files. This not only makes them be more careful out of awareness but also lets them know how important we consider security. We've found that having this in mind makes them less likely to email things they shouldn't or leave a computer unlocked and unattended.

It's also important to make sure the software you use offers multiple levels of access and control. When each collaborator can only access what they need to, the risk is limited to only small portions of the project with each person working on it.


Olga Mykhoparkina

@olmykh

Olga Mykhoparkina is a Chief Marketing Officer at Chanty, a simple AI-powered team chat.

"When accidents happen with collaboration software, in most cases, it’s because of a breached password…"

You can educate your staff about the value of strong passwords for the company and their own security, but this takes too much time. Simply use password management software such as LastPass or 1Password. That way, no employee knows their password, and in case an account does get compromised, you can just restrict their access.


Julie Forsythe

@IglooSoftware

With over 19 years in the IT space, Julie leads the delivery of Igloo Software’s Digital Workplace platform. In her role as Vice President of Technology, Forsythe oversees all of Igloo’s strategic technology deliverables including Product Development, Customer Solution Development, Quality, and Release Operations.

"When employers fail to provide employees with a centralized set of collaboration tools, workers resort to using unsanctioned apps and software…"

The use of “shadow IT” causes sensitive or private information to be shared on unsecured systems, creating major security risks for companies. In a survey of approximately 2,000 individuals, we found that 50% of employees have used an app unapproved by their companies. Of those workers, 55% said they did so because it couldn’t be monitored, and 62% said it was because it was easier to use.

To prevent the use of rogue apps, employers should conduct a thorough audit of all the tools used by their employees. Not only does this help them understand how their workforce likes to collaborate on a daily basis, but it also provides visibility into any vulnerabilities. Once they have a clear understanding of the tools at use, employers should evaluate the effectiveness of the unsanctioned software. Asking questions like, “Is this more efficient?” and, “Is this easier to use?” can help determine if the app is worth integrating into the company’s tech stack. For any newly adopted collaboration tools, employees need to be retrained on how to use them securely to ensure everyone is on the same page and information is being spread safely throughout the organization.


Christopher Gerg

@gwdatarecovery

Christopher Gerg is the Vice President of Cyber Risk Management at Gillware. He is a technical lead with over 15 years of information security experience. Christopher has worked as a Systems Administrator, Network Engineer, Penetration Tester, Information Security Architect, Vice President of Information Technology, Director and Chief Information Security Officer.

"Ultimately, it depends on what data we're talking about… and what happens to it…"

If you will be sharing and collaborating with sensitive or business-critical information using this service, you need to ensure that users are authenticated robustly, they have access to what they need to work but no more, and that the service is appropriately available when it is needed.

Perhaps as important is performing due diligence on the software vendor's protection mechanisms and having responsibilities defined appropriately. If the tool is used to collaborate with data that needs to be kept secure, is it encrypted well when it is stored and transmitted? Does the vendor have a robust information security program? Does the contract outline strong service level agreements and responsibilities for maintaining the confidentiality, integrity, and availability of the data/service?


Antoine Vincent Jebara

@JebaraAntoine

Antoine Vincent Jebara is the Co-Founder & CEO of Myki, a leading password management software for consumers and enterprises. His area of expertise is around Identity & Access Management. Antoine is also known for finding vulnerabilities and phishing techniques in popular software applications.

"The best way to mitigate risks in collaboration software is to…"

  • Ensure that you are using strong and unique passwords. Strong passwords protect you from brute force attacks, and unique passwords protect you by limiting your exposure in case the service gets compromised and prevents collaborators from using the same credentials to access different services.
  • Ensure that you have Two-Factor Authentication enabled on the service in use. 2FA protects you in case the password that you are using gets compromised by adding a secondary time-changing password that needs to be supplied when authenticating after a long period of time, from a new location or on a new device.
  • Ensure that you are using a password manager to have visibility on who has access to the credentials that are being shared.

Apart from that, you need to make sure that you are revoking the access of people when you don't want them to have access to the software anymore (i.e., if they leave the company). You also need to make sure that the access level that they have isn't over their privilege level.


Greg Githens

@GregGithens

Greg Githens is an Executive and Leadership Coach and Author of How to Think Strategically.

"One best practice is to identify specific risk events and then estimate the probability of that risk event should it occur…"

Another best practice is for the highest priority risk events to conduct risk response planning, where you identify specific responses:

  • How do we avoid the risk event?
  • How do we mitigate the risk? (In professional risk management, mitigate means to take active steps to lower the probability of the event or its impact.)
  • How could we transfer the risk to another party? (insurance, contracting)
  • If we accept the risk, what is our contingency plan?
  • If we accept the risk, what are the consequences?


Ilia Sotnikov

@Netwrix

Ilia Sotnikov is an expert in cybersecurity and IT management and VP of Product Management at Netwrix, a vendor of information security and governance software.

"In your own IT infrastructure, each change goes through strict change control, while…"

Collaboration software cannot be fully controlled by your IT security team. This poses risks to an organization’s sensitive data. For example, an employee can accidentally share regulated information in a project and make it available to employees or contractors that should not have access to it.

To reduce data security risks, the IT team should implement information governance workflows for each collaboration software’s project or site where sensitive information is stored. A member of the IT security team (e.g., CISO, CIO, CDO, IT director) should work closely with the project owners to ensure no sensitive data is overexposed.

First, they should discover what data is stored in each project and assess the project’s sensitivity and risk level. Basic questions to be answered are the following:

  • What kind of data is shared in this project?
  • How often is it utilized?
  • How many people have access to this project?
  • Can anybody besides employees access data shared there?

Second, project owners and security team members should conduct regular security assessments to check if only authorized users can access this project to detect privilege sprawl in time, ensure that all data stored there is relevant, and prune out sensitive files no longer needed to be kept there. They may run such assessments quarterly, bi-annually, or annually depending on how critical this project is.

Thus, the collaboration software environment will be better regulated by its owner who has better insights into what data is shared there and why and by a person who has more insights into how to better secure this data.
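The access review described above can be run against a membership export. The following is an added example, not part of the panelist's answer or any vendor's tooling; the export columns, the `corp.example` domain, the employee roster and the thresholds are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import date, timedelta

# Everything below is constructed for illustration: the export columns, the
# domain, the roster and the thresholds are assumptions, not a product format.
CORP_DOMAIN = "corp.example"
ACTIVE_EMPLOYEES = {"alice@corp.example", "bob@corp.example", "dave@corp.example"}
STALE_AFTER = timedelta(days=90)
# Review cadence by criticality: quarterly, bi-annually, annually.
REVIEW_EVERY = {
    "high": timedelta(days=91),
    "medium": timedelta(days=182),
    "low": timedelta(days=365),
}

SAMPLE_EXPORT = """\
project,sensitivity,user,role,last_access,last_review
payroll-2020,high,alice@corp.example,owner,2020-11-02,2020-06-01
payroll-2020,high,bob@corp.example,editor,2020-03-14,2020-06-01
payroll-2020,high,carol@partner.example,viewer,2020-10-30,2020-06-01
payroll-2020,high,erin@corp.example,editor,2020-09-01,2020-06-01
team-lunch,low,alice@corp.example,owner,2020-10-01,2020-01-15
team-lunch,low,dave@corp.example,editor,2020-11-05,2020-01-15
"""


def load_memberships(text):
    """Parse the membership export into rows with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["user"] = row["user"].strip().lower()
        row["last_access"] = date.fromisoformat(row["last_access"])
        row["last_review"] = date.fromisoformat(row["last_review"])
        rows.append(row)
    return rows


def is_internal(user):
    """True when the account sits on the corporate e-mail domain."""
    return user.endswith("@" + CORP_DOMAIN)


def review_projects(rows, today):
    """Answer the review questions per project: what kind of data, how many
    people have access, who is external, who no longer uses it."""
    by_project = defaultdict(list)
    for row in rows:
        by_project[row["project"]].append(row)

    report = {}
    for project, members in by_project.items():
        sensitivity = members[0]["sensitivity"]
        last_review = max(m["last_review"] for m in members)
        report[project] = {
            "sensitivity": sensitivity,
            "members": len(members),
            # Can anybody besides employees access the data?
            "external": sorted(m["user"] for m in members
                               if not is_internal(m["user"])),
            # Corporate accounts missing from the roster: access never revoked.
            "departed": sorted(m["user"] for m in members
                               if is_internal(m["user"])
                               and m["user"] not in ACTIVE_EMPLOYEES),
            # Privilege sprawl: access that has not been used recently.
            "stale": sorted(m["user"] for m in members
                            if today - m["last_access"] > STALE_AFTER),
            "review_overdue": today > last_review + REVIEW_EVERY[sensitivity],
        }
    return report


if __name__ == "__main__":
    findings = review_projects(load_memberships(SAMPLE_EXPORT), date(2020, 11, 11))
    for name, result in findings.items():
        print(name, result)
```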


Kara Longo Korte

@TetraVX

Kara is the Director of Product Management at TetraVX. With over 20 years of experience in the technology industry, she is passionate about the role technology plays in communication and collaboration in the workforce and sees Unified Communications as a Service (UCaaS) as the perfect way to connect the ever-changing workplace.

"We need to collaborate, it’s just that simple…"

We collaborate with others in our day-to-day lives with the aid of technology, and we expect the same in our workplace. The need for collaboration is so great that if an organization doesn’t offer a solution, employees will find other ways to collaborate.

Historically, some of the apprehension to providing corporate collaboration solutions has been due in part to concerns over security risks. However, the risk an organization runs without offering a solution that they administer, monitor, and configure is that uncontrolled collaboration makes their entire organization vulnerable – much worse than offering a solution and doing proper planning to ensure minimal risk.

While some organizations may have overlooked risks with an “everybody else is doing it” attitude, those that lagged in adopting collaboration solutions have benefitted, as collaboration solutions now offer more security measures than ever before. As a result, there are a variety of solutions that offer safe ways for employees to collaborate.

Different collaboration platforms offer different security measures, just as different organizations have different security needs. As a result, it is imperative for an organization to find a partner that will understand their unique needs and help identify a solution (both the application and the associated policies and procedures) to ensure their organization’s collaboration needs are met in a secure manner.

At the end of the day, no matter how many safeguards are put in place, there will always be a risk, but it is incumbent on organizations to offer employees the tools they need to do their jobs and ensure they are doing their jobs in a reasonably secure manner to ensure it doesn’t make their organization vulnerable.


Bryan Osima

@uvietech

Bryan Osima is the CEO of Uvietech Software Solutions Inc.

"Some quick tips for mitigating risks in collaboration software are…"

  • Make sure that access to the system always requires authentication with administrator-provided login credentials.
  • Ensure that all users of the system utilize the strongest possible passwords and make sure passwords have extra hashing algorithms to harden them.
  • Make sure every user who is set up to access the system is given the minimum privileges and access levels they need and that any attempts to access unauthorized content or resources are immediately flagged.
  • Make sure the software system that is chosen can encrypt all communications across the network. This is especially necessary for cloud-based solutions.
  • Provide constant and regular training for all staff and users of your system for newly discovered threats and patterns of security threats so users are aware of the risks that exist while using the system and simple actions they can take. Train your employees on things they can watch out for to reduce the chances of exposing holes in your system and making it vulnerable to a security breach.


Huib Maat

@pairfum

Huib Maat is the in-house perfumer at PAIRFUM. His passion for perfume, beauty, and all things natural are the beliefs upon which PAIRFUM rests.

"One risk we came across was the blurring of the line between private and business life because of…"

People using their personal devices for both private and business life, and the use of private social media accounts and private email addresses when creating login details for collaborative software.

To reduce the resulting ‘privacy’ risks (e.g., GDPR), we insist that ONLY business email addresses are being used when creating login details. These business emails can be managed on a corporate level by admins (e.g., deleted when somebody leaves an organization).

For us, this has resulted in a much cleaner distinction between private and business life, and we believe that we have the GDPR issues of collaborative software much better under control.


Victor Fredung

@Shufti_Pro

Victor Fredung is the CEO of Shufti Pro.

"The most common risks that come with collaboration software are data breaches, downtime, and malware attacks…"

Mitigating these risks is not difficult if the collaboration software is well managed and chosen wisely according to the needs of the organization.

To mitigate the risk of data breaches and malware or fraud, get customized software and add security roadblocks like real-time face verification to ensure that the real person is entering the system.

In case you are using some outsourced collaboration software, work on your employee training and continuously scrutinize their activity. Lastly, choose wisely and do not invest in software that offers more than you need, because it affects employee performance. You should also buy software that offers different levels of access for different hierarchical levels of an organization.

One pro tip is to not share the most confidential data on such platforms, especially if outsourced.


David White

@bestresponseuk

David White has been a project manager with BRM for 8 years now. In a digital agency, that means he wears a lot of hats – he's also a Business Analyst, Development Manager, and Account Manager. He can also prepare a nice cup of tea for his colleagues when he wants.

"The key to risk management is to have a…"

Proactive and holistic approach with which you can attempt to control uncertain events and environments. You need to identify risks, perform quality and quantitative risk analysis, plan responses, and think about monitoring and control.

Identifying risks should be an iterative one, as new risks can emerge and evolve as time goes on. Including as many stakeholders as possible is recommended, and you can use several tools or techniques to identify the risks, such as brainstorming sessions, root cause analysis, or SWOT analysis.

Quality and quantitative analysis allow you to prioritize risks by their potential likelihood and impact. This enables you to plan risk responses accordingly and make sure the correct effort is going into the risks that have the highest threats and effects.

Finally, you get to the monitoring and controlling process, which again should be an iterative process. It is vital that risks are tracked and, if necessary, new responses put in place if the risk is still present or if new threats are identified.


Tom Dolan & Saleem Ahmed

@ExelaTech

Tom Dolan, CISSP, CISA, & CRISC, is the SVP of Information Security & Risk at Exela Technologies.

Saleem Ahmed

Saleem Ahmed is the Vice President, Business Strategy SME at Exela Technologies.

"Cybersecurity attack vectors are multiplying at warp speed…"

It’s an organization’s responsibility to stay current — on an up-to-the-minute basis — with regard to all threats, from those that are already well-known to those that are new and evolving. Collaboration software presents significant risks to an organization’s data (and the data entrusted to it by its customers, if applicable, as it is in the case of Exela).

An organization, through its security officer, its IT department, and otherwise must continually assess those risks. Best practices include ensuring collaboration software adheres to the most stringent security frameworks (such as NIST), has robust access controls applicable to all employees, and is secured (as per SLA) to ensure data integrity and prevent data loss.


Guneet Sahai

@MercerMettl

Guneet Sahai is the CTO of Mercer Mettl.

"The best practices for organizations to mitigate risks in collaboration software are…"

Limited Access and Permission: Give limited access and permission to employees and third-party business partners on crucial projects and sensitive information like a customer’s database, proprietary infrastructure, and financial documents. Determine which team members are actually required to work on them and which section of collaboration software can be allowed and should be restricted from them.

Alerts for Violating Restrictions: Check the level of permission the software tool allows you and the potential security risks. Test your collaboration software on these parameters:

  • Are there alerts for violating restrictions set for multiple users?
  • What kind of access do you have to override access by someone unauthorized to see your highly critical information?

Secure VPN Connection: To limit your dependency on the collaboration software’s security protocol and efficiencies, you could have your team members and anyone who needs access to access such crucial company data through a secure VPN connection. Ask your people to download an app which provides for having access to critical information by way of a secure VPN connection.

Security Credentials: Before bringing any collaboration software onboard and baring your confidential knowledge to third-party partners, any employee with bad intentions, or hackers, check for their security credentials. Does the collaboration tool you use provide you with secure encryption credentials and follow regulatory compliance from authorized agencies?


Emily Woll

@OsmondMarketing

As COO of Osmond Marketing, Emily Woll has streamlined production to deliver greater value to clients. She holds a bachelor's degree in dietetics from Brigham Young University and a master's degree in human environments from Utah State University. Emily is obsessed with healthy eating and loves to explore the world.

"I break down my best practices into two steps…"

One, do your research to find excellent software that also has comprehensive data security features.

Two, make sure you are taking full advantage of those features! Here are features to look for in collaboration software and how my company is making the most of it:

  • Ability to limit access to data: We use ProWorkflow (an online project management software) and Google Drive. Both allow us to limit access to data on an employee-by-employee basis. This is especially helpful as employees change positions in the company or come and go — it's easy to make sure data is only in the hands of those who really need it.
  • Ability to track financials: We were having issues with employees logging time without being clear about what they were logging time for. We used ProWorkflow to limit employee access to certain tasks. This meant a little more work for project managers, but it gave us great insight into the burn rate for our financials.
  • Cloud backups: Even if we delete something in ProWorkflow or Google Drive, we can restore it because data gets backed up in real time. We follow a precise version control/file labeling system so that if anything accidentally gets deleted, it's easy to find and restore.


Jacob Smith

Jacob is a graphic designer from Chicago and the Founder of Product Viz.

"When using collaboration software, organizations should decrease their risks by protecting their personal information…"

This would mean creating a separate work email to link their collaborative accounts to. Information isn't the only thing to protect; organizations should only show rough copies or samples of their actual work to protect their ideas from being stolen and used for profit without their consent.

Furthermore, organizations should also get in the habit of using VPNs to protect their locations from anyone else using the software.


Otavio Freire

@SafeGuard_Cyber

Otavio Freire, CTO, President & Co-Founder, is a Brazilian-born American entrepreneur responsible for the creation of SafeGuard Cyber’s enterprise technology solution. He also co-founded OpenQ, a social media compliance platform, with SafeGuard Cyber’s CEO, Jim Zuffoletti, after they met at the University of Virginia Business School. Otavio is also a guest lecturer in entrepreneurship and engineering at the School of Engineering at the University of Virginia.

"As organizations look to increase productivity and streamline projects, collaboration software and platforms have provided employees with greater convenience and accessibility…"

However, many channels companies use, like Slack, also create an expanding attack surface that bad actors and malicious insiders can exploit.

Organizations need to think carefully about implementing access rights and user provisioning and de-provisioning when it comes to Slack and other workplace collaboration platforms. There must be a documented process for implementing security controls and mitigating insider threats. To reduce the attack surface, it’s particularly important to avoid giving employees access to workspaces and channels unless they actually need it. Revoking access rights to people who have left the company is merely the tip of the iceberg.

A robust and regularly updated training program is also crucial. Employees need to have a thorough understanding of what they can and cannot discuss and share in collaboration platforms. However, there will always be some degree of risk when it comes to accidental disclosure and malicious intent. To mitigate such risks, businesses need an automated solution that immediately alerts administrators to potential data leaks or security breaches and can remediate threats before they cause irreparable damage.


Vartika Kashyap

@kashyapvartika

Vartika Kashyap is the Marketing Manager at ProofHub and has been one of the LinkedIn Top Voices in 2017 and 2018. Her articles are inspired by office situations and work-related events.

"Unintended privacy risks are common when using collaboration software…"

But these privacy risks shouldn’t stop you from using them; instead, use software that promises you secure, safe, and private data. There are tools that allow restricting your account access to only those IP addresses you select to avoid unauthorized access to keep your data secure. Also, setting custom access roles will allow you to choose who does, sees, and manages what. Thus, maintaining your privacy intact!


Robert Cruz

@RobertCruz03

Robert Cruz is Senior Director of Information Governance for Smarsh. He has more than 20 years of experience in providing thought leadership on emerging topics including cloud computing, information governance, and discovery cost and risk reduction.

"We continue to hear from organizations that are in the midst of a…"

Revolution in how they communicate with their customers, and how they collaborate internally. A revolution is being led by new rich, dynamic, interactive tools such as Microsoft Teams, Slack, Workplace by Facebook, and Cisco WebEx Teams, which are allowing firms to build more intimate relationships with their customers.

At a fundamental level, the breadth, inconsistency, and complexity of today's communications networks should cause firms to re-evaluate decisions regarding the benefit of proactive capture of non-email sources versus the cost, hassle, and uncertainty of reactive collections when an e-discovery event, investigation, or regulatory inquiry is knocking on the door. For those choosing the proactive approach, there are a growing number of options to capture mobile and collaborative content – some better than others at withstanding the rigors of e-discovery and regulatory demands. In fact, many downstream e-discovery and compliance technology providers are busy cranking out simple connectors to new content sources, some of which are constructed as a professional service for specific matters or cases.

Ultimately, the effectiveness of e-discovery, compliance, and investigative work is highly dependent on understanding context. As organizations respond to the changes in their internal and external communications, they should quickly move their thinking beyond yesterday's world of static connectors and look toward the technologies that will allow them the rich, dynamic, interactive view into the data that defines today's communications revolution.


Don Mennig

@Don_Mennig

Don Mennig is the EVP of Global Marketing for Evolve IP. Don has 20 years of B2B technology marketing experience and began his career convincing people they needed something called a website versus a Yellow Pages ad. In addition to loving tech marketing, Don is an avid photographer and soccer player. He lives outside of Philadelphia with his awesome wife and two sons.

"As quickly as possible, businesses should unify their organization on a single solution to prevent shadow IT deployments from wreaking havoc on the company…"

The great part about these tools is that the data and projects live at the platform level, so everything is easily accessed, edited, and shared. The bad part is that the platforms are proprietary, which means that the same information cannot be easily forklifted and ported to a new service – if at all. The risk is that when a business wants to get everyone collaborating on the same tool, the data and projects from the other services will need to be re-created from scratch. If that's 10 projects, it's not a huge deal, but at 100 or 1,000, it becomes a nightmare scenario for IT and the business unit.

Unfortunately, this isn't just hypothetical. We have found that the average business already has over 2.5 collaboration tools inside the company, and 26% of them were deployed by the business units – not IT.


Karthik Subramanian

@Karthik0102

Karthik is a content writer at Paperflite. He strives to master the intricacies of creating consumable and useful content that keeps customers yearning for more. His interests lie at the intersection of sales, marketing, and technology.

"Collaboration software is used for sharing documents, files, videos, audio files, images, podcasts, and so on…"

As a result, file security is of utmost importance. Collaboration tools allow users to protect their content in four different ways:

  1. One way of mitigating risk is by using passwords. Only people who have the password can access the content.
  2. The other way is by ensuring document expiry. For example, one can ensure the content cannot be opened after a certain date and time (MM-DD-YYYY and HH:MM:SS).
  3. The third technique (which is not completely risk-free) is by gating content. A user cannot view/download/forward content unless he provides an email id. Any malicious activity by the user can be tracked back to the user ID.
  4. The other technique that we are planning to implement is using a mobile number and one-time password (OTP). So, anybody who wants to access a file will need to provide a valid mobile number to which an OTP will be sent.
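The first three protections listed above (password, expiry, and gating by e-mail address with an access trail) can be combined in one share link. This is an added sketch, not the panelist's or any product's implementation; the token layout, the function names and the sample values are assumptions, and the OTP step is not covered.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)  # signing key; never leaves the server
PBKDF2_ROUNDS = 600_000               # work factor for the link password


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def create_share(doc_id, recipient, expires_at, password):
    """Return (token, server_record). The token binds document, recipient and
    expiry under an HMAC; the password is stored only as a salted hash."""
    payload = json.dumps(
        {"doc": doc_id, "rcpt": recipient.lower(), "exp": int(expires_at)},
        sort_keys=True,
    ).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    salt = secrets.token_bytes(16)
    record = {"salt": salt, "pw_hash": hash_password(password, salt),
              "access_log": []}
    return b64e(payload) + "." + b64e(sig), record


def open_share(token, email, password, now, record):
    """Return (doc_id or None, reason). Every attempt is logged with the
    e-mail supplied, so activity can be traced back to a user ID."""
    def done(doc, reason):
        record["access_log"].append((now, email.lower(), reason))
        return doc, reason

    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = b64d(payload_b64), b64d(sig_b64)
    except ValueError:
        return done(None, "malformed")

    # Verify the signature before trusting any field inside the payload.
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return done(None, "bad-signature")

    claims = json.loads(payload)
    if now >= claims["exp"]:
        return done(None, "expired")
    if not hmac.compare_digest(email.lower().encode(), claims["rcpt"].encode()):
        return done(None, "wrong-recipient")
    candidate = hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return done(None, "wrong-password")
    return done(claims["doc"], "ok")


if __name__ == "__main__":
    EXPIRY = 1_605_139_200  # constructed Unix timestamp
    link, rec = create_share("q3-pricing.pdf", "buyer@customer.example",
                             EXPIRY, "correct horse")
    print(open_share(link, "buyer@customer.example", "correct horse",
                     EXPIRY - 60, rec))
    print(open_share(link, "buyer@customer.example", "correct horse",
                     EXPIRY + 1, rec))
    print(rec["access_log"])
```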


Devashish Sharma

@Flock

Devashish Sharma is the CTO at Flock, a real-time communication and collaboration app for modern teams.

"It is a known fact that successful businesses are built on…"

Collaboration and communication, hence it is very common for organizations of all sizes to use tools that facilitate connection between their employees. However, with the advancement in technological collaboration platforms, the risk level also goes up. Hence, the people who hold the authority to adopt such platforms must be aware of some hygiene practices to mitigate risks.

The first and foremost step is to build awareness among employees about the risk and repercussions of a security breach. For this, the top leadership has to educate themselves first about security practices. It is often a misconception that large enterprises are more at risk when it comes to data breach; however, small and medium enterprises should also take steps towards educating every individual in the organization. Additionally, it is extremely vital to empower the IT team to make decisions around security by helping them undertake trainings and courses that are relevant to their profile.

With the workspace evolving, a bunch of specialized roles are also cropping up across organizations. One such role is a CISO, which is Chief Information Security Officer, as the traditional IT team may sometimes be not aware enough of the various security problems. Bringing in such specialized roles will help to mitigate risks.

Another key standard practice is to ensure there is encryption. Businesses should always consider using encrypted rather than decrypted messages, no matter how sensitive the content, due to the higher risks associated with the latter. It does not matter if the information is of a confidential nature or not; the minor risk of being hacked can damage the reputation of not only your organization but also your clients, and in the process make them question how much you care about the data you hold.

When it comes to software, a collaboration platform should feature end-to-end encryption and multi-factor authentication. TLS 1.2 is the industry standard for encrypting communications over the internet, and providers of this level of service will typically advertise their compliance with this along with wider security certifications like SOC 2. Look out for information on their data center security, opting for trusted hosting providers like Amazon and Microsoft where possible. You can't go wrong with a company that follows Secure by Design principles and has a thorough privacy policy either.

Lastly, another important factor is data laws with large penalties for incorrect storage or sharing of information. Additionally, if one is using an encrypted messaging source, then the message should remain in an unintelligible format until it reaches the recipient, with decryption only occurring when opened by the intended person.


Michael Schenck

@KaytusoMSSP

Michael Schenck is the Director of Security Services at Kaytuso. He’s responsible for leading the charge in delivering robust regulatory compliance and customized cybersecurity solutions to clients.

"Collaboration software has matured over the last few years, and…"

Microsoft is probably the furthest along with all the integrations of the Office suite built into Teams. The best practices for all risks, including the use of collaboration tools, start with the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF). Let's walk through the RMF regarding collaboration solutions.

The first step is to categorize the information system, which is to identify the components of the solution, what it does, and identify the potential risks. Obvious risks for collaboration software include data loss/theft, unauthorized access, change control management, availability, and lifecycle management of the solution itself, to name a few.

The next step is to design and select security controls for the solution under consideration for implementation.

Data Loss Prevention solutions – either native in the solution or third-party solutions – can effectively mitigate the threats of unauthorized disclosure. Backup, journaling, and change control management solutions should be configured to cover the content of the collaboration solution.

Availability to all people – both authorized and not – is an obvious consideration when selecting a collaboration solution. Proper configuration includes redundancy (clustered servers, on-prem vs. cloud, geo-redundancy for cloud, etc.) and adequate access controls that make for easy authorized access to work while preventing unauthorized access. The risk from software lifecycles is mitigated by selecting products that are maintained and that come from a major company that is going to be around for a while.

Steps 3 through 6 address implementation of the mitigation and security controls, testing those controls, authorizing the solution (assuming it meets the limits of acceptable risks), and then monitoring and maintaining the solution and relevant security controls to ensure it remains an acceptable risk.

The RMF process is what builds the plan for mitigating risks in collaboration software. Implementing controls specific to each identified risk is the best way to mitigate the risks for anything. For collaboration software, it requires more information on the use case. Is it cloud or on-premises? Is it for internal use only, or are there cases where third-party collaboration is required? The biggest risk from a collaboration software solution is data loss – data theft or unauthorized changes (edits, deletions, ransomware). Implementation of a backup/journaling solution helps with changes, deletions, and malware encrypting the files, while Identity and Access Management with an additional Data Loss Prevention and encryption solution can help with theft prevention and unauthorized access.


Ben Griffin

@CDL_RecycleIT

Ben Griffin is Sales Director at Computer Disposals Ltd – one of the UK's leading IT disposal companies serving both major companies and SMEs.

"Collaboration software is increasingly important in modern business, allowing various employees, suppliers, and partners to work together in real-time…"

And as necessary as it may be, it’s also fraught with risks if you’re unfamiliar with certain processes and practices.

From the outset, it’s a good idea to educate employees on the use of collaboration software through training. The information shared among employees is likely to be sensitive and important, so it’s essential they understand their responsibilities to accommodate secure collaboration.

Cybersecurity is a constant concern, with the potential for leaked data quite high. Using tools to provide secure online collaboration – particularly those with ISO 27001 certification – is highly recommended. Additionally, a system that manages access to sensitive information is useful if a large number of people are working on a project.

Downtime can occur, too, stopping projects dead in their tracks. When things can’t be completed on time and data loss takes place, that’s a major concern. A collaboration tool with a service level agreement that guarantees reliability will stand you in good stead here.

All in all, perhaps the most important thing to remember is the software must suit the business. If you opt for something with superfluous or redundant features, or something that will slow down things too much, then it’s not going to match the needs your projects require.

Juliana de Groot

Juliana is a Marketing Operations Specialist at Digital Guardian. Prior to joining DG, she worked at Dell and CarGurus. She graduated from Bentley University with a Bachelor of Science in Marketing with a minor in psychology.