Speed is the business ethos of our era. Powered by the cloud, widely popular collaboration tools like Dropbox, Box, G Suite, Slack and others accelerate team and business speed. As a result, collaboration platforms have proliferated over the last decade.
These intuitive tools are easy to use and provide a high-quality customer experience. Working across desktop and mobile platforms, they’re great for productivity.
They can also be diametrically opposed to security by facilitating user behaviors that put organizations at risk. Fundamentally, security was not a primary focus for many collaboration tools; eliminating friction and focusing on the user experience were the key design considerations. Now we’re experiencing real tension between privacy and security; that's manifested in new legislation like the GDPR and the California Consumer Protection Act, where hefty penalties could result when customer data is misused.
Many people assume that because all leading collaboration tools use encryption to secure communications and data between users, then all data is secure. The challenge lies in what happens to the file when collaboration occurs.
Collaborators who may legitimately access a file are then empowered to do whatever they want with it; they now have full control to create a second copy, access it via a personal account, copy-and-paste its contents into a different document, or collaborate with others. Document lifecycle management is where the current generation of collaboration tools stops, and that leaves a big gap in controlling file access through collaboration privileges.
Examples of these gaps are widespread; a few real-world situations spring to mind. A sales leader shares an encrypted list of target customers with a sales representative teammate. The sales rep appropriately accesses the file to do his or her job, but later accepts an offer to join a competitor and takes this highly sensitive data as a parting gift.
Or consider Tesla’s recent lawsuit against Zoox, with former employees allegedly stealing corporate secrets. Or the rampant cases of economic espionage where a disgruntled scientist steals proprietary data and sells it to an unscrupulous nation state. Once a bad actor has the decrypted information, all bets are off.
These cases are increasingly commonplace, but what is even more prevalent are accidental and erroneous instances of data sharing. Consider one recent example like Facebook inadvertently exposing sensitive customer and corporate information. When such data is outside of corporate control, what do you do?
It helps to take a step back and explore root causes behind a vulnerable situation. Perhaps the business team has been waiting for IT to provision a system and it's taking longer than they want. Or they don't like the corporate standard platform and a team member has had great success using another tool, so they opt for guerilla-style adoption.
This is potentially problematic for IT, particularly if the adopted platform hasn’t been vetted for security considerations. In my experience, I’ve never seen the circumstance where IT is bent on having control of the tools in use for control’s sake; they want to enable the business. But it’s also their job to ensure that collaboration is done securely.
To help bridge the divide, a more productive approach includes all parties exploring the business requirement to be accommodated. Some structure will help:
- Clarify the specific business requirement. Discuss if collaboration needs to happen internally or also involve third parties like customers and business partners. Is information flowing domestically or across borders? Into areas where strict privacy rules with serious penalties are in place? Is the business team aware of the full IT services catalog available to them which might include secure, vetted options?
- Audit the applications and tools in use. What controls are in place? How are users accessing the system? Is multi-factor authentication in use?
- Set clear policy. Lay out acceptable use policies and rules. For example, which platforms are and are not acceptable? What must be the delineation between business and personal accounts? Where can files go, and where can they not go, after being accessed? Make sure everyone involved knows the current standards.
- Monitor behavior over time. Check in with the business team to see how things are working with their adopted platform(s); what works and what’s lacking? How might IT close these gaps?
As organizations ratchet up the speed of business, the adoption of collaboration tools enables new opportunities while security risks are concurrently overlooked. Focusing on the business requirements and ensuring that files are protected regardless of with whom and where collaboration occurs is a pervasive challenge.
Sophisticated organizations are employing new techniques and approaches to confront this situation, aspiring to find themselves on the right side of history and absent from the data breach headlines. How are you responding to this challenge?