In a cloud world, traditional security strategies can only get IT departments so far. Locking down company data behind firewalls just isn’t viable anymore. In fact, end user errors often present the weakest link when it comes to preventing data breaches, especially for unified communications (UC) and collaboration apps.
Estimates on the impact of user errors in data breaches vary. According to data from the UK Information Commissioner’s Office, 90% of data breaches in 2019 were caused by human error. On the other hand, broader analysis from the Ponemon Institute attributed 24% of data breaches to user error. However, sources agree that user error is a growing concern.
Within collaboration and communications, there are a number of ways end users contribute to security issues. Common problems often relate to misconfigured settings. Within UC platforms like Zoom, Microsoft Teams, and Webex Teams, these settings are often related to allowing unauthenticated users to join meetings.
On the collaboration side of Microsoft Teams or Slack, user error introduces issues with externally shared content. Often, end users are just trying to get their work done, not thinking about the security implications. Another example of this is inviting external guests to join collaboration workspaces and letting them stay on indefinitely.
Let’s take a look at some cases where user error caused collaboration security issues and what IT can do to prevent them. Here are the most memorable UC and collaboration security snafus of 2020.
1. The Year “Zoombombing” was Added to the Dictionary
With organizations rapidly shifting to remote work, there were bound to be some issues. From companies to classrooms to communities, suddenly everyone was using Zoom. However, few took the time to configure security settings. Zoombombing took advantage of public links to meetings, allowing bad actors to join Zoom meetings uninvited. These participants disrupted meetings, often sharing inappropriate content.
One very common case of Zoombombing was in digital classrooms. Overwhelmed teachers created meetings using system defaults. Even worse, they often made these meetings more externally accessible as they struggled to ensure their students had access. On top of that, it never helps to have unruly teenagers publicly sharing Zoom links and class schedules. There were even Instagram accounts that specialized in posting class links and urging would-be Zoombombers to drop in.
User error when configuring meeting settings gave Zoombombers the perfect way in. End users might choose to use personal meeting IDs, which are easier to discover than the unique IDs generated for each meeting. Not requiring passwords or waiting rooms made it even easier for Zoombombers.
However, IT admins did have the tools to prevent Zoombombing. Admins can prevent the vast majority of cases by configuring these security settings and locking them tenant-wide.
2. When Requiring a Meeting Password Isn’t Enough
Sometimes IT can do everything right, but end users still find a way. In one example of this, a Dutch journalist crashed an EU defense meeting. It turns out the Dutch defense minister had tweeted out the meeting login details. Even though the meeting had a waiting room enabled, user error trumps all, as the host mistakenly admitted the journalist to the meeting.
Properly configuring meeting settings only goes so far without user education. While being cautious with login details and double-checking participants in the waiting room are second nature to IT, it’s important to call out these basics to end users.
3. Content Collaboration Catastrophe: External Sharing Settings
Content sharing settings are often overlooked by end users. User error here is often as simple as a colleague having trouble accessing a document, so the owner opens it up to “anyone with the link.” Similarly, users sometimes add guests to a secure workspace and fail to track their activity and how long they retain access.
This came back to bite one ad agency using Google Docs to draft a proposal. A competitor on the same bid found the proposal through Google search and adjusted its own bid for the project, beating out the agency. It was only after losing the project that the agency realized its private information was easily found on the web.
These types of user errors are very common, yet easily preventable. IT must lock down these settings in the G Suite admin console. Google even offers a variety of options for doing so, including customizing permissions by department.
4. Webex Ghosts: This One Isn’t Entirely User Error
IBM discovered a flaw in Webex that allowed malicious actors to join meetings without showing up on the participant list. The end user might only hear an additional beep indicating the presence of a ghost user. If the host disabled the entry tone, the ghost could enter undetected.
While this flaw ultimately had to be resolved by Webex, there are a number of steps IT can take to prevent ghost users. The primary action would be to disallow personal meeting rooms, as this covers the vast majority of potential ghost access cases. Other steps include requiring meeting passwords and of course promptly deploying security patches.
5. When Shark GIFs Attack on Microsoft Teams
As if 2020 hadn’t been hard enough, now even GIFs are dangerous. A vulnerability in Microsoft Teams allowed attackers to steal information by sending malicious GIFs. A user only had to open the message containing the GIF to be compromised, which made it easy for the attack to spread. The most likely vector for this type of attack was through guests, as the original GIF had to be introduced into the Microsoft Teams environment.
The malicious GIF vulnerability was actually discovered by security researchers and it’s now been patched. However, it’s a reminder that IT teams should monitor guest access closely, as end users are unlikely to think carefully before inviting guests. As always, IT should also stay on top of security patches.
6. Hello, Trello: Public Share Settings
Although Trello is an important part of the Atlassian content collaboration ecosystem, it is also a very popular app on Microsoft Teams. Like many collaboration tools, Trello makes it easy to share content.
In fact, it’s so easy to change share settings that a small user error can publicly expose a Trello board. An incident at an office space company exposed performance ratings for its staff when someone accidentally set the privacy of a Trello board to public. This made the board publicly searchable on Google.
A simple step to preventing this type of user error is to properly configure settings on the IT admin side. Trello Enterprise administrators should use the setting “nobody can create a public board” (especially given that org-wide boards are an option). This is also a reminder to Microsoft Teams admins to monitor their third-party applications.
7. Slack Hack: Third-Party App Security
Microsoft Teams isn’t the only platform where IT should be concerned about third-party app security. Slack’s plethora of apps presents a huge attack surface.
In fact, one company found this out the hard way. A hiring system was mapped to an HR Slack channel, creating an integrated workflow. Then a resume that was actually an infected Word document was uploaded to the system, which pushed a notification to that HR channel. Without evaluating the infected resume carefully, many employees opened the document at the same time.
While IT can attempt to educate users on evaluating risky files, there’s an added sense of trust when files are shared within collaboration platforms. The onus is on IT to carefully review all third-party apps to ensure they have proper security policies in place.
Collaboration Security & Governance is a Major IT Challenge
Securing collaboration and communications platforms is no easy task, and end users don’t make it any easier. With so much valuable information in them, these platforms present a significant new attack surface. It’s up to IT to forge a path forward in the emerging area of collaboration security and governance.
Tools like PowerSuite use advanced security analytics to help IT understand their collaboration security profile and discover ongoing issues. PowerSuite then offers granular policies to maintain the right balance between security and end user productivity. Flexible enforcement options help you customize policies for real-world scenarios, where more nuance is required.
Sometimes IT teams need a little more help. That’s why we created the Collaboration Security Risk Assessment Service. Our expert consultants will guide you in understanding where your top areas of risk lie. Then, they’ll aid you in creating a comprehensive plan for securing your organization’s UC and collaboration environment. From navigating issues around guest access to customizing admin settings, we’ll ensure you’re set for collaboration security success!