Understanding and Mitigating Risk in Collaboration
How to Mitigate Your Threat Exposure in Collaboration Tools Like Slack, Teams, Webex, and Zoom
Covid shutdowns took many IT leaders by surprise. Major enterprises had to roll out new tools and programs to facilitate a shift to remote work on just a few days’ notice. For organizations that typically follow careful roadmaps for implementing new technology, the digital transformation happened at unprecedented speed.
That doesn’t mean collaboration tools were unknown entitles in 2020. Yammer has been around since 2008, Slack since 2013, and Microsoft Teams launched in 2017. Many organizations used collaboration in at least some areas of the business. However, company-wide launch was still a long way off for most.
With remote and hybrid work firmly part of modern corporate life, the digital office represents a new frontier, where limited controls introduce greater freedom—and increased risk. Now organizations are waking up to the need to manage this new dataset, how can IT leaders mitigate the risks posed by collaboration tools without losing their benefits?
What is risk?
Risk is the potential for a negative outcome. Not all risk is bad—if it was, we’d never take any risks at all. But risk avoidance brings with it the danger of closing doors on new opportunities, greater innovation, and better deals. No matter how risk-averse an organization might be, it must have some amount of risk tolerance in order to thrive and grow.
Risk Avoidance vs Risk Mitigation
Risk Avoidance—Completely eliminating risk by refusing any actions with unknown consequences
Risk Mitigation—Reducing likelihood of negative outcomes to acceptable levels to benefit from positives
The risk of collaboration tools
The introduction of collaboration tools was itself a risk. Slack and Teams might be popular within your organization now, but their widespread adoption and positive impact on productivity wasn’t always a certainty. Risk-avoidant organizations resisted any use of collaboration tools, while others explored limited, controlled usage to mitigate potential downsides.
That all changed with the pandemic. Without giving employees ways to work together remotely, businesses faced the inevitability of complete closure or rampant use of unapproved, unsanctioned tools. The balance of positive and negative outcomes changed, and most organizations realized that risk avoidance was more likely to be detrimental to the company. Instead, they chose to mitigate the risks of remote work by providing managed, approved tools for employees to use.
For many, that’s where risk mitigation of collaboration ended. What IT leaders didn’t realize was how successful their new tools would be, or what new risks they would bring with them.
Risks in collaboration datasets
Collaboration data is unlike any other. It’s fragmented, informal, and uncontrolled. Conversations flow seamlessly from public channels to private groups and direct messages. In a click, employees can upload files, share restricted information, and invite external collaborators into the workplace environment. And unless you manually adjust retention settings or a user deletes their messages, everything entered into collaboration tools is saved forever.
Aware research shows that:
- Over 90% of Slack messages are sent in DMs or private channels
- 1 in 17 messages contains 3+ pieces of sensitive information like PII
- A 5000-employee workplace will share credit card numbers 271 times a month
Download the full report now
What have you done to mitigate the potential harm that dataset contains? What could a malicious insider or external threat actor take from your organization if they gained access to that environment? How many instances of confidential, protected, or regulated information have employees uploaded—and could you find and remove them all from the tangled web of data you now hold?
The simple truth is the tools that saved the workplace during the pandemic have introduced a massive amount of unmanaged risk that now threatens to cause unforeseen damage to the enterprise.
What do these risks look like?
Highly regulated industries like healthcare and banking are at the most obvious targets for data exfiltration, and at greatest risk of sanctions for failing to control collaboration data. The fines for regulatory noncompliance can run to hundreds of millions of dollars. Messaging on unmanaged tools cost the financial sector $549 million in August 2023 alone.
Even outside highly regulated sectors, all companies still deal with confidential information on a daily basis. Personal Identifying Information (PII) and Payment Card Industry (PCI) data are just two common examples. If your employees routinely handle customer phone numbers, addresses, or payment information, that data almost certainly exists somewhere in your collaboration messages, and introduces the risk of fines, penalties, and loss of consumer confidence if it ever comes to light. According to IBM, every stolen or leaked customer PII record costs businesses $180, and Aware research shows that 1 in 17 collaboration messages contains 3+ pieces of sensitive information.
This telecom provider used Aware to uncover 20k+ credit card numbers in their collaboration tools
Intellectual property also proliferates across collaboration messages. From teams working together on the latest business innovation to employees sharing insights, customer lists, and industry reports. What damage could that information do if it got into a competitor’s hands? The latest data shows that 12% of employees take IP with them when they leave a workplace, and the rise of collaboration applications that sync data across devices makes this type of exfiltration harder to identify and prevent.
The most innocuous workplace conversations can have negative outcomes for businesses if they become public. Threat actors have known for years that collaboration messages hold a treasure trove of information. And not only passwords, credentials, and code, all of which are commonplace in collaboration. Even idle chatter, office gossip, and interpersonal drama can provide opportunity for hackers and blackmailers if that information would be damaging if it became public.
Opinion: The Uber breach demonstrates why we built Aware
The challenge of mitigating risk in collaboration data
Faced with massive risk exposure, organizations must address mitigation as a matter of urgency. The enduring popularity of remote and hybrid work continues to make collaboration tools necessary to the enterprise, and employees are accustomed to using them. Simply revoking the tools is not an option. Instead, IT leaders must focus on imposing controls that mitigate the risks these tools represent.
The controls needed to do this aren’t new. They exist for all other forms of business communications. For example, email servers can block senders and recipients, restrict offensive language and monitor file attachments. From an organizational perspective, controlling collaboration messages is no more restrictive or intrusive than managing any other form of communication.
So what’s the problem? It’s the nature of collaboration tools themselves. They were designed to circumvent the checks and balances of traditional business communications and lack the functionality to apply those controls even when they prove necessary. And in the limited instances where business controls are available, they’re usually highly granular and/or limited to a single tool.
Given that over 90% of business use two or more collaboration tools, complete oversight of the total collaboration ecosystem quickly becomes complex to institute and expensive to maintain.
The benefits of collaboration are only worthwhile if you can mitigate the risks
The Aware AI data platform gives leaders the visibility they need to streamline governance and compliance, secure valuable business data, and address risk within the enterprise. Aware solves for top concerns across all major collaboration tools, unifying control of the entire ecosystem into a single, intuitive platform.
Purpose-built for the nuances of collaboration, Aware connects effortlessly to your existing tools through APIs and webhooks with no additional IT lift needed—and no impact on the end user.
Control collaboration risk with automated compliance monitoring using best-in-class natural language processing and sentiment analysis. Detect, flag, and tombstone unauthorized information sharing in real time, and automatically coach employees on acceptable use policies.
Take control of your collaboration dataset with Aware and discover how your organization can enjoy its benefits while mitigating risk.