Seven Tips to Securing Your Collaboration Software
As offices look to move more of their data off email and onto virtual workspaces, security pros must find a way to lock down collaboration software.
October 1, 2019
Virtual workspaces such as Slack and Microsoft Teams allow administrators to choose which third-party apps – used to add time-saving features – can be installed by a user. Admins can change settings to pre-allow apps or review requests as they are made. In some cases, you may be surprised by the access these integrations request, so review them carefully before allowing users to install them.
According to Verizon’s 2019 Data Breach Investigations Report, 34% of attacks come from internal actors. The company advises monitoring internal use by logging who accesses sensitive data and being transparent about it: “Make it clear to staff just how good you are at recognizing fraudulent transactions.”
“2FA everything,” advises Verizon’s 2019 data breach report. “Use strong authentication on customer facing applications, any remote access and cloud-based email. There are examples of 2FA vulnerabilities, but they don’t excuse lack of implementation.” For example, you can set up Slack to use 2FA with either an authentication app or with text messaging. For Microsoft Teams, Office 365 global admins can set up multifactor authentication, including text messages or Microsoft Authenticator.
LogMeIn CISO Gerald Beuchelt recommends that your audio, video and screen sharing tools make it clear when screen sharing or recording is happening. He also advises never allowing meetings to be controlled from outside the app. “There's confidential discussions happening between providers and clients,” Beuchelt says. “It's really important to make sure that this access is properly locked down and [that] the outcoming recordings or artifacts that may be derived from that are properly secured as well.”
“Make sure systems are properly available,” says Beuchelt. “Obviously, from a communication perspective, availability plays a critical role in making sure that the service can be used during an emergency or during regular business hours.” Vendors should be transparent about how they approach incident response, vulnerability management and forensics, he says.
Reports of attacks on collaboration software in the wild are rare, but cybersecurity teams have exposed notable potential threats this year. Security pros expect these cases to increase as offices look to move more of their data off email and onto virtual workspaces, where phishing attacks are less likely. Vulnerabilities in Slack were reported in May that could allow a hacker to manipulate links so that downloads go to the hacker’s server. The vulnerability was quickly patched. Earlier in the year, researchers discovered malware that could be used to steal data from Windows users of Slack and GitHub.
“Many breaches are a result of poor security hygiene and a lack of attention to detail,” according to the Verizon breach report. “Clean up human error where possible, then establish an asset and security baseline around internet-facing assets like web servers and cloud services.” Beuchelt stresses the concept of developing a culture of security across your organization. “We're obviously doing some offensive security, red teaming, as well. So [we’re] making sure that we have some adversary simulations and tests that exercise those kinds of muscles on a regular basis. But it's very important to look at people, processes and technology, but truly in that order. People have to be engaged.”
Collaboration software is so central to getting work done today that many companies’ most sensitive data can be found within these apps, which is concerning to security pros and the C suite. And securing these workspaces goes beyond choosing secure passwords. Here we look at seven ways to tighten up security around your collaboration tools.