The landscape around collaboration and communication security has changed in recent years, spurred by the shift to remote work as companies scrambled to bring video and team collaboration tools online.
That rapid change in how teams communicate internally as well as with partners, suppliers, and customers introduced new security challenges, says Irwin Lazar, president and principal analyst at market research firm Metrigy.
At CSO’s recent InfoSec Summit, Lazar shared his research into what companies that are successfully implementing emerging collaboration technologies are doing to ensure that they are secure. What follows are edited excerpts of that presentation.
Where we are today
When we talk to folks about communication and collaboration security, they are still often focused on toll fraud. They are concerned about attacks on their phone systems, attacks that might allow people to register onto their phone systems and make calls, maybe even exfiltrate data—like call records and so on—and they are concerned about attacks that would cause calls to be routed across malicious carriers or malicious points that might be able to overcharge or gather money based on generating call volumes.
What we have seen is that has rapidly changed now over the last couple of years as calling is still obviously very important, but other collaboration technologies have entered the landscape and have become equally, if not arguably, more important. And the first one of those is video.
The challenges, when you think about securing video, obviously a lot of folks have heard about unauthorized people [discovering] a meeting and [joining] it with an eye toward potentially disrupting the meeting or toward snooping on the meeting and listening in. And that has, fortunately, been addressed by most of the vendors.
But the other real concern that we have seen arise from a security and especially a compliance perspective is meetings are generating a lot of content. So, most meeting vendors today allow you to record the meeting. They allow you to capture transcripts. There are chats going on. There may be notes that are published out of the meeting.
And so where does all that live, and how do you control that within the context of whatever your regulatory environment is, whatever your compliance and your discovery strategy is, and just your overall security strategy?
What successful companies do
We conducted a study of about 400 companies in the third quarter of 2021…. [W]e looked at where are people spending their money from a collaboration standpoint—what areas of your budget are growing, and what areas are shrinking? And then we looked at identifying the differences in what we call our success group.
Successful companies—as we define them—are ones that have the highest ROI for their collaboration spend. So they look at the money they are investing in collaboration applications, and they are able to measure improvements in revenue, cost reduction, improvements in productivity, and so on. We had about 400 companies that were in our overall pool in this study. Of that, we had about 68 that we considered to be successful, based on those metrics.
We then looked at what are the successful companies spending money on. And we found that collaboration security was the biggest gap. The successful companies are about 20% more likely to be spending money on collaboration security than the non-successful companies…. [And] the successful companies are significantly more likely to have a strategy.
5 best practices for collaboration security
So let me share with you our five best practices. Here is what we saw were the strongest correlations with our success group.
- They use a security platform
There are a number of different vendors out there that offer collaboration security platforms. There are also a lot of controls available from the collaboration vendors themselves. But looking in a cross-vendor environment, having that ability to use a single platform that can enforce policies across different applications, can monitor those applications, can look for or react to threats of attack or actual attacks, we find is a correlation with success.
- They know who owns collaboration security
If you are a CSO, obviously you have ultimate responsibility for collaboration security. But you also want to work with the collaboration teams to either delegate ownership of managing day-to-day security operations to those folks or work with them to get input into what the risks are and what are the possible mitigation techniques.
- They look at emerging channels
A lot of the compliance and security and governance approaches that have been focused on email and maybe legacy instant messaging need to evolve to support the fact that not only might you have a team collaboration app but you might have more than one. You might be using federated capabilities or gateway capabilities to extend those team collaboration apps out to customers and partners and suppliers and so on.
- They continue to think about toll fraud
[T]oll fraud is still a big potential risk to organizations, not only as a risk of costs—of calls being intercepted or generated across unauthorized networks—but it is also a risk of reputation fraud if calls are coming from your organization and they were not calls that you intended to make.
- They implement secure access service edge and zero trust
There are a couple different aspects here with respect to collaboration security. One is you want to be able to secure your remote workers, to ensure that if they are accessing some applications directly via the internet or they are on internet-connected computers that you know what is coming across the VPN, you know how they are coming into your enterprise, you are controlling what applications they can access…. And then with respect to zero trust, we are seeing companies begin to apply that to their collaboration partners. So, treating your providers as untrusted.