October 12, 2020

Is your collaboration platform compromising your security?

Chris Harvey
Security Solutions Specialist at Data#3 Limited
The rapid and large-scale shift to remote working across many industries has raised new questions around the security of the platforms supporting virtual collaboration and communication. With broader adoption came reports of abuse and misuse: uninvited guests ‘Zoom-bombing’, misleading privacy policies, and lax encryption have all been well-publicised, shining the spotlight on the security inadequacies of popular collaboration platforms.

After significant scrutiny, many of these vulnerabilities have since been addressed. But the number of organisations exposed has shown that when deploying a collaboration platform, security must be a key consideration.

Here are some of the top questions you should be asking from the outset:

Does the platform use end-to-end encryption?

Encryption wasn’t always used for data in transit. Zoom, for example, learned a fast lesson when they restricted encryption services to paying customers only. Following widespread outcry, encryption was swiftly delivered to all platform users [1].

Encryption is also used to protect data stored on platforms (“data at rest”), which is vital to prevent unauthorised third parties, threat actors and even the service provider from accessing sensitive business information. This is just as important as safeguarding data in transit; however, not all vendors offer this type of encryption.

There is a more secure way: end-to-end encryption. Take the added layer of security in Cisco Webex Teams and Cisco Webex Meetings: as well as encryption at rest and in transit, customer data is encrypted prior to being sent.

This means that content is encrypted immediately and remains so until it reaches the intended recipient, with no decryption key access provided to intermediaries unless explicitly granted. Even if one of the other encryption approaches fails, malicious actors still can’t access customer data.

It’s crucial you understand where your protection starts and ends. While vendors will be quick to spruik the inclusion of encryption, you may need to dig a little deeper to understand exactly what that means.

Can the platform support single sign-on?

Cloud collaboration platforms requiring users to create and store their login credentials on the service itself are attractive targets for attackers. The fallout from database leaks is amplified when you consider that people often use the same or similar passwords across apps, and the possibility of compromise is high.

Bypassing a Software as a Service (SaaS) platform’s own sign-in and using corporate identity methods instead means you can:

  • Integrate single sign-on (SSO) with a corporate identity solution like Active Directory (AD), reducing the risk of password exposure as employees no longer need to write down or save multiple passwords.
  • Wrap multi-factor authentication into the sign-in process, delivering one of the most effective controls an organisation can implement to prevent an adversary accessing sensitive information.

Will the user have granular control to determine role-based permissions?

No organisation wants to fall victim to ‘Zoom-bombing’ trolls who gain access to share unwelcome images and links with event guests, or worse still, compromise private discussions and data. It’s important to be able to grant certain users privileges for events and control the settings of each meeting. With granular settings, users can easily manage the behaviour of both users and the system before, during and after meetings. This is particularly important for events with external customer and supplier attendees.

For example, Webex Meetings allows hosts to coordinate and control an event, enabling security decisions for specific sessions. You can determine exactly who can share their screen, who can unmute themselves, and who can interact with content provided, among many other security provisions.

Role-based access control is all about allowing the right people to do the right thing – a basic concept, and a critical consideration for any collaboration platform.

How does the vendor protect user data?

Let’s put this through the lens of ‘shadow IT’, that is, third-party IT systems not sanctioned by the organisation. If a suitable collaboration platform isn’t provided, users tend to get impatient and head to the web to find their own, immediate, solution. To access this newly downloaded software, they must provide an email address.

This is likely the same email address used for work, paired with one of their regularly used passwords (poor password hygiene is prevalent – one study found 21% of people use passwords that are over 10 years old, and 47% use passwords over 5 years old [2]). Collaboration platforms are popular with hackers, so if that platform happens to be breached, user credentials may subsequently be made available on the dark web.

It all comes back to good IT hygiene on both sides – the organisation and the vendor. The organisation must avoid shadow IT by providing the tools required by their teams. The vendor must provide a secure, safe platform and back it up with clear information explaining their security protocols.

There are a lot of insecure apps out there: alarmingly, a study of 33,000 apps revealed that less than 1% had the built-in security requirements for regular business use, and 39% were not suitable for business use at all [3]. It’s also important to be on alert for platforms with a less than stellar track record of breaches, or that are heavily ad-supported. They might be an attractive low-cost choice, but with increased risk of attacks, not so appealing in the long run.

Chat to a Data#3 collaboration specialist

With deep expertise across Cisco’s portfolio, Data#3’s collaboration specialists can help you tap into the business benefits of a better connected and productive team. If you’re trying to find the best fit for your organisation, compare the key functionality of Cisco Webex Teams and Webex Meetings in our infographic.

To learn more and experience the power and ease of Cisco Webex for yourself, register for a demonstration or enquire about a free trial.

1. Zoom (2020), End-to-End Encryption Update. [Online]

2. Entrepreneur (2015), Password Statistics: The Bad, the Worse and the Ugly (Infographic). [Online]

3. Symantec (June 2019), 2019 Cloud Security Threat Report. [Online]