Are virtual collaboration tools a necessary evil for enterprises? How to mitigate the risk

Just ask yourself: Have you used WhatsApp, Zoom, Teams, Slack (or the like) today? 

For the majority of enterprise leaders — and their employees — the answer would be a resounding yes. 

In just the 2 1/2 short years since the onset of COVID-19, organizations have become reliant on such virtual collaboration tools. They are nothing less than vital for inside and outside collaboration, business continuity and remote work — and everyone within a company simply expects to use them.

But with their advent and explosion in growth, it’s been made abundantly clear that these tools pose significant security risk. Organizations face a conundrum in preventing data exposure and misuse while also diligently tracking communication and, in regulated industries, ensuring compliance. 

Most organizations are aware that many of these platforms aren’t secure or compliant — so why are they still using them?

Simply put, “the pandemic forced our reliance on video communication channels like Zoom, and now, we can’t expect the toothpaste to be put back in the tube,” said Shiran Weitzman, CEO of communication compliance platform company Shield.

However, he pointed out, “in today’s work-from-anywhere workplace, it’s likely that businesses, regardless of industry, are legally obligated to keep up with standards around securing customer data and keeping a record of internal communications and discussions.”

Sharing data, risking compliance

Employees spend an average of 2 1/2 hours every day on applications such as Zoom and Teams — and 27% of U.S. employees spend more than half the working week using them.

WhatsApp, for instance, has roughly 2.44 billion unique active users worldwide. Zoom has more than 350 million daily meeting participants. Teams is used by more than 1 million organizations as their default messaging platform. Slack has 10 million daily active users. 

In a survey by Veritas Technologies, 71% of office workers globally – including 68% in the U.S. – admitted to sharing sensitive and business-critical company data using virtual collaboration tools. 

The Veritas Hidden Threat of Business Collaboration Report polled 12,500 office workers across ten countries and found that 58% of U.S. employees are saving their own copies of business information shared over IM, while 51% delete that information entirely. Either approach, the report points out, could leave companies open to significant fines if regulators ask to see a paper trail.

Employees acknowledged sharing data such as client information, details on HR issues, contracts, business plans and even COVID-19 test results. And, sensitive data continues to be shared even though 39% of U.S. employees have been reprimanded by bosses — and 75% said they would continue to share such information. 

Similarly, “you can expect executives looking to cut deals, no matter the industry, are naturally quick to fire off a WhatsApp message to colleagues and business partners, especially once there’s an established relationship,” said Weitzman. 

In response in the banking industry, the Securities and Exchange Commission (SEC) is expected to announce a combined billions in fines because Wall Street’s biggest banks are using banned messaging apps including WhatsApp and Signal. Some experienced banking executives are even being fired just for using unapproved communication channels, said Weitzman. 

Traders and brokers have become “overly reliant” on electronic messaging tools to discuss investment terms, hold client meetings and conduct other business, particularly due to the pandemic, he said. 

Most problems arise when it comes to regulation because encrypted messaging apps prevent adequate monitoring. But, while they’re often used for nefarious behavior like money laundering, insider trading or data leaks, many are using them because clients or business partners prefer them.

Also, Weitzman pointed to non-encrypted services — video in particular — that pose significant challenges. “Analyzing video footage is a complex process that requires deep tech, and storing all those audio files is a logistics nightmare that cannot be achieved without exorbitant expense,” he said.

Ultimately, “once the SEC dives into the context of the actual conversations happening via electronic messaging platforms, it will be relevant to the broader enterprise because then we’ll actually get a glimpse of the nefarious behavior,” he said.

Managing BYOE

When it comes to preventing data exposure, the biggest challenge is enterprise control, said Patrick Hevesi, VP and analyst with Gartner. 

Organizations can only fully control virtual collaboration tools on managed devices and with enterprise versions of messaging apps. On a managed device, IT can implement methods to block sensitive data from being sent to unauthorized users, monitor communications and ensure secure application usage, he said. 

But, with more and more companies allowing BYOE (bring your own everything) — along with the lack of enterprise controls in many of the messaging apps — this becomes very difficult. IT can’t stop employees from using personal devices and downloading and using whatever messaging app they choose. 

Also, if a messaging app enables customer communication — and there is no enterprise version available — enterprises could lose money by not using it, Hevesi pointed out. 

The more popular tools — especially those with enterprise versions — have added more security and enterprise features for control. Also, some messaging apps were built from the beginning with end-to-end encryption, making them secure by default. 

As Hevesi noted, “it’s less about the company’s usage and more about the employees using the apps to get their jobs done.”

Proactive surveillance

In response to all this, the global messaging security market is experiencing significant growth. According to Mordor Intelligence, the segment will be valued at roughly $15 billion by 2026, up from just over $4 billion in 2020. This represents a compound annual growth rate (CAGR) of 24.5%. 

Hevesi called it a “very difficult use case to fully lock down,” but advised that enterprises provide a secure and managed alternative to personal messaging apps and require employees to use the enterprise-sanctioned apps. 

This will enable IT to use tools like Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), enterprise authentication, Mobile Threat Defense (MTD), Data Loss Prevention (DLP) and other tools to protect user and corporate data, he pointed out. 

Simplifying and standardizing electronic communication channels is also critical to productivity and security, said Weitzman. Those that are no longer needed should be eliminated to avoid application sprawl. And, tools that function across borders need to be compliant with each country’s protocols. 

Deep-tech monitoring

Businesses then must also strategize monitoring and archiving solutions that ensure data privacy while also mitigating risk, Weitzman said. 

The once-siloed approach simply no longer cuts it, he said. The sheer number of electronic communications channels is “driving a dire need” for workplace intelligence and monitoring tools that proactively surveil all communication channels and alert on all company conversations, reducing regulatory, reputational and information risk.

Monitoring systems that rely on artificial intelligence (AI), machine learning (ML) and natural language processing (NLP) can efficiently record and archive employee communication, regardless of encryption, he said (even though these don’t always have the capability to process video communication). 

Across the board, said Weitzman, “organizations should seek out deep-tech solutions that can tailor to their specific needs when it comes to archiving, transcription, ediscovery and more.” 

Originally appeared on: TheSpuzz