Don’t Let Collaboration Tools Become a Red Carpet for Black-Hat Hackers

Author: Veronica Rose, CISA, CDPSE
Date Published: 18 March 2022

In 2020, I was a panelist at a virtual conference, and boom – the platform we were using was hijacked and went on to show unsolicited and inappropriate content. I had to exit the call as soon as I could.

2020 was a unique year and most of us couldn’t wait to call an end to it for many reasons, including the rise in cyberattacks, some of which targeted collaboration tools, as in the example above. Attacks on specific collaboration tools (Slack, Microsoft Teams, Zoom, Google Hangouts, Fuze, Lifesize video conferencing, Skype, etc.) that trended back then included ugly incidents of cyber-hate, socio-political friction, digital racism and the like. Media accounts mostly covered the hijacking of online classes, meetings and conferences, alongside the sharp overall increase in usage of these tools.

Among the tools above, Microsoft Teams and Zoom were the only two collaboration apps to make the list of the top 50 apps mentioned on social media during the pandemic in France. And according to a survey conducted by the CIO Association of India with more than 235 respondents, 88 percent of companies used Microsoft Teams, while 76 percent of users were on Zoom. The report also showed that Microsoft Teams was downloaded most in the United States.

Even though 88 percent of Microsoft Teams users in the Microsoft Total Economic Impact study said that having all their work applications in one place saves time, black-hat hackers are turning that same concentration into a nightmare: one compromised account or channel exposes everything that flows through it. The auditor in me starts to ask questions:

  • Do vendors have access to information shared both verbally and in chats?
  • Do collaboration tool contracts include non-disclosure agreements? (Confidentiality)
  • What do the contracts say about privacy compliance? Are privacy-enhancing tools embedded in the collaboration tools? (Compliance)
  • Are all collaboration tools cloud-secure?
  • Are collaboration tools privacy-ready? (Privacy by design)
  • Who should we hold responsible anyway, the vendor or the user? (Responsibility and accountability)

Oftentimes, we look at service providers as if they perform magic. However, they are also organizations with employees like anyone else’s, and those employees’ accounts can be compromised by hackers. As the companies doing the outsourcing, we tend to assume that our own employees know the trends in the cybersecurity landscape, while most of them rely on internal security awareness programs, some of which are not robust.

In this regard, we can consider the following:

  • Caution should be taken seriously before assuming that security and privacy are fully guaranteed by the service provider when it comes to data security and data privacy. Both the vendor and the outsourcing company need to make a joint effort.
  • Users should be on alert, since black-hat hackers can easily slip malicious .exe executable files into conversations on any of the collaboration apps, and a file shared in a trusted channel is opened with far less suspicion than an email attachment.
  • Cybersecurity teams should train users to be more conscious and to double-check messages arriving through collaboration apps like Teams instead of assuming they know who the sender is, in the same way users have been trained to spot a phishing email at a glance.
  • Information systems auditors should include collaboration tools in scope when testing controls during their audit engagements, or add collaboration tool reviews to their audit plans.
  • Vendors should review their security policies, privacy notices and business continuity policies to ensure that they are addressing new risks with new controls.
  • GRC professionals conducting a risk-based audit should be keen on testing controls around new technologies, communication channels and remote work platforms.
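The warning about executables slipped into chat conversations is a check a defender can automate rather than leave to user vigilance alone. The following Python is an added example, not code from the original article or from any collaboration vendor: it inspects a file shared through a collaboration tool by its content signature as well as its extension, catches the common "document.pdf.exe" double-extension trick, and looks one level into ZIP archives, since executables are often shared zipped. The signature list, the extension list and the sample files are constructed for illustration and are assumptions to adapt to your own environment.

```python
import io
import os
import zipfile

# Leading-byte signatures that identify executable content regardless of the
# filename. Assumption: an illustrative set; extend it for the formats you care about.
SIGNATURES = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit executable",
    b"#!": "script with interpreter shebang",
}

# Extensions Windows or a shell will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".ps1", ".js", ".jse", ".vbs", ".wsf", ".msi", ".hta",
}


def detect_signature(data: bytes):
    """Return the executable format matching the file's leading bytes, or None."""
    for magic, label in SIGNATURES.items():
        if data.startswith(magic):
            return label
    return None


def inspect_attachment(name: str, data: bytes) -> dict:
    """Classify one shared file by name and content.

    verdict is "block" when the file is executable by content or by extension,
    or when it is a ZIP archive containing such a member; otherwise "allow".
    """
    reasons = []
    base = os.path.basename(name).lower()
    stem, ext = os.path.splitext(base)

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # A double extension such as invoice.pdf.exe is dressed up as a document.
        inner_ext = os.path.splitext(stem)[1]
        if inner_ext:
            reasons.append(f"double extension {inner_ext}{ext}")

    fmt = detect_signature(data)
    if fmt is not None:
        reasons.append(f"content is {fmt}")
        if ext not in EXECUTABLE_EXTENSIONS:
            reasons.append("extension does not match executable content")

    # Look one level inside ZIP archives, because .exe files often travel zipped.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member_ext = os.path.splitext(info.filename.lower())[1]
                    head = zf.read(info.filename)[:16]
                    if member_ext in EXECUTABLE_EXTENSIONS or detect_signature(head):
                        reasons.append(f"archive member {info.filename} is executable")
        except zipfile.BadZipFile:
            reasons.append("claims to be a ZIP archive but cannot be parsed")

    return {"name": name, "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_samples() -> dict:
    """Constructed sample attachments (not real files from any incident)."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60  # fake DOS/PE header, enough for the check
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("readme.txt", "see attached")
        zf.writestr("update.exe", pe_stub)
    return {
        "quarterly_report.pdf": b"%PDF-1.4\n% constructed document body\n",
        "setup.exe": pe_stub,
        "invoice.pdf.exe": pe_stub,   # double extension
        "statement.pdf": pe_stub,     # executable hiding behind a document name
        "docs.zip": archive.getvalue(),
    }


def triage(files: dict) -> dict:
    """Map each filename to its verdict, the shape a channel-scanning hook would emit."""
    return {name: inspect_attachment(name, data)["verdict"] for name, data in files.items()}


if __name__ == "__main__":
    for name, data in build_samples().items():
        print(inspect_attachment(name, data))
```

The point of checking content and name separately is that each catches what the other misses: a renamed executable defeats an extension filter, while a harmless text file with a scary extension is still worth blocking because the client will hand it to the operating system to run. Wire `inspect_attachment` into whatever hook your platform offers for shared files (a data-loss-prevention policy, a bot that reads channel uploads, or a proxy in front of the file store), and treat "block" as a reason to quarantine and notify, not merely to log.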

While enterprise collaboration tools bring convenience to the evolving work landscape, convenience needs principles, too.