Security Think Tank: Keep it simple and risk-based to secure collaboration

How can businesses of all sizes ensure that employees are able to collaborate effectively without the risk of compromise to the company IT network or systems?

Collaboration is the process of working with others to complete a task and to achieve shared goals or objectives. Alongside communication, it is one of the most important functions that a business needs to get right. Collaboration is an essential requirement for enabling businesses to survive and thrive in competitive and demanding environments.

Businesses of all sizes depend on their employees being able to collaborate, to communicate with one another and work together to get the job done and move the business forward.  

IT systems are rapidly replacing traditional means of employee interaction and collaboration. Why expend time and resources organising a meeting when video conferences allow participants to speak, work together and share ideas from thousands of miles apart, all with minimal effort and expenditure?

Shared working environments, including hosted services such as Dropbox or other cloud-based storage systems that provide a single environment where information can be stored and accessed from anywhere around the world, have changed the way many organisations work and allow employees to collaborate in ways that were simply not possible 10 years ago.  

Email has replaced the telephone as the preferred method of communication in many business environments, with some organisations implementing strict ‘email, not phone call’ policies, as they see phone calls as a less productive or efficient means of communication. 

So far, this all sounds pretty good, right? IT systems have made significant and positive advances in how businesses work and have created numerous cost savings in many functional areas. Employees are able to collaborate with one another and with external parties, such as customers, partners and suppliers, in a more effective and efficient manner. 

The savvy ones among you are probably thinking there is a “but” coming along here – and you’d be right.

Portable devices blur work-life lines

The average British worker spends 36 days a year answering work emails. London workers in particular receive close to 9,000 emails each year. As a result, work spills over into personal time.  

One recent survey revealed 80% of employers considered it perfectly acceptable to contact their employees outside of normal business hours. The fact that employees can access work-related material and be contacted on a portable device, including personal devices, anywhere and at any time, has blurred the line between what was once considered work-life and private-life.

This presents numerous risks to businesses, the first of which is a reduced level of visibility of what employees are doing. 

The advent of remote access gives employees the ability to work from home and to use their own devices, often with limited control, visibility or restriction. Equally, with the increase in bring your own device (BYOD), sensitive company information may be stored and processed on devices that are not configured or protected sufficiently to safeguard the information they hold, or that are simply not secured in the home environment to the same extent they would be if they remained in the workplace.

The reliance on hosting and cloud-based storage systems also presents significant risk to businesses. What assurance does an organisation have from the third party? Where is the information, which may be critical to the business, stored? How is it processed and is it fully compliant with legislative and regulatory requirements, such as data protection and privacy laws?

So how do we address the risks that these working practices and the evolution of technology have brought to employee and organisational collaboration? What measures can businesses employ to ensure collaboration is still possible and all of the benefits are still achieved, while also minimising the likelihood of a security incident or the loss or compromise of information and information systems?

Steps to reduce risks

The first step is to identify and understand the specific risks the business is subjected to as a result of utilising the methods and technologies discussed above.

These risks will be different for each organisation, and the assessment must be carried out with consideration to aligning risks to specific organisational or strategic business objectives. Think in terms of, “If that happens, how will it affect my business outputs or key business functions?”

Having identified risks, the process of analysing and then treating those risks should be carried out. The key to this process is proportionality. 

If the risk treatment becomes too expensive, in terms of time, resources or money, is it worth doing based on the risk? Equally, if the treatment makes doing the job, such as collaborating with a fellow employee, unwieldy and difficult, then the treatment has also failed. It may make the process safer in security terms, but it has also made it more difficult and less efficient in achieving operational business objectives. Security should enable, not inhibit, and should always take the user experience into consideration.

While risk treatment of a system or process will always be different, there are common themes which form the foundation of a well-managed, and ultimately secure, approach. 

Having identified both the risks and system objectives, hardware and software should be configured to meet the requirements of the business. That is to say, users are allowed access to what they need and can carry out the functions they need to do to fulfil their role effectively. Anything beyond that should be locked down, or at the very least controlled to some extent with technical controls or user permissions determined by role or appointment.

With a properly configured system architecture, people need to understand what they can and cannot do. This is managed effectively through the production of clearly understandable policies and procedures that will assist employees rather than bewilder them. Processes should be short and simple, not lengthy, verbose and overly convoluted tomes so often seen cluttering up bookshelves in offices.

While it would be nice to be able to implicitly trust everyone in the business and have 100% confidence they would use the systems as the business intends, this is sadly not always the case. 

Protective system monitoring is commonplace and provides an organisation with a degree of assurance that employees are not misusing a system in any way. It is also a means of detecting external attacks and of notifying the correct people about potential security incidents or breaches. 

Threat of third-party collaboration

All of the measures discussed above are primarily aimed internally at employees of the business. However, business increasingly relies on third parties and on outsourcing key functions and processes.

With this relationship comes a potentially reduced level of control or assurance. These third parties exist outside of the direct control and influence of the business itself, yet there is still a critical need for collaboration and for working together, and therefore a need to manage the risks associated with this practice.  

Again, the first step is to understand the specific risks using a third party brings. If the cost savings are minimal, but the risks high, then maybe it is more effective to carry out that specific function internally, where greater control can be applied. If, having assessed the risk, the business is happy to outsource a service or function to a third party provider, the key message is “don’t assume anything”. 

A contract or a service level agreement (SLA) is the minimum that should be in place and this should state the needs and expectations of the business and detail explicitly how information will be managed securely. Increasingly, such agreements also state the business is entitled to carry out periodic reviews and external audits of the third-party provider to ensure processes are carried out as they should be and as the business requires.

The last point, which applies in equal measure to both the business and to any third party or stakeholder with whom the business has a relationship, is education and the establishment of a strong security awareness culture.

Education and awareness are vital in developing a security culture where employees at all levels actively participate in the security of the business and any associated information systems. Without it, even the most robust security measures can be rendered useless and the most insignificant vulnerability exploited by an adversary.

A security-aware workforce will empower a business and enable it to achieve its objectives through strong collaboration, internally and externally, safe in the knowledge that information and IT systems are well protected through the application of proportional and sensible measures, all of which are underpinned by the people at the heart of the organisation.

The final point has nothing really to do with the security and integrity of IT systems, but with the human condition.

Technology, in many ways, has reduced human interaction. It is easier and quicker to send an email or a text message rather than speak to someone. I have known many instances where emails are sent between two adjacent desks in the same room rather than the two parties looking away from their monitors for a few moments to actually have a conversation. Even when we do speak, it is often through a microphone or a web-cam. The seminars we used to attend are now delivered across the world as webinars. 

I just have to wonder where all this is going to end. Yes, we are collaborating and, yes, we are using technology to get the job done and to be super-efficient, but in doing so are we losing the personal touch? Ultimately, what risk and what impact will this have on our business? I’ll leave that one with you.

Mike Gillespie is director of cyber research and security at The Security Institute.