
Security Think Tank: Proceed with caution using IP-based collaboration tools

How can businesses of all sizes ensure that employees are able to collaborate effectively without the risk of compromise to the company IT network or systems?

Staff collaboration often starts in the office kitchen, the coffee/tea area or by the water cooler. It is where people chat about the meaning of life (the number 42 figures in there somewhere) and their current projects. 

A big plus to this form of collaboration is that people from quite different areas of the company meet and talk, allowing synergies or connections to be made that otherwise might never happen and could lead to a unique product or product feature. The downside to this form of collaboration is that visitors might hear things they shouldn’t, but that is a feature of the water cooler, company kitchen or restaurant.

Collaboration goes well beyond personal interaction between staff in the office kitchen. Company meetings and events also play a role, as do email, teleconferencing, instant messaging and social media.

Each method has its pluses and minuses and its own risk profile when viewed in the light of company data and intellectual property. 

Company meetings and events are well controlled and pose a low risk. Nevertheless, when a meeting or event is held in an otherwise public place, such as a hotel or conference centre, there is a risk that third parties (generally unauthorised) might hear or pick up sensitive information.

Internal teleconferencing is low risk but the configuration of the conference bridge does need to ensure that unauthorised external access to the bridge is not possible.

Internal instant messaging, such as Microsoft’s Lync, is also relatively low risk, but it is often possible to configure connections to an external service, such as Microsoft’s public Skype service. 

While it might be felt that a company-owned teleconference bridge or instant messaging system would be expensive for a small to medium-sized enterprise (SME), these facilities can often be bought as a relatively low-cost addition (often just a licence fee) to some of the newer IP-based communications systems. It should be noted, however, that an internal instant messaging system can be expensive to implement and so might not be a good choice for the SME market.

Public social media services might look to be an attractive low-cost collaboration tool, but they are public services and even if a “private” chat room can be set up, its security cannot be guaranteed. Staff awareness training should discourage the use of social media for business matters, and misuse should be made a disciplinary matter.

There is a range of commercial, publicly available services of interest to SMEs and other cost-conscious companies. The cost of renting a commercial conferencing service for a few hours will be far cheaper than bringing staff together at one location, but again the facilities available (voice, video, ability to share presentations, archiving, for example) and the overall sensitivity of the meeting’s subject matter need to be fully understood.

A final few words on risk – the vast majority of conferencing and instant messaging systems, be they aimed at the SME market or large enterprises, are all IP based.

Therefore, great care needs to be taken in configuring the systems and the company’s network, including firewalls, routers and switches. It is also necessary to ensure that security patches for all the servers and devices on the company’s network are kept up to date.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
