Key Privacy and Security Issues for Collaboration Platforms

Marc Gilman


June 24, 2021


Collaboration tools like Zoom, Cisco Webex and Microsoft Teams are solidifying their place as the foundation for remote work, with recent surveys showing that over 47% of organizations employ them as part of their communications infrastructure. Concurrently, the evolution of the office to a “work from anywhere” model is gaining ground, with 40% of organizations on pace to move to a fully mobile work environment. Of course, these new remote office dynamics and the collaboration technologies supporting them present unique risk management challenges for organizations of all types. 

Privacy and security issues related to the reliance on collaboration tools must be top of mind for risk teams. Understanding the scope and severity of collaboration risks will promote informed decision-making about deployments and considerations for leveraging supporting technologies to uplevel information security programs.

Collaboration tools bring together webcams, screen-shares, voice communication, file transfers and chat to allow for dynamic interactions between participants, replicating in-person meetings during the pandemic. While each of these features is critical to unlocking the value of collaboration tools and promoting engaged and meaningful communications, they also present idiosyncratic data leakage vectors.

Expanded Government Oversight

From a privacy perspective, California’s Consumer Privacy Act (soon to be the Privacy Rights Act), the EU’s GDPR and Canada’s PIPEDA, as well as sector-specific mandates in financial services and health care, require organizations to seek appropriate consents and protect the personally identifiable information (PII) they collect. While dynamic collaboration feature sets have supported a frictionless work setup during the pandemic, they also present significant privacy risks. For example, Social Security numbers, birthdates, email addresses, and account numbers could be nefariously exfiltrated during a screen share, shown on paper through a webcam, discussed in a chat, or shared in an Excel sheet via file transfer.

On the flip side, understanding where and when PII may have been legitimately shared is also important, as organizations receive requests to access, export, or delete information. From a data management perspective, the ability to comprehensively identify PII across the visual elements of collaboration conversations, as well as its appearance in audio, chats, and files, is critical. Tooling that centralizes collaboration conversations and allows for comprehensive search and retrieval, even across document text displayed over a webcam or PII flashed on screen in applications like Gusto or QuickBooks, is key.

Create a Strategy for Managing Workplace Risk

For risk professionals, considering these privacy issues and adopting supporting technologies to provide transparency into how PII is shared on collaboration platforms, as well as the ability to query and collect data, is critical. According to a recent Gartner survey, by 2022 over 50% of the world’s population will have their data protected by a GDPR-like regulation. Given the rapid evolution of the legal landscape, risk professionals must proactively plan to meet the oncoming deluge of obligations that will accompany new global privacy regulations. A sound, forward-looking privacy management strategy starts with the right supporting applications to manage collaboration application risk.

Risk professionals must also consider the security of collaboration tools. The proliferation of “Zoombombing” attacks, unauthorized meeting access and sharing of inappropriate or insecure data indicates a growing risk surface. The ability to apply security controls like encryption, meeting passwords and waiting rooms across collaboration platforms is crucial to mitigating these risks. Sophisticated technologies consolidate the management of collaboration security controls in unified administrative interfaces, allowing for centralized oversight by risk and cybersecurity teams.

Of course, a comprehensive risk strategy must encompass more traditional controls as well. First, risk assessments should be updated to account for the new risks introduced by remote work. Refreshing risk registers to reflect the adoption of collaboration platforms, remote access protocols, and potential information exposure will demonstrate the compensating controls you have developed to manage the modern business reality. Similarly, updating relevant policies and procedures to include guidance on using home networks, provisioning access to systems to remote employees, and the use of "bring your own device" (BYOD) is essential. Finally, reevaluating training programs and providing supplemental guidance, or replacing out-of-date details, will ensure that your workforce understands the real-world risk implications of the remote environment.

Overall, be proactive. A candid analysis of your organization’s potential vulnerabilities and areas for improvement across risk assessments, policies, training and technology will better prepare you for the emerging, persistent risk of a work-from-anywhere world.

Leverage Technology for Broader Insights

The physical environment of meeting participants is another threat vector. Webcams could facilitate the display of sensitive documents as well as inappropriate adult brand logos or offensive imagery in a home office. These display capabilities challenge traditional concepts of data loss prevention (DLP). Furthermore, the use of encrypted messaging applications like WhatsApp, Signal, Telegram, and Wickr to covertly share sensitive information is on the rise, so understanding if employees are discussing these platforms is critical.

Risk teams must incorporate modern DLP and security controls as part of their information security programs to align to the new threats posed by collaboration tools. The use of supplemental systems allows risk professionals to examine all aspects of collaboration interactions to protect their organizations. AI-enabled technologies can scan each part of a collaboration conversation to understand the context of conversations, identify risks, and allow review of potentially problematic communications, pinpointing where risks occurred to allow for efficient and effective oversight. With privacy regulators focusing in on the unique feature sets of videoconferencing platforms, risk practitioners must take note and protect their organizations accordingly.

Collaboration tools have facilitated seamless business continuity and growth during the pandemic, and usage rates show no signs of slowing. However, the novel privacy and security concerns related to collaboration tools require risk management professionals to ensure that they are used safely. Learning about the features of collaboration systems, understanding the role that supporting privacy and security tools can play to help manage risk, and engaging early and often with stakeholders at your organization to develop and deploy a control framework are essential. Coordinated, interdepartmental risk efforts will lay the foundation for the successful and secure use of collaboration tools now and clear a path for their continued prosperity in a work-from-anywhere future.

Marc Gilman is a technology attorney, compliance executive, and adjunct professor of compliance at Fordham Law bringing 15 years of law, financial services, and IT experience to his leadership role at Theta Lake. Marc’s legal expertise focuses on global technology-related legal and regulatory issues, such as information management, software and product development, cybersecurity, SEC and FINRA regulation, GDPR, and electronic communications platforms. Marc is a certified information privacy professional with both the CIPP/E and CIPP/US credentials.