Risk & Internal Communication in the Workplace
The recent vulnerability exposure of Slack, the American provider of a cloud-based team collaboration tool, has renewed scepticism about the safety of workplace communication platforms. Companies that assume internal networks like Slack, TeamViewer and Teams guarantee security are being caught out by attacks stemming from these platforms. This is especially true of smaller companies that assume immunity because of their size. At a time when seemingly no level of security is sufficient, Slack's bug proves that lax communication platform security is an undeniable risk.
Slack's recent vulnerability was found in May through HackerOne's bug-bounty program. David Wells, who originally found the vulnerability, discovered that Slack's Windows client could potentially allow hackers to intercept file downloads. Whilst swiftly resolved, the vulnerability highlights the risk of workplace communication programs, especially when left unmonitored. This hack is not a one-off occurrence for Slack: hacks in 2017, 2016 and 2015 saw passwords, chat transcripts and shared files exposed, and ramifications are still ongoing.
Phishing scams and consumer-grade internal communication platforms pose an even greater threat. Unlike subscription-based internal communication apps, these messaging tools are not created with data security front-of-mind and consequently do not guarantee enterprise-level security. When platforms like WhatsApp are used in a work environment, the risk of sensitive enterprise data being leaked is even greater. One misjudged click or security vulnerability has the potential to infect an entire network and cause a snowball of damage.
Whilst these communication platforms have inherent and unavoidable vulnerabilities, there are means to safeguard against them. Abandoning them is not the answer, as without such communication tools employees are left unconnected.
As an initial best practice, risk management should investigate the history of your company's chosen communication platform. Are data breaches a common occurrence? What current security measures are in place? Do these methods align with your company's security standards? These considerations include storage. Knowing where communication transcripts and additional data transmitted through the platform are being stored is vital. Is this information being stored on an external cloud server that is easily accessible to external threats? What protection methods are in place for external threats? Answers to each of these questions should be explored and continually reviewed.
Conversations on these platforms can also stray into personal matters. Watercooler gossip and lax consideration when sharing sensitive information on these platforms call for detailed policies and company-wide training.
Exploration of the above is a starting point for ensuring robust security surrounds your workplace. Continual monitoring for changes to the platform is a priority for the IT department. Only with this knowledge can a company have confidence in their chosen internal communication platform.
One final consideration should be email. Deloitte's email hack in 2017 and Microsoft's in 2019 prove that email vulnerabilities remain a risk, whether in the form of phishing scams, malware or spyware. Protecting emails remains a necessity, especially when considering the sensitive information they typically contain. Robust training on email best practice and sharing details of the scams currently circulating are a starting point for risk management.
These vulnerabilities have added a new diverse set of challenges for risk management. If anything can be drawn from these headlines it is that risk is diversifying. Technology is evolving the role of the risk team and broadening the scope of where risk vulnerabilities occur.