
Collaboration technology – what are the unseen cyber risks?

Identifying underappreciated risks and mitigating likely harm


By Benjamin Di Marco | June 16, 2020

The use of video conference and collaboration services has become commonplace. Have you evaluated the cybersecurity and third-party risk that comes with them?

The COVID-19 pandemic created an explosion both in the use of video conferencing and collaboration (VCC) software and in the number of vendors providing it. VCC has become a critical tool, embraced rapidly by organisations promoting remote work and seeking to enhance staff communication.

Few organisations, however, have appreciated that VCC tools create significant cybersecurity exposure and third-party risk unless they are carefully managed. Even the most sophisticated organisations are struggling to develop policies and processes that effectively contain the cyber risks associated with VCC tools.

In this complex, developing area, which can affect every layer of an organisation, Willis Towers Watson is providing guidance to clients to help them identify critical VCC risks and design processes that mitigate potential harm.

The risk layers

Unlike some classes of risk, cyber risk is by its nature dynamic. Across organisations, risks can differ drastically depending on individual circumstances, so understanding the contextual drivers within a business is key to effectively mitigating cyber harm from VCC tools. Those drivers include the size of a company, its IT footprint, its industry, its staff culture and its regulatory environment.

While terms such as “Zoom-bombing” have become commonplace, the challenges associated with VCC tools are multi-faceted and cut across application security, user behaviour, location risk, data security, business needs, privacy obligations and vendor supply risk.

Focus on user behaviour


Examining VCC tools through the lens of user activity is a good way to identify key risks. This approach also highlights the underlying tension in VCC tools: each company must weigh the legitimate business reasons for using these services (e.g. ease of use, communication and data sharing) against the likely harms (for example to privacy, security and confidentiality). Understanding how the services are actually being used will also quickly surface inappropriate behaviours that must be restricted through policy and controls. Many organisations are beginning to develop dedicated VCC policy documents to address the harms VCC content can create across privacy, workplace health and safety, intellectual property and reputation.

One major concern for organisations developing a VCC policy is the ability to record meetings, using either the platform itself or separate software on an end device. Recordings may be made intentionally by attendees, or exposed inadvertently, as was seen recently when thousands of Zoom videos were left publicly viewable, containing personally identifiable information, corporate data and sensitive conversations.

To manage VCC recording, organisations should develop processes that help staff determine which meetings or events may be recorded, together with guidelines and warning statements that set expectations before the meeting takes place and before any recorded segment begins. Policy documents should also define who the appropriate participants are for recorded events, the storage and access requirements for recordings, and when recordings are to be deleted. These issues can also overlap with statutory responsibilities, particularly for telehealth organisations.

An attendee’s physical location may also need to be scrutinised for any sensitive VCC event that involves confidential personal and/or corporate information. A web camera provides only a limited view of each attendee’s surroundings, so unauthorised individuals may be present just outside the frame without the wider meeting group being aware of them. In some cases, before particularly sensitive topics are covered, organisations may require attendees to pan their camera around the room to demonstrate that the location is secure. Unmanaged user devices and untrusted home or public networks can also present points of risk.

Hidden data leakage

Another security difficulty arises when VCC users share files, work screens and confidential data. Sharing actions can readily result in unforeseen data leakage and undermine controls put in place across the wider organisation. Such leakage is, in effect, an unauthorised transmission or exfiltration of data and can directly trigger privacy, contractual and regulatory exposures.

VCC events and data sharing may also undermine key privacy compliance processes such as data classification protections and application-level controls. When a participant projects their screen or shares files, attendees see records and information through the presenter’s access rights, bypassing the identity controls and allow-listing that would otherwise lock that data down. This is a challenging risk to mitigate because no technical control on the viewer’s side can recover it; it requires both a policy and a staff training response to ensure poor VCC behaviours do not undermine the organisation’s wider data and privacy compliance programs.

Application layer security

Many high-profile reported problems with VCC tools have arisen from poor configuration. For example, where an organiser reuses the same meeting link or personal meeting ID, a single unintended disclosure permits unauthorised third parties to join every future event held under it. Malicious third parties are also able to discover upcoming and recurring meeting IDs by brute force, or to predict them where the ID space is small or structured.

Simple configuration steps significantly reduce the risk of unauthorised third-party access: a meeting lobby or waiting room, authenticated join, restrictions on who may present their screen, limited recording rights, notifications when attendees join, and mandatory passwords for designated VCC events. A lobby and a password together close the door that a leaked or guessed meeting ID opens, because knowing the ID alone no longer admits the intruder. Basic software hygiene and patch management are also important for VCC clients. Consumer VCC services that lack strong administrative features should be avoided where more secure enterprise offerings are available.

Vendor selection and management

The careful selection of a long-term VCC provider will also significantly reduce risk, particularly if good due diligence and ongoing vendor management follow. The location of a VCC vendor, and where data is stored, is an important consideration because it influences privacy obligations across collection, access requests, deletion and de-identification. IT procurement processes can examine these risks effectively; however, our experience suggests many companies have not yet subjected VCC providers to full vendor checks.

VCC provider terms and conditions can also create unique risks. Analysis should be undertaken into whether the agreement with a VCC provider will sufficiently allow an organisation to comply with its own privacy and contractual obligations. Releases and indemnities covering the use of, or inability to use, the service, and exclusions of consequential loss, will also have repercussions where a significant VCC incident occurs.

Cyber insurance and a holistic solution

As cyber incidents have become increasingly common, insurance is now a critical support to organisations responding to breach events and an important part of their overall cyber resilience.

Organisations that experience a significant cyber event arising from VCC tools can look to the cover within a comprehensive cyber insurance policy for incident response costs, investigations, third-party liabilities and business interruption losses. Willis Towers Watson’s manuscript cyber insurance solutions also contain enhancements addressing contractual risks, corporate data obligations, stakeholder harm and internet media liability that provide additional benefits targeted at reducing VCC cyber risks. The ability of cyber insurance to support underlying liquidity and reduce downtime is also a critical benefit in the current environment.

Insurance is, however, only one part of an effective strategy to reduce VCC risks. Our expectation is that organisations that develop a multi-disciplinary approach across technology, people, processes and awareness will obtain the best risk mitigation outcomes.

For more information, please contact Willis Towers Watson. If you have further queries on coverage or resilience options do not hesitate to reach out to:

Author

Cyber Specialist Australia and New Zealand - FINEX Australasia