Common Security Mistakes in Collaboration Tools

Things to consider as you protect your enterprise


These six mistakes are glaring security holes that could be costly to your business.


It's no wonder that collaboration tools like Slack and Hipchat have become widely used across organizations today - they reduce reliance on email, increase conversations between teams, and provide an easy way to share information with colleagues.

But unfortunately, there are many gaps where security settings can fail, and corporate IT is beginning to take notice.

If your company cares about security - and every company should - ensure your collaboration tool doesn't fall prey to these six mistakes:

1. Web browsers

Most collaboration tools these days are deployed through the web browser, and sadly there are countless vulnerabilities in this approach that can threaten your security. From malware, to cookies, to a Man-in-the-Middle attack: when you install a browser plugin, it's like a Trojan horse - you don't know what's inside it.

Even if your own online activity is done with security in mind, if just one team member is slacking on their privacy settings, the entire organization’s data is compromised.

The only way to protect your organization from this is to make sure your collaboration tool can be fully downloaded to a device instead of existing on the web.

Don't slack on privacy.

Semaphor is our fully encrypted solution in the collaboration market, a full application that communicates solely and directly with our servers. No extensions, no plugins or unknown browser cookies, no unknown source code can compromise that privacy. If you’re curious what’s going on in our application, go review the source code yourself. (Ask Slack if you can review their source code.)

2. Passwords

Despite many websites’ requirements for long, multi-character passwords, there are countless ways in which passwords can be compromised that have little to do with their complexity or length. Through phishing scams, spam and simple guesswork, passwords are an increasingly popular entry point for cyber criminals.

Not to mention – any company that can reset your password has the key to read all of your data. Yes, that means what is sitting on Slack and Hipchat servers. It’s a goldmine of e-discovery that most companies don’t realize could cost them their business.

(Look no farther than Gawker’s story: How Hulk Hogan Taught me to Never Use Slack Again.)

Businesses should ensure their applications use a recovery-key concept for lost devices instead of the more common and less secure password challenge model.

3. Email Digests

Many applications send you email digests at the end of each day as a way to recap the day’s conversations in the collaboration tool or to get teammates up to speed on company highlights.

The problem? Transport, delivery and storage of email is far from secure today – all you need to do is look at the news for the latest email scandal (e.g. the DNC or Sony hacks). The digests may be helpful for some, but any sort of digest should be featured within the application to maximize security.

There is certainly value in having a quick way to get back up to speed, and we plan to build a “While you were away” feature in Semaphor that gives users the same benefit without compromising the privacy of your conversations.

4. Integrations

Integrations are useful, highly desired, and even fun. They allow content from external data sources to enrich your team’s conversations. Most integrations today are hosted by the collaboration tool vendor, which means any data that passes through an integration can be read by the vendor.

While this is harmless for integrations that ingest public content on the web, like a Twitter feed, it would have severe security consequences if that data source is private and/or requires authentication to be read online.

We are supporting Bots before integrations, but the truth is we might not ever support hosted integrations like Slack does. Slack impressively boasts both a marketplace and an investment fund to get more integrations built for Slack. Nearly every integration people use is hosted by Slack, meaning every bit and byte that comes through an integration can be read by Slack. (But I guess if you’re already using Slack heavily, you’re already okay with their ability to read every bit and byte of your communications.)

NO KNOWLEDGE PRIVACY MEANS NO ONE BUT YOU CAN EVER ACCESS OR READ YOUR DATA.

Our No Knowledge commitment simply means we will not ever build something that allows anyone but YOU to read your data thus avoiding this sort of a “man-in-the-middle attack.”

Our first version of Bots will be open source and self-hosted on your own gear, so from our server’s perspective it’s just another user sending encrypted text into the system. We already have half a dozen bots running on our platform and are planning to release libraries with sample code here in the next few weeks.

5. Auto-Expanding Link Previews

When someone pastes a website link in most collaboration tools, the app by default will pull its metadata (like images, titles, source content, and icons) to include inline with the message thread. This is also true of fun features like Giphy.

Depending on its implementation, this automatic behavior can be very insecure: first, because it automatically downloads the content to your device, and second, because your device then sends internet traffic (and your IP address) back to that site, without your control or consent. There are countless sites online that many would not want their IP associated with, so this kind of activity should never be outside of user control.

While the auto-expanding link preview feature might make the timeline more visually interesting, because Semaphor respects your privacy, we just can’t offer this feature. We most certainly support clickable URLs, meaning you choose when you want to visit a site. But we believe the user should choose and have control over every aspect of their activity.
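As an added example that is not part of the original post and is not Semaphor's code, the following JavaScript shows the clickable-URL approach described above: pasted text is escaped and URLs become anchors, while no preview fetch is issued unless the user has explicitly opted in. The function names (renderMessage, escapeHtml) and the message text are constructed for the example.

```javascript
// Added example (hypothetical names, not SpiderOak/Semaphor code): render a chat
// message so that URLs are clickable but nothing is downloaded automatically.

const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape user-supplied text before it goes into HTML, so a pasted "<img src=...>"
// is shown as text rather than causing the client to load a remote resource.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the HTML to display plus the list of URLs the client may fetch
// metadata for. That list is empty unless the user turned previews on, so by
// default no image, title or icon is downloaded and no traffic reaches the site.
function renderMessage(text, { expandPreviews = false } = {}) {
  let html = "";
  let last = 0;
  const urls = [];
  for (const m of text.matchAll(URL_RE)) {
    const url = m[0];
    urls.push(url);
    html += escapeHtml(text.slice(last, m.index));
    // rel="noopener noreferrer": a click must not hand the target a window handle
    // or the referrer, and the request only happens when the user clicks.
    html += `<a href="${escapeHtml(url)}" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  html += escapeHtml(text.slice(last));
  const previewFetches = expandPreviews ? urls : [];
  return { html, previewFetches };
}
```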

6. Presence

The “presence” feature allows users to know if another user is on or offline. Unlike the above features, we are giving serious thought to adding this feature to Semaphor — it is quite handy.

That said, it will most certainly be implemented in a privacy-minded way. Does everyone on your team want everyone else on the team to know they are online? Should this summer’s intern know the CEO of your multinational company is “In a meeting?”

This level of transparency has benefits, but it needs to be controlled by users. Defaults should be set to Hidden, and only the user should be able to opt-in to such a feature.

CONCLUSION

When it comes to privacy, we have our guard up and have found that most businesses that want to collaborate online will appreciate it.

ENCRYPTION IS A BUSINESS IMPERATIVE.

We believe that privacy is the best security, and encryption is a business imperative. For over a decade we’ve been proving this model with our suite of privacy products to help protect enterprises and individuals.

Don't be slack on privacy. Let us know how we can help you and your company. Contact our enterprise sales team at sales@spideroak-inc.com.