Hackers in Your Workspace: The Risks of Collaboration Tools and How to Mitigate Them
Hackers have a new favorite target: your work chat.
Collaboration tools – we all use them. Slack, Microsoft Teams, Asana, Trello, and others have exploded in popularity since the pandemic. Teams, for instance, experienced a 93% increase in adoption between April and September 2020 alone!
This surge in popularity shouldn’t come as a surprise. Collaboration tools make work a heck of a lot easier thanks to their simple organization and communication features. For many office workers, opening their organization’s preferred collaboration platform is how the day begins. These tools are how we share files, solve problems in real time, and get to know each other. They are, in a very literal sense, like a second office.
But with this ease of use, this sense of familiarity, comes vulnerability. Consider your online chats with coworkers. Conversations happen fast, with messages bouncing back and forth all day. In this way, online chats mimic actual, face-to-face conversations. But there is one crucial difference: chat groups aren’t as secure as face-to-face conversations in a physical office. What’s more, sharing sensitive information in these chats can pose significant security risks.
So, how do we keep our chats safe? Let’s talk about how to keep bad actors out of our chats, out of our businesses, and out of our lives.
Chatty Mistakes
Employees should feel comfortable in their work environment, and that includes their collaboration tools. But what happens when someone asks for sensitive information?
According to The Veritas Hidden Threat of Business Collaboration report, 71% of remote office workers globally admitted to sharing sensitive, business-critical data through collaborative tools.
Is this really so surprising? If your boss pings you over Teams asking for information, you’d likely respond without hesitation – the statistics support it, as does human nature. We’re social creatures, wired to acknowledge authority, to not be ‘difficult’ without good reason. Besides, it’s your boss asking – or, you know, a crafty hacker who has gained access to your boss’s login information (remember, social engineering can be incredibly hard to spot, which is what makes it so effective).
Our advice: before you reply to any request for sensitive information, ask yourself:
- Am I certain about the identity of the sender? (Is this really my boss?)
- Do I have access to a more secure channel of communication?
- Which details requested do I need to share?
- Are there signs that this is a phishing attempt?
- Would sharing this information violate company policy?
If you doubt the authenticity of the message or the sender, have access to a more secure channel, or believe sharing to be in violation of company policy, politely explain why you don’t feel comfortable sharing the information in question, and find another way (e.g., a more secure channel). This will likely not come naturally, which is why security training is one of the most – if not the most – powerful security tools.
Let’s look at another risk inherent in collaboration tools.
All You Can Hack – A Bad Actor Buffet
Collaboration tools provide more than just chatrooms; they offer file sharing, storage, and perhaps most significantly, integration with other applications. These widespread features lead to a massive increase in your attack surface – essentially, all the potential ways a hacker can access your organization.
Because collaboration tools have their fingers in all the virtual pies, they offer tremendous utility. Unfortunately, this convenience often comes at the expense of security. Without proper security measures – like multi-factor authentication (MFA) – even a tiny slip-up can lead to a catastrophic data breach. Worse still, hackers don’t always need a compromised account to begin their phishing schemes.
Tools like TeamsPhisher, which lets attackers send messages to Teams users from outside the target organization, make phishing through Teams easy. Companies that permit communication with external Teams users are at risk of falling victim to these campaigns.
Hacker groups like Midnight Blizzard often send fake messages through Teams, posing as IT workers and requesting MFA confirmation. This tactic leads to credential leaks and eventually, data breaches. It’s a nasty form of social engineering that targets employees directly within their own tools.
With the deck seemingly stacked against us, how can we hope to stay safe?
Check, Check, and Check Again!
We wish we had a perfect answer – a silver bullet – to stop these attacks. But the truth is, it would be virtually impossible to eliminate every single risk associated with collaboration tools. If you’ve read any of our other blog posts, you can probably guess that protecting collaboration software involves many of the same practices as other areas of cybersecurity: multi-factor authentication, vetting your SaaS software, and keeping on top of password hygiene. But how can you, the user, protect yourself from this army of advanced hackers?
The key is awareness.
According to Mimecast’s Collaboration Security Survey, 1 in 5 employees respond to private messages containing links or attachments on business collaboration tools without first verifying their validity. This lack of review can lead to clicking malicious links or downloading harmful attachments. This isn’t necessarily a sign of negligence but rather a lack of awareness – once more, we point back to the importance of security training.
Let’s run through a hypothetical scenario:
You’ve just received a Teams message from what looks like IT support. The chat pops up:
“Microsoft Identity Protection (External) wants to chat with you!” with options to Block and Accept below.
Note that this message is marked as external – remember messages sent through hacker tools like TeamsPhisher will originate from outside of your organization. It’s unlikely that your internal IT team would contact you through an external source.
But let’s say you have an external IT company (or you trust the sender), and you click Accept. The following message appears in Teams:
“We detected a recent change applied to your preferred Multi-Factor Authentication (MFA) methods. For your security and to ensure only you have access to your account, we will ask you to verify your identity by clicking this link…”
Seems legit, right? But before you click, take a moment to think it through. The link could easily lead to a malicious site. As we noted earlier, 1 in 5 employees will click a link or attachment without verification. So, before clicking, reach out directly to your IT team through a secure and reliable method, like a phone call.
A quick check-in with the sender can confirm whether the message is legitimate.
If the message requests sensitive information like a password, the same rule applies: contact the sender directly to verify their identity. Remember, stop and think before you act.
Even if the request ends up legitimate, avoid typing sensitive information into your chat. Teams, Slack, Asana, Trello, and other collaboration platforms weren’t designed to be places for your passwords or sensitive information. Instead, use secure methods, such as phone calls or encrypted emails. By keeping such details out of work chats, you reduce the risk of them being exposed in a potential data breach.
Remember, any chat requesting sensitive information or providing a link has the potential to be malicious. To take a page out of the zero trust security handbook: never trust, always verify!
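The warning signs walked through above (an external sender, a link or attachment, a prompt to “verify” MFA or identity, a request for a password) can be turned into a simple triage check. The following is an added example written for this post, not code from The 20 MSP or from any collaboration platform; the message record format, field names and the three sample messages are constructed assumptions, and real Teams or Slack exports use their own schemas. It scores each message and suggests the out-of-band verification step the article recommends.

```python
"""Triage helper for collaboration-tool messages (added example).

Scores constructed chat-message records against the warning signs
listed in the article: external sender, link or attachment, an
MFA/identity "verify" lure, and a request for a secret. The record
format and sample messages below are assumptions for this demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the article's scenario plus two benign messages.
SAMPLE_MESSAGES = [
    {
        "sender": "Microsoft Identity Protection",
        "sender_domain": "example-external.invalid",  # placeholder domain
        "external": True,  # the "(External)" marker Teams shows on the chat
        "text": ("We detected a recent change applied to your preferred "
                 "Multi-Factor Authentication (MFA) methods. For your security "
                 "and to ensure only you have access to your account, we will "
                 "ask you to verify your identity by clicking this link "
                 "https://example.invalid/verify"),
        "attachments": [],
    },
    {
        "sender": "Dana (IT)",
        "sender_domain": "corp.example",
        "external": False,
        "text": "Reminder: patch window is Thursday 7pm, no action needed.",
        "attachments": [],
    },
    {
        "sender": "Boss",
        "sender_domain": "corp.example",
        "external": False,
        "text": "Can you send me the VPN password real quick?",
        "attachments": [],
    },
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Phrases that pressure the reader to "verify" MFA or identity via the chat.
VERIFY_RE = re.compile(
    r"\b(verify|confirm)\b.*\b(identity|mfa|multi-factor|account)\b",
    re.IGNORECASE | re.DOTALL,
)
# Requests for secrets that should never travel through a chat tool.
SECRET_RE = re.compile(
    r"\b(password|passcode|otp|one-time code|verification code|credit card)\b",
    re.IGNORECASE,
)


@dataclass
class Triage:
    sender: str
    flags: list = field(default_factory=list)

    @property
    def action(self) -> str:
        """Recommended next step, following the article's 'never trust, always verify'."""
        if not self.flags:
            return "no action"
        if "external" in self.flags and ("link" in self.flags or "attachment" in self.flags):
            return "do not click; confirm with IT over a known channel"
        if "asks-for-secret" in self.flags:
            return "do not answer in chat; call the sender and use a secure channel"
        return "verify sender before acting"


def triage_message(msg: dict) -> Triage:
    """Collect the warning signs present in one message record."""
    t = Triage(sender=msg["sender"])
    if msg.get("external"):
        t.flags.append("external")
    if URL_RE.search(msg["text"]):
        t.flags.append("link")
    if msg.get("attachments"):
        t.flags.append("attachment")
    if VERIFY_RE.search(msg["text"]):
        t.flags.append("mfa-verify-lure")
    if SECRET_RE.search(msg["text"]):
        t.flags.append("asks-for-secret")
    return t


def triage_all(messages):
    return [triage_message(m) for m in messages]


if __name__ == "__main__":
    for t in triage_all(SAMPLE_MESSAGES):
        print(f"{t.sender!r}: flags={t.flags} -> {t.action}")
```

The check deliberately treats an external sender combined with a link as the strongest signal, because that is exactly the shape of the scenario above; the legitimate-looking request from “Boss” for a password is not external and has no link, yet still gets routed out of the chat, matching the advice that credentials never belong in a collaboration tool regardless of who is asking.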
Message Responsibly
As the old adage goes: “loose lips sink ships.” Be mindful about what you share in your group chats and collaboration tools – more cat pictures, fewer passwords, please! These tools aren’t going away, and as more collaboration tools become integrated, the risk of slip-ups increases. The most important takeaway is to stay alert, stay aware, and take a moment before clicking on anything in your chats.
We understand that this stuff can be intimidating. If you’re looking for some guidance, consider reaching out to The 20 MSP. We have tons of experience helping small and mid-sized companies get the protection they need, and we promise to explain things in simple language so you and your team have clarity and confidence going forward. Let’s get collaborating – safely!