As collaboration tools become more and more fundamental to team collaboration, and by extension, company success, alongside their benefits, cloud solutions for file storage and document or project management can cause many problems for IT departments.
Smaller businesses rarely invest in high-cost collaboration tools, opting instead for cheaper — or, better still, free — utilities. For better or worse, they have plenty of choices. However, failure to consider the security implications of using such tools can end up costing SMBs far more than they budgeted for.
In this article, we share some tips and best practices for making sure that your users can work as productively – and as securely – as possible.
Document collaboration tools
Many services allow small teams to edit documents simultaneously. They’re not just text tools, though; using them, team members can jointly develop graphical interfaces, diagrams, source code, and much more as well. It is handy, after all. However, before using such a service, it is worth understanding exactly how it works: how it stores your information, who has access to it, what security settings are available. Leaving work files publicly accessible is always a bad idea. Even if you are not concerned about information leakage, an intruder could gain access and make their own changes to your project documentation.
Google Docs or Microsoft Teams, OneDrive or Sharepoint provide the most vivid examples. People often share documents through those platforms, using a direct link without any restrictions. That means search engines can index them, and therefore pretty much anyone can see them. Complete strangers have found all sorts of confidential information in those docs: employees’ personal data, lists of customers including contact details, and even payroll records.
What to do: Use only services in which you can hide documents from prying eyes, or that at least give a clear explanation of how documents are stored. Do not forget to configure access rights — the ability to do so is a vital consideration. So, if you use Google Docs for work purposes, restrict access, granting it only to people you share documents with, and do not forget to revoke it if they no longer need it.
Cloud file storage
Another type of service that you should treat with caution is cloud file storage. Need to transfer a large amount of information? No problem — just upload it to the cloud and send the recipient a link. That neatly avoids any e-mail size limits. But many file-sharing services have no protection at all; and, again, files can pop up in the search results of random strangers.
Even if a service has protection, you need to turn security settings up to the max. People often sign up, upload data to the cloud, and forget about it. But passwords can leak. One hackers even stole passwords from Dropbox, not to mention smaller services.
What to do: Choose a reliable file-sharing service that supports two-factor authentication. Once you put data in the cloud, do not forget about it, and if you’re no longer using a file for work, delete it. Settle on one service for sharing files; using more than one invites confusion.
Overall, these platforms allow workflow participants to communicate, share files, and systematize projects. If you use one to discuss business strategies or transfer files, it is important to know not only who can see them today, but also who might be able to later. Some cloud platforms make everything visible to everyone by default. Users can hide items, but odds are they won’t remember to 100% of the time; the default usually stands. What’s more, if someone gets access to a project, it is likely they will gain access to the entire project history, which is not always desirable.
Companies often grant access to such environments to contractors or freelancers, who may be working for you today and for a competitor tomorrow. Not to mention dismissed employees, who might have time to download an archive before you revoke their permissions.
What to do: Regulate project access rights, restricting those rights to work-related files only, for all parties. Use separate communication environments for employees and external people (contractors, customers). And do not forget to revoke access for former employees and freelancers promptly.
Remember that all services may have vulnerabilities (which might be undiscovered when you start working with them). In addition, many services have client apps with their own problems. Therefore, we recommend that you stick to the following principles:
- Before you start working with a service, carefully study its settings and data processing rules, as well as read how people have reviewed it in the context of security.
- Your dedicated IT expert or team, if you have one, must clearly understand what services you use, how they are configured, and who is handling their administration.
- If you have no dedicated specialist, appoint a responsible party for each service to ensure that the client app is updated promptly any time a vulnerability is found, that passwords are changed in the event of a leak, and that access rights are issued and revoked as and when required.
- Any service used to share a link or file can potentially be a malware distribution channel. Therefore, every device on which these tools are used needs a reliable security solution.
What’s the solution?
With Kaspersky Security for Microsoft Office 365, your company can protect Exchange Online, OneDrive files, SharePoint files, and Teams files against malware, phishing, spam, and other threats.
Click here to view the full datasheet, or watch the short video below.
Want to find out more?
As Kaspersky Gold Partners, Complete IT Systems can offer you expert advice on the solutions and how they could be effectively deployed in your business.
To find out more please call us on 01274 396 213 or use our contact form and we’ll arrange a good time to call you back.