Countering the dangers of internal communication: what can companies do?

In this interview for Help Net Security, Theta Lake CEO Devin Redmond discusses the risks of internal communications and what organizations can do to protect themselves.

The pandemic has severely altered internal communications within organizations, which combined with the Great Resignation has resulted in a higher risk of insider threats. Which sectors are most affected and what makes them more vulnerable?

In terms of insider threats, the most vulnerable sectors include the broader financial services (banking, wealth, insurance, etc.), healthcare, government, and technology/manufacturing sectors. Essentially, any sector handling sensitive information ranging from regulated personal data such as PII, PCI and PHI to material non-public information (MNPI), trade secrets and security-sensitive data such as passwords is at high risk.

With the ease of communicating, sharing and even creating this material in modern communication tools, it is even easier for people to accidentally or intentionally share the very information that can cause risk and harm. Think of the customer list shared in a Slack or Teams chat channel as a file or link, or the design document shared via screen sharing in a Zoom or Webex meeting, or the credit card or password shared in a chat entered or recorded in a call.

Then think how easy it is for the wrong person to download or screen that information, keep a record they perhaps shouldn’t, inadvertently disclose it, or use it inappropriately. Then you realize that yesterday’s security and compliance guardrails that most organizations rely on today are primarily email, traffic traversing a network or going to cloud applications or devices, versus direct integration with Zoom, Webex, Slack, RingCentral, Microsoft Teams and more to address the human interaction element of risk in the information sharing and communication behaviors that occur within communications in integrated video, voice and chat tools every day.

To what extent does communication specifically pose a threat to an organization?

In relation to the above, the communication tools themselves are typically secure, simply pose no threat, and are primarily responsible for better collaboration and cost-saving efficiencies. It’s the human element that brings real risk, where the increasing use of chat, voice and video collaboration technologies means people can make mistakes or misbehave. It shows that organizations are not prepared with complementary policies, procedures and guardrail technology for the variety of behavioral and information security risks that human users pose in communication within collaboration tools.

The disconnect between tools designed for email, network, cloud or device security and the reality of where communication and information is shared today has created a new, growing risk surface.

What tactics do organizations need to learn to reduce the risk of communications-related data leaks?

To reduce risk in the new digital workplace, companies must first establish well-documented policies and training on the do’s and don’ts in these new communication tools. This should be accompanied by regular policy reviews and spot checks along with actual policy enforcement. Then companies must move on to implementing purpose-built technologies that enable them to identify risk and take action against that risk in communication within their new communication tools. These security tools should be audited and certified by communication platforms such as Cisco, Microsoft, RingCentral, Slack, and Zoom.

By adapting security and compliance practices and using enabling technologies that communication tools vendors trust and are certified, customers can put in place the guard rails to best protect their employees, customers and data from misuse and abuse. As information is increasingly shared and our interactions in the workplace take place within and while collaborating, streamlining and ensuring compliance and security standards is a necessity.

What can companies do to raise employee awareness?

To increase employee awareness, clear policies and actual training on proper procedures should be posted, while at the same time implementing security and compliance technologies specifically designed for integrated voice, video, messaging, and chat tools. Just as technology is used by organizations for email security, network security, cloud application security, and endpoint security, there are technologies that help manage surveillance, automate risk detection, and empower people within chat, voice, and video communications to coach during monitoring and training Enforcement that users leave the right security settings enabled on the platforms themselves… The latter is a common place where users unintentionally disable the very powerful security features that companies like Zoom deploy in their products.

Second, technology can and should be transparent and make employees aware that it is being monitored to ensure a safe digital workplace. It should be viewed as a visible crash barrier, warning light and safety system that activates when needed based on risk. For example, the technology can remove a file or a link to a file containing customer information in a chat and replace it with a message indicating that the file has been blocked due to the need to protect that sensitive data. As another example, the technology can notify employees that a video conference is being recorded for compliance purposes, and users can be notified of risky actions in the meeting that they should avoid. In these scenarios, security and compliance teams would only be notified of risks versus irrelevant, time-consuming non-risks.

Finally, when compliance and security teams forensically review meetings, chats, and conversations that created risk, technology can be used to address the risk and alert employees. These types of visible crash barriers and warning lights can dramatically reduce the most common risks and make it easier to focus on the more difficult ones by reducing signal noise.

How can companies prevent the threat of disgruntled or resigning employees?

Aside from doing your best to treat employees fairly and creating basic disincentives for upset, the best approach to dealing with disgruntled employees outside the EU is to publicize the rules and implications of violations while also making it known that there is an advanced technology that can and will detect these violations.

By clearly establishing all policies for communication, the sharing of information, and the retention of information and communications, employers can mitigate the risk surface from the start. Here, compliance and security tools enable risk detection and pinpoint precise moments or instances of compliance issues in every collaboration interaction and conversation, whether it’s video, voice, chat, or the files shared within them. These rules and implications can be outlined and incorporated into the original employment contracts and the typical privacy and conduct rules that employees sign up for as part of their onboarding.
