Tackling the dangers of internal communications: What can companies do?

In this interview for Help Net Security, Devin Redmond, CEO at Theta Lake, talks about the risk of internal communications and what companies can do to keep themselves safe.

The pandemic has greatly changed internal communications within organizations which, paired with the Great Resignation, caused a higher risk for insider threats. Which sectors are the most targeted and what makes them more vulnerable?

When it comes to insider threats, the most vulnerable sectors include the broader financial services (banking, wealth, insurance, etc.), healthcare, government, and tech/manufacturing sectors. Essentially, any sector that handles sensitive information across regulated personal information like PII, PCI, and PHI, and through to Material Nonpublic Information (MNPI), trade secrets, security compromising data like passwords are at high risk.

With the ease of communication, sharing, and even creation of this material in modern communication tools, it is even easier for humans to overshare through accident or through intent the very information that can create risk and harm. Think of the customer list shared in a Slack or Teams chat channel as a file or a link, or the design doc shared via a screen share in a Zoom or Webex meeting, or the credit card or password typed in a chat or recorded in a phone call.

Then, think of how easy it is for the wrong person to download or screen capture that information, store a recording they perhaps shouldn’t, expose it inadvertently, or use it inappropriately. Then, recognize that the security and compliance guardrails of yesterday that most companies rely on today, which mostly looks at email, traffic traversing a network or going to cloud applications, or devices, versus directly integrating with Zoom, Webex, Slack, RingCentral, Microsoft Teams and more to address the human interaction element of risks in information sharing and communication conduct that is happening everyday inside of the communications in integrated video, voice, and chat tools.

How do communications specifically pose a threat to an organization?

Related to the above, the communication tools themselves are typically secure, simply do not pose a threat, and are primary to unlocking better collaboration and cost-saving efficiencies. It’s the human element that introduces real risk where the increasing use of chat, voice and video collaboration technology is where humans can make mistakes or behave badly. It exposes that organizations are unprepared with complementary policies, procedures, and guardrail technology for the variety of conduct and information security risks that human users create inside the communications within collaboration tools.

The mismatch in tools that are designed for email, network, cloud, or device security and the reality of where communication happens and where information is shared today is where a new, expanding risk surface area has emerged.

What are the tactics companies must learn to reduce the risk of communications-related data leaks?

To reduce risks in the new digital workplace, companies must first put well-documented policies and training around the do’s and don’ts in these new communication tools. That should come with periodic policy audits and spot checks along with actual policy enforcement. Then, companies must shift to implementing purpose built technology that allows them to detect risk and take action on that risk in the communications inside of their new communication tools. These security tools should be vetted and certified by the communication platforms like Cisco, Microsoft, RingCentral, Slack, and Zoom.

By adapting security and compliance practices and using supporting technology that is trusted and certified by the communication tool providers, customers can put the guardrails in place to best protect their employees, customers and data from abuse and misuse. As information is increasingly shared and our workplace interactions take place inside and during collaboration, optimizing and ensuring compliance and security standards is a necessity.

What can businesses do to increase employee awareness?

To increase employee awareness, there should be clear posting of policies and actual training on proper procedures while implementing security and compliance technologies purpose-built for integrated voice, video, messaging, and chat tools. The same way technologies are used by companies for email security, network security, cloud application security, and endpoint security, there are technologies that help manage monitoring, automate risk detection, and coach employees inside of chat, voice, and video communications while monitoring and enforcing that users keep proper security settings enabled on the platforms themselves… The latter being a common place where users unintentionally disable the very powerful security features that companies like Zoom deliver in their products.

Second, technology can and should be transparent and set to alert employees that it is monitoring to maintain a safe digital workplace. It should be seen as a visible guardrail, warning light, and safety system that activates when needed, based on risk. For example, technology can remove a file or link to a file of customer information in a chat and replace it with a message noting that the file was blocked due to the requirement to protect that sensitive data. For another example, technology can notify employees that a video meeting is being recorded for compliance purposes and, in the meeting, users can be notified of risky actions that they should avoid. In those scenarios, security and compliance teams would only be notified of risks versus non-relevant, time-wasting non-risks.

Finally, as compliance and security teams forensically review meetings, chats, and conversations that have triggered risk, technology can be used to address the risk and notify employees. These types of visible guardrails and warning lights can dramatically reduce the most common risks and make it easier to focus on the trickier ones by reducing signal-noise.

How can organizations prevent the threat posed by disgruntled or resigning employees?

Aside from doing your best to treat employees fairly and with respect to put foundational disincentives in place for disgruntlement, the best approach to handling outlying disgruntled employees is by making the rules and repercussions for violation well known while also making it well known that there is an advanced technology that can and will detect those violations.

By being clear about all guidelines for communications, how information is shared, and how the information and communications are stored, employers can mitigate the risk surface area from the start. That is where compliance and security tools enable risk detection while pinpointing exact moments or instances of compliance issues across every collaboration interaction and conversation, whether it’s video, voice, chat, or the files shared within them. These rules and implications can be outlined and baked into the initial employment agreements and the typical privacy and conduct rules that employees sign up for as part of their onboarding.