SafeGuard Cyber CTO and Co-founder Otavio Freire, and Mastercard Senior VP and Deputy CSO, Alissa "Dr. Jay" Abdullah, PhD, joined Cybercrime Magazine to talk about unsanctioned business collaboration tools and the various risks they pose to enterprises.
Below is a recap of the highlights from the discussion.
What Are "Unsanctioned" Business Collaboration Tools?
A recent survey from SafeGuard Cyber revealed that 52% of companies believe the biggest security and compliance challenges they have are unsanctioned applications and business collaboration tools.
Otavio explains that "unsanctioned" doesn't mean employees are violating some sort of stated policy; they're just using business collaboration tools that are not accounted for in terms of security.
"You have to think in terms of that employee: they're at home, they want to get their job done, as fast as they can, because they've got another thing to move on to," Otavio points out.
Case in point: if one were to send a customer an email, there's a high chance the customer won't be able to read or even see it. The average open rate of emails in 2020 was 18%. "However, in WhatsApp, 40% of communications are read," Otavio adds. "The security team is then stuck in this dynamic where they can't impede business, but they can't, at the same time, turn a blind eye."
Much like email, these unsanctioned apps, however useful they may be, can become a way for bad actors to breach an enterprise's perimeter and get straight into its network.
How Bad Actors Impersonate You
When asked about her concerns around employees using unsanctioned and unsecured apps, Dr. Jay elaborates on two kinds of risks that they bring: user impersonation and application impersonation.
"I can log in on LinkedIn and have all of these followers, and I can pat myself on the back and say, 'Yay! I have all of these followers, and I feel so good!' But we know for a fact that there are no integrity checks for the followers," she elaborates.
What this means is, there is no way to verify that your followers are "real people." So there could be five different accounts with your colleague's name and background on them, but only one of them is real; the other four are impersonations.
With application impersonation, a bad actor might target an entire company in an attempt to access your enterprise's backend.
"Say you use your Gmail [account] to authenticate into Facebook or some other application. Once you do that, you're giving that application a token, and anyone who has access to that token can impersonate you and potentially gain access to every other thing in your enterprise's backend," elaborates Dr. Jay.
By using your corporate email address to authenticate into a social media platform, or any platform for that matter, you have given that platform a persistent token that includes details tied to your account or device.
"And if there's someone bad on the inside of that social media company, they can really look back into everything that my enterprise has," she adds. "That's why application security is really important."
What Enterprises Often Overlook
Social media sites can become a minefield of risk because it's relatively easy to pull off social engineering scams there. But, as Otavio points out, we often overlook the security of consumer-based business collaboration tools. These tools have become privacy grey areas, in the sense that customers and employees use them for both personal and business matters.
"Hackers know this and take advantage of these privacy grey areas to openly breach an enterprise, such as what we saw on Operation Sharpshooter or Pegasus, and so forth. So you have to think of them differently because they bring to the table different concerns that the CISO has to take into consideration," Otavio explains.
Dr. Jay emphasizes the importance of having a management process to deal with the use of unsanctioned business collaboration tools.
"As a CSO or a security leader, you have to make sure there is a process in place to ask, 'What are the requirements [of these apps]?' and 'What are you trying to solve that these applications that we've already provided you have not solved?'" Dr. Jay explains.
She also stresses that the process shouldn't be lengthy, because a slow approval process is exactly what drives people to unsanctioned apps. Cybersecurity professionals have to be more timely in approving these applications, putting controls around them, and enabling them from a business perspective.
At the same time, employees also have a responsibility to at least try to use the business collaboration tools provided to them. "Our employees, too, have to say, 'Well, instead of using this app which I know and love at home, my office uses this app. I can settle on this one as well since it has some security measures around it.' There's got to be some give and take."
Watch the Entire Conversation
There is a lot more to learn in this interview. As Dr. Jay pointed out near the beginning of the video:
"There is no industry, no sector, that is immune to cybersecurity and ransomware attacks… [Bad actors are] finding different ways and means to get to us but, when we start peeling this 'onion,' I can almost bet you there are some basic cybersecurity tenets that we may find we need to continuously address."
If you want to learn more about:
- Why only 18% of companies consider cybersecurity a board-level concern;
- How companies plan to budget to secure their tech stacks and business collaboration tools; and,
- What the future of cybersecurity looks like, post-pandemic;