22 February 2021

How safe and secure are your employee collaboration tools?


There can’t be too much pain involved in people collaborating, can there? After all, getting people to talk and share documents and ideas is a basic requirement of work.

Most businesses will use a range of tools/apps to collaborate across their business. This is probably okay, as you will conduct due diligence before signing a contract and then make sure that during the roll-out people learn to use it correctly. However, there may be a range of tools or apps that employees use on a daily basis that are not known about by the business and therefore not subjected to the same level of scrutiny. If you disagree with this second statement, you have a bigger problem than you realise.

Are you data-aware?

“Shadow IT” is a fact of life and grows from a need to do something to facilitate the business or team goals when there isn’t a simple and effective corporate facility available. This can lead to loss of data, inappropriate sharing, and generally become a commercial disadvantage.

However, as a business, you are responsible for the data you hold, use, and share. Data protection is not just about data breaches; there are other aspects that you need to consider, including access and disclosure, data collection (is it more than you need?), retention and disposal, availability, and security. These aspects can contribute to a breach of the law even if there is not a data breach, and there are still opportunities for the ICO to take enforcement action against you for failures in any of these areas.

The reason this becomes important is that using tools or apps that aren’t known about by the business and therefore not subject to the rigours of GDPR creates a risk for a business.

Here’s an easy test. 

Do your employees use a WhatsApp group for swapping shifts, exchanging customer contacts, advising of new start dates for employees, etc?  Not only is that data subject to Data Protection law but there are other risks. For example, when people leave your business are they always removed from the WhatsApp group? If not, there’s a good chance they are still accessing your data in their new role which could have an impact on your competitive advantage. And then, how do you make sure that information is removed once it is no longer relevant? How do you control the sharing of information within the group? 

The problem with social apps

We’ve already mentioned a few issues about the use of WhatsApp, but there are plenty of other ungoverned apps that your people will use. In January 2021, it was announced that WhatsApp was changing its privacy notice so that information could be shared with Facebook. Are you still OK with your teams using WhatsApp? It is surprising how many businesses, including medical providers, continue to use unregulated apps. The ICO regularly prosecutes people and companies for failing to protect their information, and leaders within the business should be acutely aware of the penalties.

Security and compliance ordeal

An enterprise was hit by an attack from a game company trying to get employees to download a game which turned out to be an egregious form of Shadow IT. This gaming site subscription had full access to many company email inboxes, including senior leaders and all their sensitive contents.

“The most famous Shadow IT example is a so-called game developed on Android. The game developer was purportedly based in the Netherlands but was in fact a Russian company. This game accessed all the emails, not only the headers but the content of all the people installing that game. CEOs, CFOs, CIOs had all given permission to this game that was really a Russian company reading all your emails,” said Julien Denaes, Alpin co-founder and now CoreView vice president.

There is a better way

These basic messaging tools provide some small-scale sharing between teams, but they are not the real solution to employee collaboration.  Here are some ideas for a real tool for employee collaboration:

  • Link the authentication to your Active Directory – this ensures that when people leave the business, they no longer have access to your data.
  • Collaborative groups – make these open or limited to a specific set of users so your innovation/sharing is contained.
  • Publish company updates – keep these limited to an internal audience and allow comments that only your company can see.
  • Links to the right documents – avoid any phishing scams by providing the right links to websites, documents, and videos from a trusted source to protect your people from hackers trying to get to your data.
  • Secure storage – preferably cloud storage such as Microsoft Azure with local backups.
  • Mobile app – not just any mobile app but one that is designed to deliver all the above features and remain as secure as a desktop logon.

There are simple ways to deliver the required tools. People First Connect delivers all the collaboration tools you require and is fully compliant with GDPR. With rapid implementation, a business can quickly address any ongoing situation and give employees a secure environment.

By Andy Davies and Lesley Holmes


Andy Davies

As an expert in human resources and a member of the CIPD, Andy is now responsible for developing the implementation strategy for People First partners. Passionate about the future of HR, employee engagement and performance management, Andy often writes and offers best practice advice on the need for archaic HR practices to evolve in order for organisations to stay relevant within the ever-changing world of work.
