Research from the ONS estimates that – at the height of the pandemic – a record 49.2 percent of employees worked remotely. It sparked widespread reliance on cloud-based collaboration tools like Microsoft Teams and SharePoint, which quickly became synonymous with the crisis. By the end of April 2020, Teams use had grown to 75 million daily active users, adding 31 million in just over a month. Today, as businesses start to emerge from lockdown, it is becoming apparent that the new normal will be a hybrid mix of home and office working. While advice for employers is to start bringing people back into the workplace where it is safe to do so, it is unlikely there will be a widespread return to pre-COVID levels of office-based staff.
The flux between home and office networks exposes new entry points for cyber criminals and, if access privileges are not managed carefully, it can leave organisations exposed to fresh security exploits.
As businesses now embark on a new phase where flexible working is standard, and our reliance on cloud-based collaborative tools looks set to continue, here are some steps that all organisations can take to fine-tune their security and avoid any business disruption in the months ahead.
With remote access comes risks
Remote working carries a variety of security risks. Cyber criminals are aware of this and are quick to probe for weaknesses. Brute force attacks against VPNs, alongside credential phishing and command-and-control-based attacks, are commonplace. The likely success of these attacks is heightened by the fact that many more workers are accessing corporate resources from personal machines and devices that do not meet corporate cyber security standards.
Applications like Microsoft SharePoint and Teams have made sharing data and collaboration between colleagues extremely easy, regardless of location. However, what most troubles security professionals is what happens behind the scenes. Establishing a new group on Teams automatically creates a new site on the company’s SharePoint for the whole group to access. At the same time, new Azure Active Directory (AD) groups are nested within the local groups, and a hidden mailbox is created in Exchange. OneDrive is also used as a data store – any file shared within a Teams chat is actually saved in OneDrive and a sharing link is created for the recipient(s).
All of this means that Teams users in the group can share and work on documents freely together, completely outside the IT department’s control. The owners of a group can also invite other users, even if they are external to the organisation. This all adds up to a happy hunting ground for threat actors. The risk is that malicious insiders and external attackers with stolen credentials may be given free rein to access sensitive data and exfiltrate it while neatly sidestepping several layers of security defences.
Sharing without compromising security
SharePoint and Teams have been indispensable for firms forced to temporarily abandon office-based working. The danger, however, is that with control over access to company data now in the hands of uninitiated users, weak links in the chain are almost inevitable.
It is possible to mitigate the risks associated with collaboration tools with a few basic security steps. Step one is to implement a least privilege policy. This ensures users only have access to information they need for their job. It’s a move that immediately reduces opportunities for external intruders and malicious insiders to access and exfiltrate sensitive data. A second step is to introduce a range of control measures – from rules preventing the transfer of company data to unauthorised devices to banning users from sharing links to company files without permission. Where individuals need to share sensitive company information with third parties, we recommend adding them as guests to Azure AD and granting them appropriate access from there. Another sensible precaution is to set an expiration date for all user-created links.
Finally, organisations should monitor SharePoint for signs of suspicious activity. Examples might be unusual folder or admin activity, or alterations to group membership. Anomalous SharePoint activity could be a sign that either an employee or an external threat actor is abusing the capabilities of SharePoint, Teams and other services.
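One way to check audit events for the signals named above (group membership changes, new site admins, unusual file activity), as an added example that is not code from the article or from Microsoft. The records are constructed, the field and operation names are assumed to follow the Microsoft 365 unified audit log, and the burst threshold and window are assumptions to tune per tenant.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, shaped like Microsoft 365 unified audit log
# records. Field and operation names are assumptions; all values are made up.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"CreationTime": "2021-06-01T09:00:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "ObjectId": "/sites/hr/policy.docx"},
    {"CreationTime": "2021-06-01T09:05:00", "Operation": "AddedToGroup",
     "UserId": "bob@example.com", "ObjectId": "/sites/finance",
     "TargetUserOrGroupName": "eve_gmail.com#EXT#@example.onmicrosoft.com"},
    {"CreationTime": "2021-06-01T09:06:00", "Operation": "SiteCollectionAdminAdded",
     "UserId": "bob@example.com", "ObjectId": "/sites/finance",
     "TargetUserOrGroupName": "bob@example.com"},
] + [
    {"CreationTime": f"2021-06-01T22:0{i}:00", "Operation": "FileDownloaded",
     "UserId": "carol@example.com", "ObjectId": f"/sites/finance/report{i}.xlsx"}
    for i in range(6)
])

MEMBERSHIP_OPS = {"AddedToGroup", "RemovedFromGroup"}
ADMIN_OPS = {"SiteCollectionAdminAdded"}
BURST_COUNT = 5                        # assumed threshold, tune per tenant
BURST_WINDOW = timedelta(minutes=10)   # assumed sliding window

def detect(log_text):
    """Return (rule, actor, detail) alerts for the activity types named above."""
    events = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["CreationTime"])
    alerts, recent, bursting = [], defaultdict(deque), set()
    for e in events:
        op, user = e["Operation"], e["UserId"]
        target = e.get("TargetUserOrGroupName", "")
        if op in MEMBERSHIP_OPS:
            # "#EXT#" marks a guest account from outside the organisation
            rule = "external-member-change" if "#EXT#" in target else "member-change"
            alerts.append((rule, user, target))
        elif op in ADMIN_OPS:
            alerts.append(("site-admin-added", user, target))
        elif op == "FileDownloaded":
            ts = datetime.fromisoformat(e["CreationTime"])
            window = recent[user]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:   # drop downloads outside the window
                window.popleft()
            if len(window) >= BURST_COUNT and user not in bursting:
                bursting.add(user)                 # alert once per user
                alerts.append(("download-burst", user, e["ObjectId"]))
    return alerts
```

On the constructed sample, `detect(SAMPLE_LOG)` returns three alerts: the guest added to the finance site, the new site admin, and the late-evening download burst.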
In summary, best practice dictates that firms have a full inventory of sensitive data assets and know exactly where they are stored – whether on premises or on in-cloud platforms. At the same time, the principle of least privilege, confining user access to the data needed for their job, should be applied. These simple steps can do much to compensate for the lack of visibility and control associated with cloud collaboration tools. In this way, companies can enjoy all the benefits of cloud collaboration while avoiding the chaos of unfettered data access.
Matthew Lock, Technical Director at Varonis, has 20 years’ experience in the field of network security, which includes extensive contracts with many global businesses, including BP and JPMorgan. Varonis offer software solutions that protect data from insider threats and cyberattacks. Matt specialises in risk assessment, risk management, policy compliance, security reviews and managing network behaviour anomaly systems. Matthew now leads Varonis’ sales engineering team in the UK, Ireland and Middle East, ensuring the team is helping customers and partners from a range of sectors in data governance projects, and organising, securing and managing their unstructured data. Matthew is able to discuss a range of cyber security issues, including data protection, insider threats and GDPR.