Are you worried about rolling out Microsoft Teams? Are you concerned that users may accidentally share the wrong information with Team members? Your concern is justified with 56% of insider incidents caused by employee or contractor negligence at a cost of $484,931 per incident (2022 Ponemon Cost of Insider Threats Global Report). Understandably, rolling out yet another collaboration tool where data can be accidentally shared with the wrong party or parties, misused or even stolen for personal gain can be daunting. We’ve identified the Top 5 Microsoft Teams security concerns and what you can do to empower users to collaborate freely without risking sensitive data shared on the platform.
The Top 5 Microsoft Teams Security Concerns
While Microsoft Teams adoption reached over 270 million active daily users in 2022, highly regulated industries and government organizations are still hesitant to deploy Teams or limit its usage due to information security concerns. Financial services, life sciences, pharmaceuticals, government and defense organizations often express concerns over controlling access to confidential information and sharing it in Teams. These concerns are echoed by departments that handle highly sensitive information including customer data, human resources, legal, intellectual property (IP), R&D, financials, M&A, military information, etc.
Here are the Top 5 Microsoft Teams security concerns we hear from customers looking to ensure their sensitive information remains secure when using the platform for collaboration.
1. Information Barriers (Ethical Walls)
Sometimes, users within an organization cannot exchange certain types of information with colleagues due to legal or regulatory requirements. The financial services industry, mergers and acquisition teams, and law firms all have scenarios where information sharing between internal groups is prohibited. For example, the SEC prohibits any securities transaction that is carried out by a person who has seen or has access to non-public information. The last thing any financial services company wants is to inadvertently facilitate accidental sharing that leads to an insider trading incident. While there is an ‘in-box’ solution in Microsoft Teams for setting up Information Barriers, it is very binary: groups of users are completely prevented from sharing or communicating with other groups. The concern with this all-or-nothing approach is that leaving communication fully open is prone to accidental insider breaches, while blocking it completely will very likely result in Shadow IT. Completely cutting off communication will force people to look for alternative tools, even if it is just to facilitate innocent interactions, resulting in increased compliance risk.
2. Preventing Sprawl and Breaking Data (or Information) Policies
By design, it’s very easy for a user to create a new team, add members and start collaborating. The ease of use has helped to drive Microsoft Teams’ viral adoption. However, just as we saw with SharePoint, organizations are concerned about wasting resources and other implications due to sprawl. Teams are created and then abandoned after a short period of time. Duplicate teams are created, again resulting in an abandoned repository once users gravitate towards one team over the other. Redundant teams not only waste resources but also create a scenario where the lack of oversight and life cycle management can result in valuable or sensitive information being at risk due to incorrect or outdated sharing settings that break information protection controls.
3. Sensitive Data Protection
With multiple new data privacy laws including the California Consumer Privacy Act (CCPA) and sweeping GDPR regulations, organizations must ensure that collaboration content, including chat and files in Microsoft Teams, is being shared in accordance with the information handling policies laid out in these regulations. Organizations also need to ensure that confidential or sensitive information is not accidentally shared with external guests or unauthorized Teams users. While Microsoft Teams offers Private Channels, it is a “location-based” approach with several limitations, as there is no technical enforcement of information protection beyond permissions access to the channel. Private Channels do not address customer concerns about files or chat messages being accidentally posted in the wrong team or channel. As Microsoft Teams adoption and use grow, the accidental sharing risk increases, as users may lose sight of team membership and not realize that they are exposing confidential information to the wrong group.
4. Empowering Teams Owners
The highly requested Private Channels capability in Microsoft Teams gives Team Owners much-needed control over the granularity of protection they apply within their teams. Team Owners are better positioned to understand the specific sharing and data protection requirements of a team, as they know the nature of the content and team members the best. At the same time, there must be a balance between Team Owners and IT to ensure that corporate-wide policies are being properly enforced. Typically, information protection policies and application access controls are defined and applied at the tenant level. While this works for enforcing organization-wide policies, it often leaves a security gap. The dynamic nature of the collaboration process requires Team Owners to be equipped with the right tools to ensure that any information security gaps within Teams are appropriately plugged. Without this capability, the concerns about Information Barriers, secure collaboration and sprawl will impact the success of any Microsoft Teams rollout.
5. BYOD Access
Microsoft Teams is great for collaboration on the go. It can be accessed from the Teams app or web browser on your PC, laptop or phone. However, that also means sensitive data in Microsoft Teams is accessible on personal devices, posing a serious security and compliance risk if not managed properly. Company-issued devices have security software and policies applied before they are given to employees to ensure they are secure. Organizations that support BYOD must consider implementing robust policies around granting users access, via Teams on their personal devices, to sensitive data such as intellectual property (IP), classified data, or regulated data assets that contain personal or healthcare information, because that data can be downloaded to these unmonitored devices.
Empower Users to Collaborate Freely Without Risking Sensitive Data
A data-centric approach is best suited to ensuring that there is no accidental sharing of confidential or sensitive content in Microsoft Teams. It provides granular access control and protection of content within a team or channel without having to create separate collaboration silos to carry out tasks.
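The following added example, which is not code from NC Protect or Microsoft, shows an attribute-based decision made per item rather than per group, so two departments and a guest can share one channel while each sees only what their attributes and device allow. The label ranking, departments, users, files and the `decide` and `visible_items` functions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed label ranking; real label names come from the tenant's own scheme.
LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly Confidential": 3}

@dataclass(frozen=True)
class User:
    name: str
    department: str
    clearance: str            # highest label this user may open
    is_guest: bool = False

@dataclass(frozen=True)
class Item:
    name: str
    label: str
    departments: frozenset = frozenset()   # empty = any team member

def decide(user, item, managed_device):
    """Return 'hide', 'read_only' or 'full' for one user, item and device."""
    rank = LABEL_RANK.get(item.label)
    if rank is None:
        return "hide"                       # unknown label: fail closed
    if item.departments and user.department not in item.departments:
        return "hide"                       # barrier applied to this item only
    if rank > LABEL_RANK.get(user.clearance, -1):
        return "hide"
    if user.is_guest and rank >= LABEL_RANK["Confidential"]:
        return "hide"
    if not managed_device and rank >= LABEL_RANK["Confidential"]:
        return "read_only"                  # personal device: view, no download
    return "full"

def visible_items(user, items, managed_device):
    """Map item name -> decision, leaving out everything the user must not see."""
    return {i.name: d for i in items if (d := decide(user, i, managed_device)) != "hide"}

# Constructed sample data: one channel shared by two departments and a guest.
BANKER = User("banker", "M&A", "Highly Confidential")
ANALYST = User("analyst", "Research", "Confidential")
GUEST = User("guest", "External", "General", is_guest=True)
CHANNEL = [
    Item("lunch-menu.docx", "Public"),
    Item("q3-notes.docx", "Confidential"),
    Item("deal-model.xlsx", "Highly Confidential", frozenset({"M&A"})),
]

if __name__ == "__main__":
    for person, managed in [(BANKER, True), (BANKER, False), (ANALYST, True), (GUEST, True)]:
        print(person.name, "managed" if managed else "personal", visible_items(person, CHANNEL, managed))
```

The analyst and the banker stay in the same channel; only the deal file is walled off, and the same banker drops to read-only on an unmanaged device.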
NC Protect strengthens sensitive information protection in Teams with fine-grained, data-centric security. NC Protect prevents accidental oversharing, misuse and theft of both chat and file content in Microsoft Teams by enhancing out-of-the-box security:
- Combine Microsoft Purview Information Protection (MPIP) sensitivity labels and Microsoft Azure Active Directory (Azure AD) attributes with NC Protect’s dynamic attribute-based access control (ABAC) and data protection policies to control access, usage and sharing of files.
- Conditional access and usage rights prevent accidental sharing of files and sensitive chat content in Teams.
- Set default security options that Team Owners can select and apply when creating a new team or channel.
- Security Scopes can be automatically applied and adjusted based on the team membership and the sensitivity of chat content or files.
- Hide specific files from the view of team members that aren’t authorized to view them.
- Dynamically apply unique protection capabilities such as user-specific watermarks and secure read-only access through a zero-footprint file viewer.
- Contextual ABAC policies help control sensitive data access and restrict how users can interact with the data when using personal devices.
- Proactively block sensitive content from chat threads.
- Retroactively delete sensitive content from chat threads if a new policy is applied or a team member is no longer authorized to view content.
If you’re struggling with Microsoft Teams security, contact us to learn more about how NC Protect offers greater control over Teams data access and protection.