Smaller businesses rarely invest in high-cost collaboration tools, opting instead for cheaper — or, better still, free — utilities. For better or worse, they have plenty of choices. However, failure to consider the security implications of using such tools can end up costing SMBs far more.
Document collaboration tools
Many services allow small teams to edit documents simultaneously. They’re not just text tools, though; using them, team members can jointly develop graphical interfaces, diagrams, source code, and much more as well. It is handy, after all. However, before using such a service, it is worth understanding exactly how it works: how it stores your information, who has access to it, what security settings are available. Leaving work files publicly accessible is always a bad idea. Even if you are not concerned about information leakage, an intruder could gain access and make their own changes to your project documentation.
Google Docs provides the most vivid example. People often share documents through Google, using a direct link without any restrictions. That means search engines can index them, and therefore pretty much anyone can see them. Complete strangers have found all sorts of confidential information in those docs: employees’ personal data, lists of customers including contact details, and even payroll records.
What to do: Use only services in which you can hide documents from prying eyes, or that at least give a clear explanation of how documents are stored. Do not forget to configure access rights — the ability to do so is a vital consideration. So, if you use Google Docs for work purposes, restrict access, granting it only to people you share documents with, and do not forget to revoke it if they no longer need it.
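One way to check sharing settings in bulk, as an added example that is not part of the original article: it assumes each file's sharing entries have been exported in the shape of Google Drive API v3 permission records (type, role, emailAddress, allowFileDiscovery). The file names, addresses and the roster of current staff are constructed sample data.

```python
# Constructed sample data shaped like Drive API v3 file resources.
SAMPLE_FILES = [
    {"name": "payroll-2024.xlsx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True},
    ]},
    {"name": "customer-list.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False},
    ]},
    {"name": "project-plan.docx", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "ana@example.com"},
        {"type": "user", "role": "writer",
         "emailAddress": "Old.Freelancer@example.net"},
        {"type": "user", "role": "reader", "emailAddress": "ben@example.com"},
    ]},
]

# Assumed roster: the only people who should still have access.
ACTIVE_PEOPLE = {"ana@example.com", "ben@example.com"}


def audit_sharing(files, active_people):
    """Return (file name, finding) tuples for risky sharing entries."""
    findings = []
    for f in files:
        for p in f.get("permissions", []):
            kind, role = p.get("type"), p.get("role")
            if kind == "anyone":
                # allowFileDiscovery=True means the file can turn up in search.
                reach = ("public and discoverable by search"
                         if p.get("allowFileDiscovery")
                         else "anyone with the link")
                findings.append((f["name"], f"{reach}, role={role}"))
            elif kind == "user":
                email = p.get("emailAddress", "").lower()
                if email not in active_people:
                    # Former staff or contractors: access should be revoked.
                    findings.append((f["name"], f"revoke {email} ({role})"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sharing(SAMPLE_FILES, ACTIVE_PEOPLE):
        print(f"{name}: {finding}")
```

A link entry with role=writer deserves attention first, since it lets a stranger change the document rather than only read it.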
Cloud file storage
Another type of service that you should treat with caution is cloud file storage. Need to transfer a large amount of information? No problem — just upload it to the cloud and send the recipient a link. That neatly avoids any e-mail size limits. But many file-sharing services have no protection at all; and, again, files can pop up in the search results of random strangers.
Even if a service has protection, you need to turn security settings up to the max. People often sign up, upload data to the cloud, and forget about it. But passwords can leak. Once, hackers even stole passwords from Dropbox, not to mention smaller services.
What to do: Choose a reliable file-sharing service that supports two-factor authentication. Once you put data in the cloud, do not forget about it, and if you’re no longer using a file for work, delete it. Settle on one service for sharing files; using more than one invites confusion.
Overall, these platforms allow workflow participants to communicate, share files, and systematize projects. If you use one to discuss business strategies or transfer files, it is important to know not only who can see them today, but also who might be able to later. Some cloud platforms make everything visible to everyone by default. Users can hide items, but odds are they won’t remember to 100% of the time; the default usually stands. What’s more, if someone gets access to a project, it is likely they will gain access to the entire project history, which is not always desirable.
Companies often grant access to such environments to contractors or freelancers, who may be working for you today and for a competitor tomorrow. Not to mention dismissed employees, who might have time to download an archive before you revoke their permissions.
What to do: Regulate project access rights, restricting those rights to work-related files only, for all parties. Use separate communication environments for employees and external people (contractors, customers). And do not forget to revoke access for former employees and freelancers promptly.
Remember that all services may have vulnerabilities (which might be undiscovered when you start working with them). In addition, many services have client apps with their own problems. Therefore, we recommend that you stick to the following principles:
- Before you start working with a service, carefully study its settings and data processing rules, and read reviews that assess it from a security standpoint.
- Your dedicated IT expert or team, if you have one, must clearly understand what services you use, how they are configured, and who is handling their administration.
- If you have no dedicated specialist, appoint a responsible party for each service to ensure that the client app is updated promptly any time a vulnerability is found, that passwords are changed in the event of a leak, and that access rights are issued and revoked as and when required.
- Any service used to share a link or file can potentially be a malware distribution channel. Therefore, every device on which these tools are used needs a reliable security solution.
Kaspersky Small Office Security, our solution for SMBs, works on the install-and-forget principle. It protects against the latest ransomware, and it secures all online payments, valuable files (through encryption and backup), and applications (through vulnerability monitoring and timely software updates). The solution is available for Windows and macOS computers, Android mobile devices, and file servers. You can learn more and purchase the solution on the Kaspersky Small Office Security page.