Third Party Collaboration Tools: Data Controller

If you are a data controller and play a legal role in the decisions an organisation makes on processing personal data, no doubt you've suffered a headache or two ensuring you are GDPR compliant. But how recently have you focused your attention on the third-party collaboration tools your organisation uses?

Does your collaboration tool meet your compliance needs? 

Third-party collaboration tools, generally speaking, offer a one-size-fits-all solution, especially regarding encryption and data security compliance. Unfortunately, each economic zone has its own data protection and compliance regulations.

Depending on the type of data, where it is acquired and stored and/or the business location, you will need to ensure that collaboration tools and their usage keep your organisation compliant.

Get a FREE DEMO to the Layer-8 Toolkit

Are you actioning purpose limitation with your use of collaboration tools? 

Most effective collaboration tools can be partitioned into different accounts or projects to restrict data to the specific users who need to use that data.

Partitioning is often done by project, client, function, department or activity. According to Article 5 of GDPR, the data controller must be able to demonstrate that access to data is limited, including in third-party collaboration tools.

Often as a by-product of collaboration, data is shared or stored on the tool making it susceptible to data loss or theft. The tool must be configured to be as limiting as possible. 

Large organisations may have hundreds or thousands of users and partitions, and it is impossible to monitor them all in real time to ensure compliance with external and internal data protection regulations.

For this reason, user training is essential. Personnel who use collaboration tools have to take ownership of their role in data security. For this to happen there needs to be a real change in culture. 

As data controller, can you demonstrate that every precaution has been taken? 

Data controllers must be able to demonstrate that stringent password control policies, including increased complexity and regular changes, have been implemented. Pseudonyms would also be a requirement, masking identities to make it more difficult for hackers to target key data processors.

Ultimately, there needs to be a change in culture when using third-party tools.  

Layer 8’s experience is that the most effective approach to take when looking to change the culture of security and data protection compliance is to get users and personnel to buy into the process. The most effective strategy is to provoke conversations and allow collaborators to explore the problem of security and their role in providing the best solution. 

Why HR has the most important role in data security

There is a common misconception about IT security that the weakest link is the firewall, server or any other technical component of an organisation's security infrastructure. The belief is that hackers are always one step ahead, leaving the IT team to play catch-up.

In reality, the human factor is the real weak link in data security as users go about their day-to-day business handling data of all kinds, including confidential information and corporate IP. Hackers focus on people to get inside networks and access such sensitive data using phishing attacks, social engineering and malicious emails.

Hackers also target the way that third-party applications, such as collaboration tools, are used. Login information, passwords and the scope of data available on the tool are all potential security issues that can be easily managed with greater awareness and “buy-in” from users. 

This is where HR can step in and be at the forefront of changing security culture. Data protection and security training are the most critical components of maintaining data security. It's more than just delivering facts and information; the key to IT security is ensuring that every worker takes ownership of IT security. It's about having the right conversations.

People need to understand why passwords need to be varied and complex, why they need to be changed regularly and why extra security is required when using network and third-party tools, particularly when accessing them remotely. 

The goal is to have each user take ownership of their data security. That's where Layer 8 comes in.

Are you keeping your data compliant? 

Keeping your data safe from phishing or cyber attacks should be a key focus for every user, particularly for HR, due to the sensitive data the department stores.

If users are storing personal data on a third-party collaboration tool, it is important to be aware of local legislation (multinational operations will have to navigate potentially conflicting data laws).  

A good example of compliance regulations that may be relevant to HR teams could be the US’s Health Insurance Portability and Accountability Act (HIPAA) that requires native encryption on any device that holds data relating to health insurance. 

Starting a conversation with IT departments

IT departments have traditionally had a bad reputation for blocking innovation. They are naturally risk averse which, in terms of implementation and management of collaboration tools, is an asset that a business can harness to drive security best practice.

One of the most effective strategies to encourage IT personnel to join the conversations your business is having on IT security is to identify the right questions to ask. 

For example, when looking at collaboration tools, how can your organisation limit the access to sensitive data of each particular user? 

Collaboration tools can be partitioned into different business units, projects and business processes. Within those partitions, sub-partitions can be put in place to refine access to specific data even further. 

Having a well-designed and comprehensive partition infrastructure helps the organisation to limit the exposure each user has to privileged or sensitive data. By optimising user privileges, you are limiting potential data loss to the necessary minimum.

How secure is the tool against web-based threats? 

With a remote or a fluid workforce, users need to access the collaboration tool on less secure internet connections, increasing the potential for malware attacks or unauthorised tracking.  

One option would be to implement an off-site security protocol that takes advantage of a secure VPN connection. Users accessing the collaboration tool remotely will have to provide credentials to gain access to the VPN before they can log in. 

Has the collaboration tool been optimised to make it secure against hacks? 

Hackers are extremely creative. They can find angles to attack a business that most people wouldn’t consider. For a collaboration tool to be secure, issues like URL structuring, encryption and summary settings need to be addressed. 

URL Structuring: Hackers are very skilled at getting access to company sites through third-party software by following the standard conventions used by web-based apps, for example company.collaborationtool.com. There is a good chance this will take the hacker to the personalised presence of the company using the tool.

Often these tools pull metadata into the URL. A simple scrape of URLs might give the hacker access to a whole host of confidential data.  

Having the IT team ask questions around the URL structuring during the decision-making process will ensure a tool which allows for URL control is chosen. The IT team will also see the value in customising URL structuring to secure this data. 

Encryption: What kind of encryption does the software utilise? Unfortunately, due to the skill of hackers, having some form of encryption isn't enough, as it will need to be compliant. If your collaboration tool has health data, it will need to be HIPAA HITECH compliant; likewise, for credit card processing or payment details you would need to ensure it is PCI DSS compliant.

Summary settings: Some collaboration tools can send daily summaries to privileged users. Unfortunately, whilst the tool may be very secure, sending data to an email server opens up the potential for the server to be hacked.

Third party email systems are particularly vulnerable as they are often not set up to be secure. A better solution would be to use a tool that offers a “recent activities” summary which is accessible through the software. 

Summary of questions to ask IT teams 

  • How can your organisation limit the access to sensitive data of each particular user? 
  • How secure is the collaboration tool against web-based threats? 
  • Has the collaboration tool been optimised to make it secure against hacks? 
  • Does the tool include metadata in the URL?
  • How well encrypted is the tool and is it compliant regarding data protection?
  • Will the tool be accessed remotely and, if so, does it require a VPN for additional protection against malware and hacks?

What now? 

Engaging an IT team and having conversations about the relative risks of collaboration tools is important. However, this conversation is only one component of IT security; promoting conversations that change attitudes and behaviours toward safety is essential. Facilitating these conversations is something that Layer 8 specialises in. Watch a quick demo to understand more.

What questions should you be asking your employees?

Employees using collaboration tools have a duty of care to restrict or control access to the information, especially if it is used to share or store sensitive data.

Most of these tools give individuals access to different levels of data. They enable the creation of partitions that isolate data in terms of business processes or projects, so that it can only be accessed by selected team members.

The questions that should be asked of employees include:

  • How aware are they of the privileged data their account allows them to access, even if they don’t actively use the data?
  • Do they have a firm grasp on what data could be considered sensitive or could cause damage if compromised?
  • How securely do they keep their credentials?
  • How complex is your password on your collaboration tools?
  • How often do you have conversations about your IT security?

You may or may not be surprised to hear that we meet employees on a daily basis who are still using basic passwords like “password123”. If they have access to financial information or proprietary company data, this represents a significant organisational security risk.

Having strict guidelines for passwords, including the frequency with which they are changed (every 3 months), would go a long way towards making life more difficult for potential hackers and protecting your business.

However, for such guidelines to be effective, user buy-in is required. The ultimate goal is for users to take responsibility for their security and to share the same vision and focus that drives good IT security practice.

What now?

Asking questions about how securely collaboration tools are being used will definitely have a positive impact on risk mitigation, but this is just one piece of the puzzle. You should also be provoking conversations about other security issues that are user-led. Facilitating these conversations is something that Layer 8 specialises in. Watch a quick demo to understand more.

Top 5 Conversation Starters to Secure your Online Collaboration

Does your business like the productivity and agility afforded by collaborative tools but have serious concerns about the security vulnerabilities these tools potentially introduce into the system?

Click below to view 5 conversation starters to help you achieve a balance:

  1. Employees
  2. IT
  3. Data Controller
  4. HR
  5. Internal Comms

Learn more about how to use online collaboration tools, how to use these questions within your business and how to train your employees on the risks associated with using unsanctioned applications.

        

Layer 8 Signs Up VCW As UK Distribution Partner for Cyber Security Training Solutions

Layer 8, a leading provider of experiential cyber security training solutions, has appointed VCW Security as UK distribution partner.  The partnership will enable VCW to expand its portfolio of market-leading cyber security solutions with a unique solution that allows resellers to provide customers with an additional layer of protection against security breaches by employees that are not fully aware of all potential cyber threats.

Commenting on this new partnership, Sarah Janes, Managing Director at Layer 8 said: “Working with VCW has been extremely refreshing. The company is proactive and really understands how to position and sell the ‘value add’ that many talk about but are unable to fulfil.”

Layer 8 provides a new breed of training solutions which empowers changes in organisational security cultures by raising awareness that technology alone cannot deliver the required level of protection. In fact, the recently published ‘Black Report’  states that 85% of hackers said people were the primary source of blame for security breaches, even more than inadequate security and unpatched software.

Layer 8 training solutions are delivered using a combination of methods including immersive workshops, peer-to-peer learning and leadership via ‘champions’ campaigns. A smartphone app is also available for both iOS and Android users. The training programmes blend security and educational experience to challenge the status quo, strengthen the human factor in security and empower leaders to drive a culture change that will have a real impact on stopping cyber-attacks.

VCW Security, added: “Layer 8 gives resellers a significant competitive advantage by enabling them to provide their customers with a multi-layered approach to security that recognises the role played by employees as first line of defence against the rising tide of cyber threats. Activating an effective human firewall will help organisations to plug the gap in existing IT security strategies whilst providing resellers with additional ongoing revenue streams.”

Layer 8 GDPR compliant Data Protection Training

Get your people compliant and improve their security behaviours around data protection and privacy starting at £995.

You need employees to convert legislation into actions that will protect your business. Get key messages out fast and meet your compliance requirements with the Layer 8 Toolkit®.

Over 90 days, every one of your staff will get:

  • Daily security tips
  • Engaging and informative articles
  • 2-minute video challenges
  • 2-minute animated films
  • Quick wins
  • Questions to answer

The Layer 8 Toolkit® offer for SMEs includes:

  • 3 editions: Privacy, Data Breaches and Security Behaviours
  • Each edition comprises: 2 videos, 1 audio drama, 9 articles, 3 quick wins, 30 daily security tips
  • Access to the web, iOS and Android platforms
  • Exception report (telling you who has not completed)

Watch the 7-minute demo of the Layer 8 Toolkit® and get in touch with any questions or to sign up.

Activate your human firewall and start transforming the security culture in your organisation today

Traditionally, the security market has secured businesses using technology alone. However, this approach is inadequate to protect people, data and businesses in today’s threat landscape where criminals target employees.

In the face of these constantly changing threats, businesses will not be able to operate effectively by simply locking systems; they need to develop a security culture where employees are alert to the risks, understand the value of the information entrusted to them, and know that their behaviours and practices are vital to keeping it secure.

By activating the power of the human firewall, Layer 8 provides cyber security training which empowers a change in your company's security culture to influence future generations, enabling you to:

  • Educate your colleagues to manage and protect their information assets better than ever before
  • Reduce the volume of day-to-day security incidents
  • Spend more time focussing on securing every layer of your business to support your organisation’s commercial success
  • Develop security champions across your organisation to impart best practice and embed process changes
  • Get everyone involved in conversations about security
