Using MS Teams for better organisational security

Teams is a tremendous organisational collaboration and productivity tool, but did you know that using Teams to collaborate also supports your organisation's security controls? Take advantage of Teams and make your organisation more secure.


Friday, 11 November 2022
Tags: cyber security, design, security, teams
Let's not get personal, Miss 'Can't Keep A Boyfriend'.
These are the immortal words from a famous viral email exchange in 2005.

You might remember the unfortunate exchange between two employees of Allens Arthur Robinson. The exchange was quickly shared and made its way to friends and colleagues at PwC, KPMG, JPMorgan, Barclays Capital, Deutsche Bank, HSBC, ABN Amro, Westpac Bank, Macquarie Bank, Deloitte, Phillips Fox, Mallesons, Minter Ellison and Deacons, to name a few. The email exchange was eventually published on news platforms worldwide, resulting in both people losing their jobs.

As embarrassing as this is, the emails made it into the wild because the employees shared the exchange on an all-staff mailing list, and staff at Allens Arthur Robinson thought it was so amusing that they quickly forwarded the messages to colleagues and friends in other organisations. Within hours, the emails had gone viral among the international legal and consulting communities, communities with wide-reaching and tight-knit relationships.

Using Microsoft Teams to communicate within your organisation won't stop inappropriate exchanges among employees, but it will control the scope of those exchanges. Microsoft Teams lets you be selective about who you share information with, allowing you to target messages to a specific team, channel or group of people.

This makes it easy to restrict a conversation to a specific group and ensures that only people within that group see those messages. The trade-off is that anything posted in a standard channel is visible to every member of that team, so it is still easy to share information more widely than intended if a team is larger than you think.

Conversations in Microsoft Teams are designed with security in mind and have additional controls that help people manage their privacy and the content they share. For example, the fact that you can't "forward" a conversation in Teams the way you can an email (one of the biggest complaints about Teams conversations) is an intentional design choice. It limits your organisation's exposure and creates a walled garden that supports better practice cyber security design principles. It is friction rather than a hard control, though: nothing stops a user copying text or taking a screenshot, so it reduces casual leakage rather than preventing deliberate leakage.

What are the better practice cyber security design principles?

This whitepaper by Eaton describes cyber security principles based on multiple industry standards and best practices, including IEC 62443, UL and OWASP. Eaton's cyber security principles form the basis for a robust cyber security posture that supports the development of applications and services designed with cyber security in mind.

Minimise the attack surface area

The attack surface is the set of points where an attacker can try to get into your organisation or get data out of it. A large attack surface exposes your organisation to several risks, including loss of data, theft of intellectual property or customer details, disruption of services, server breaches and theft of money or funds.

Microsoft Teams helps you minimise your attack surface by reducing the chance of your conversations being forwarded outside your organisation. It also reduces your exposure to unwanted inbound messages that introduce risk. For example, when your organisation has a Teams-first communication policy, an email that claims to come from a colleague stands out as unusual, so phishing emails are less effective and more easily identified. This holds as long as external access in Teams is itself restricted, since users from other tenants can otherwise message your users directly.

Secure by default

People prefer to use systems and services that offer the least "friction". It is frustrating for people to log in repeatedly, manage passwords and remember complex security information. Secure by default means that security is embedded in the application or service: users barely notice it, but the team responsible for keeping the organisation secure benefits from it.

Human factors are carefully managed through the design of Microsoft Teams by maintaining a walled garden that still makes communication and collaboration easy. It is simple to add external people as guests, but a team owner has to do so explicitly, so the likelihood of your conversations being shared outside the organisation is minimised. Returning to the example above, a default of no external access unless an owner grants it is what secure by default looks like in practice.

Least privilege

The principle of least privilege is a fundamental cyber security practice that ensures users have the minimum access they need to perform their tasks and nothing more. This minimises your organisation's exposure to risk arising from any one user's actions or compromised account. Where additional privileges are required, they should be granted strictly on this basis and only temporarily.

Microsoft Teams allows you to quickly and simply manage the membership of teams. Team membership grants access to the SharePoint site and folders that team member requires, and nothing else. This keeps your organisation secure by ensuring users have the minimum access required to perform their tasks and by preventing them from accidentally accessing information they do not need. It means you don't need to give people access to the entire Z: drive, or email IT support whenever you want to change a person's access to a drive or folder. You simply add them to or remove them from the team.
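The guest-access default discussed under "Secure by default" and the team-membership control discussed here are both things you can audit rather than take on trust. The following is an added example, not code from the original article or from Microsoft: it assumes the MicrosoftTeams PowerShell module is installed and that you sign in with a Teams administrator account. It reads the tenant-wide guest and external-access settings, then builds a per-team report of owners, members and guests and flags the teams a reviewer would look at first.

```powershell
# Added example (not from the original article). Assumes:
#   Install-Module MicrosoftTeams   (the official Teams admin module)
#   an account with Teams administrator rights.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Tenant-level defaults: can owners add guests, and can your users
#    chat with people in other Microsoft 365 tenants or consumer Teams?
$client = Get-CsTeamsClientConfiguration
$fed    = Get-CsTenantFederationConfiguration

[pscustomobject]@{
    GuestAccessAllowed   = $client.AllowGuestUser
    FederationAllowed    = $fed.AllowFederatedUsers
    ConsumerTeamsAllowed = $fed.AllowTeamsConsumer
} | Format-List

# 2. Per-team view. Owners are the people who can explicitly let external
#    people in, so we want to know who they are and where guests already exist.
$report = foreach ($team in Get-Team) {
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $owners = @($users | Where-Object { $_.Role -eq 'owner' })
    $guests = @($users | Where-Object { $_.Role -eq 'guest' })
    [pscustomobject]@{
        Team        = $team.DisplayName
        Visibility  = $team.Visibility        # Public teams are joinable by anyone in the tenant
        OwnerCount  = $owners.Count
        Owners      = ($owners.User -join ', ')
        MemberCount = $users.Count
        GuestCount  = $guests.Count
        Guests      = ($guests.User -join ', ')
    }
}

# 3. Flag what a reviewer would check first: teams that already contain guests,
#    and teams with fewer than two owners (one departing owner orphans the team).
$report |
    Where-Object { $_.GuestCount -gt 0 -or $_.OwnerCount -lt 2 } |
    Sort-Object GuestCount -Descending |
    Format-Table Team, Visibility, OwnerCount, MemberCount, GuestCount, Guests -AutoSize
```

Get-Team followed by Get-TeamUser for every team is slow on a large tenant, so run it as a scheduled audit rather than interactively, and keep the full $report (for example with Export-Csv) so that changes in guest counts and owner counts between runs are visible.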

Defence in depth

Defence in depth is a risk management practice that helps organisations protect and secure data and digital assets by placing them in multiple layers of protection. Each layer has specific functions that help an organisation's security posture. Using numerous protection layers, an organisation can maintain control and reduce the risk of any breach.

Microsoft Teams helps you mitigate the risks associated with your organisation's conversations by keeping them within the organisation's walled garden, configured according to the guidelines in your organisation's security strategy.

For example, requiring multi-factor authentication for everyone signing in to Teams and SharePoint adds a layer beyond the password, so a phished or reused password on its own does not give an external attacker access to your sites and conversations.

Fail securely

At some point, human factors mean that failures in policy or behaviour will occur. Microsoft Teams' walled garden approach helps you identify those failures quickly when team members share inappropriate messages: not only are your team conversations kept within your organisation, they are also open by default to all members of the team. Failures in policy or behaviour are therefore seen quickly and can be corrected before any damage is done.

Avoid security by obscurity

Security by obscurity relies on concealing or limiting information in the hope that an attacker cannot deduce or discover it. It's the organisational equivalent of hiding the keys to the front door under the pot plant.

Security by obscurity is not an effective cyber security practice. Secrecy about how your systems are used is not a control: once an attacker discovers or is told the hidden detail, nothing else stands in their way, so a design should remain secure even when everything about it except the credentials is known.

Microsoft Teams supports this kind of transparency. Through the use of Teams, it is made explicit who owns the team, who the members are, what the team is about and what the collaborative boundaries are.

Keep security simple

Sometimes securing systems and methods in organisations becomes overly complex. They can rely on layered security policies, complex authentication systems, and unique usernames and passwords for every account people have to access. Increasingly complex security policies and procedures make people's jobs harder and stop them from noticing and fixing simple security failures, including access by unauthorised users.

Microsoft Teams helps your organisation keep security simple by making it easy for people to communicate securely within your organisation. Because Teams, SharePoint and the rest of Microsoft 365 share one identity platform, sign-on between them is already single sign-on, and enabling multi-factor authentication for the tenant is a small configuration task for your IT team rather than a project.

Use secure components and designs

Systems are built from components and designs, and any of them may carry vulnerabilities. A component or design is considered secure when it meets a set of requirements drawn from a security framework. These requirements are essential, but they do not always match your organisation's own security requirements.

And while it may be tempting to think that the above principles can also be applied to applications like Zoom and Slack (and that would also be a valid assumption), Microsoft 365 is among the largest and most widely used organisational platforms in the world. Microsoft has significant investment in securing the infrastructure it provides and in ensuring that what it provides is as secure as possible for you, your teams, your people and your data.

Microsoft constantly penetration tests and proactively fixes vulnerabilities in the services and applications it provides, which helps organisations secure their conversations in Microsoft Teams. Teams is a secure-by-design application that uses secure components. This means your conversations are kept within the walled garden of your organisation, and your users have access only to the sites and content they need to complete their tasks.

You can run third-party apps and services alongside Teams, but be very careful: each one you connect may expose your organisation to additional security risk. Do it only when you know exactly what you are doing and are willing to live with the consequences for your organisation and the users you protect. Teams lets administrators control which third-party apps users can install through app permission policies, so the decision can be made once, centrally, rather than by each user.

This also means that if you have a question, problem, or something you want to report about Microsoft Teams, you can report it to them. They actively listen to feedback and regularly communicate what they're doing in each of these different areas to help you keep the conversations that are happening in Teams safe and secure.

Educate and train people

The principle of education refers to educating people about your organisation's security policies and how to protect their sensitive information. The goal is to reduce the risk of breaches occurring so that your organisation can maintain compliance with regulators and prevent your organisation from being victimised.

Microsoft provides various educational tools and resources to help you educate and train people about the security of your organisation's conversations in Teams. You can train your teams to keep their conversations private and protected.

Conclusion

I'm not a Microsoft representative or certified security professional, so what I've said here is based on my own experiences around this topic. But I know good service design, I understand the place of security by design, and I am familiar with how leading platforms in this domain work.

Ultimately, what I've said is my opinion based on my perspective and experience. While I acknowledge that Microsoft Teams has some security and control issues, I firmly believe that Teams can be used very effectively in organisations to help improve collaboration across your organisation.

You can improve your organisation's productivity by opening up your conversations to a broader group of people. People don't need to hunt down the correct person to join a meeting or gather the right people for a chat or discussion. And Teams can drive employee engagement as you can easily connect people across your organisation - in finance, marketing, sales or operations.

“The good we secure for ourselves is precarious and uncertain until it is secured for all of us and incorporated into our common life.”
Jane Addams

It is also well documented that Teams can help organisations drive digital transformation as it helps them transition to modern collaboration and communication platforms.

Tell me what you think. Am I an unreasonable rabid Teams fanboy? Will this article push you to reconsider your communication strategies? Will you put Teams first and send your email to the same place the fax machine went?
