Sometimes new software has to be introduced faster than one would like, and established data protection and compliance processes fall by the wayside. That makes it all the more important to catch up on the evaluation afterwards and identify any security gaps that have opened up.
When the coronavirus situation came to a head a few months ago, quick decisions had to be made; nothing less than the health of staff and colleagues was (and still is) at stake. From then on, everyone who could worked from home, and in-person meetings with clients and partners were off the table for the foreseeable future. To let employees work from home as smoothly as possible, many companies introduced new collaboration and communication tools.
Under time pressure, many resorted to software that was easy to obtain and quick to install; typical examples are Zoom, or private Skype accounts used for video conferences. Often there was no time to check their suitability in terms of security and compliance. Now, at the latest, it is time to catch up. The IT situation has eased in many companies, and most employees can now work remotely much as they did in the office. And even as many return to the office, digital collaboration tools are likely to stay.
A typical selection process starts by defining what the software should do and which criteria it has to fulfil. Besides the desired functions, adequate usability and the smoothest possible integration, it is above all the security and compliance requirements that need to be taken into account. This is especially important for cloud solutions such as Zoom or Skype, because sensitive data is exchanged with the cloud and stored there; the cloud service itself must therefore meet the defined criteria as well.
First, ask the usual security questions: Does the software meet the requirements of the GDPR? Can data protection and data security be guaranteed to a sufficient degree? Does it offer end-to-end encryption, and does it use secure transport protocols such as SRTP (Secure Real-Time Transport Protocol) for media? Be precise here: encryption between the client and the provider is not end-to-end encryption, because the provider can still read the content, so a vendor's "encrypted" claim should state which of the two is meant. How are access rights managed? And so on.
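The SRTP question can be verified rather than taken from the vendor's datasheet, at least for SIP- and WebRTC-based tools whose signalling you can see (a SIP trace, or a browser's WebRTC internals page; proprietary clients may not expose it). Media encryption is negotiated in the SDP offer/answer: an `m=` line with the `RTP/AVP` or `RTP/AVPF` profile is plaintext RTP, while `RTP/SAVP(F)` and the `UDP/TLS/RTP/SAVP(F)` forms are SRTP, keyed either by `a=crypto` (SDES, keys visible to whoever sees the signalling, including the provider) or by `a=fingerprint` (DTLS-SRTP, keys derived on the media path). The following Python script is an added example, not code from the original article or from any product it names; the three SDP offers in it are constructed for illustration, and the verdict strings and the `assess_sdp` function name are this example's own conventions.

```python
"""Classify the media lines of an SDP offer/answer by SRTP use and keying.

Added example: not from the original article. The sample offers below are
constructed; the fingerprint value is a placeholder, not a real certificate.
"""

# Transport profiles that mean SRTP (RFC 3711; DTLS-SRTP forms from RFC 5764).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample offers (not captured from any real product).
_FP = "a=fingerprint:sha-256 " + ":".join(f"{b:02X}" for b in range(32))

SECURE_OFFER = f"""v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
{_FP}
a=setup:actpass
m=audio 49170 UDP/TLS/RTP/SAVPF 111
a=rtpmap:111 opus/48000/2
m=video 49172 UDP/TLS/RTP/SAVPF 96
a=rtpmap:96 VP8/90000
"""

SDES_OFFER = """v=0
o=- 2 1 IN IP4 192.0.2.11
s=-
c=IN IP4 192.0.2.11
t=0 0
m=audio 5004 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
"""

PLAIN_OFFER = """v=0
o=- 3 1 IN IP4 192.0.2.12
s=-
c=IN IP4 192.0.2.12
t=0 0
m=audio 5006 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 96
"""


def parse_sdp(sdp):
    """Split an SDP blob into session-level lines and per-media sections."""
    session, media, current = [], [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # tolerate blank or malformed lines
        if line.startswith("m="):
            current = {"m": line[2:], "attrs": []}
            media.append(current)
        elif current is None:
            session.append(line)
        else:
            current["attrs"].append(line)
    return session, media


def keying_method(lines):
    """Return 'dtls-srtp', 'sdes' or 'none' for a list of SDP lines."""
    attrs = [l[2:] for l in lines if l.startswith("a=")]
    if any(a.startswith("fingerprint:") for a in attrs):
        return "dtls-srtp"
    if any(a.startswith("crypto:") for a in attrs):
        return "sdes"
    return "none"


def assess_sdp(sdp):
    """Return one finding per accepted media line (port 0 = rejected, skipped)."""
    session, media = parse_sdp(sdp)
    findings = []
    for sec in media:
        parts = sec["m"].split()
        if len(parts) < 3 or parts[1] == "0":
            continue
        kind, port, proto = parts[0], parts[1], parts[2]
        secure = proto in SECURE_PROFILES
        keying = keying_method(sec["attrs"])
        if keying == "none":
            # A session-level a=fingerprint applies to every media section.
            keying = keying_method(session)
        if not secure:
            verdict = "FAIL: plaintext RTP profile"
        elif keying == "dtls-srtp":
            verdict = "OK: SRTP keyed by DTLS-SRTP"
        elif keying == "sdes":
            verdict = "WARN: SRTP keyed by SDES (keys readable in signalling)"
        else:
            verdict = "FAIL: SRTP profile but no SDES or DTLS-SRTP keying offered"
        findings.append({"media": kind, "port": port, "proto": proto,
                         "secure_profile": secure, "keying": keying, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for name, offer in (("secure", SECURE_OFFER), ("sdes", SDES_OFFER), ("plain", PLAIN_OFFER)):
        for f in assess_sdp(offer):
            print(f"{name:6} {f['media']:5} {f['proto']:20} {f['verdict']}")
```

The check is deliberately strict about keying: an SDES-keyed call is encrypted on the wire but the key travels inside the signalling, so whoever terminates the signalling (normally the provider) can decrypt the media. That is exactly the distinction between transport encryption and end-to-end encryption that the questions above turn on.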
But since in this case the software is already in use, it may well fall short of some of the criteria. So further questions arise: What concrete risks does using the software entail? Is there a risk of fines, reputational damage or even data loss? Can the company live with these risks? Also ask critically whether the hastily introduced tools have created shadow IT, and what that means for your infrastructure.
Alongside the retrospective evaluation, it is important to examine the concrete effects of the software on the security situation. We support our customers here with a security assessment, for example: in a threat check on the production system we analyse, over a period of two weeks, exactly which threats arise. Weak passwords are detected, as are insecure connections from mobile work devices and possible entry points for denial-of-service attacks. The result is a detailed threat analysis with recommendations for action, a good basis for sustainably improving your security.
Security and compliance are, of course, not only important when new web-based collaboration tools suddenly come into use. But since these tools need critical scrutiny anyway, it makes sense to review the overall situation at the same time.