The recent developments surrounding COVID-19 have spiked the demand for working from home and virtual collaboration. As it is already part of the Microsoft Office 365 suite, companies look to Microsoft Teams to help close the gap. Microsoft Teams is a communication and collaboration platform that combines chats, video meetings, file storage, and application integration. However, when adding or migrating an entire suite of functionalities on such short notice, security considerations are easily neglected. Therefore, we will give you five guidelines to help prevent some of the possible pitfalls that could be in store for you and your organisation when moving to Microsoft Teams.
1) Establish and communicate solid security policies and procedures for app management in Microsoft Teams
Apps in Microsoft Teams are tools that combine the functionality of tabs, messaging extensions, connectors, and bots. These apps are provided by Microsoft, built by a third party or by developers in your organisation. When enabled, an app is made available for use to individual users, groups, or the entire organisation. If not properly assessed and approved, an app can introduce several security vulnerabilities or leak data. Security requirements should therefore be taken into account when developing, designing, selecting and approving apps, prior to enabling them for users in your organisation.
2) Ensure that users understand what information they can securely store or communicate with Microsoft Teams
As users are in control of the information they store or communicate through Microsoft Teams, it is important that they understand how to handle data types used in your organisation. This could be achieved by establishing and communicating guidance on data classifications, such that users understand how to apply security classifications to information they store or communicate.
3) Train users to securely manage data and access in Microsoft Teams
It is important that users are given guidance on the workings of Microsoft Teams and their individual responsibility with regard to the security of data in it. This includes, but is not limited to, granting or denying access requests to teams or channels. Users should therefore receive guidance on the implications of assigning the following three roles in Microsoft Teams:
- Owners have administrative privileges at team level, allowing them to edit team settings and manage team users.
- Members are able to add channels and change settings within defined permissions.
- Guests are members of a team who are part of another organisation.
Adding a guest user to a team can introduce several security risks that might not be immediately clear to the end users. For example, external users also automatically acquire access to the underlying SharePoint team sites, including the Recycle bin. Therefore, an external user will be able to access documents used in the team, including those that have already been deleted!
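To support this guidance, administrators can give team owners a list of the teams that currently contain guests. The script below is an added example, not part of the original article; it assumes the MicrosoftTeams PowerShell module is installed and that you sign in with an account allowed to read all teams, and the output file name is a placeholder.

```powershell
# Added example: list every team that has guest users, with its owners,
# so owners can review whether external access is still needed.
# Assumptions: MicrosoftTeams module installed, Teams administrator sign-in.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

$report = foreach ($team in Get-Team) {
    # Get-TeamUser returns one entry per user with a Role of owner, member or guest.
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $guests = @($users | Where-Object Role -eq 'guest')

    # Teams without guests need no external-access review.
    if ($guests.Count -eq 0) { continue }

    $owners = @($users | Where-Object Role -eq 'owner')

    [pscustomobject]@{
        Team       = $team.DisplayName
        Visibility = $team.Visibility
        OwnerCount = $owners.Count                 # 0 means nobody is accountable for the guests
        Owners     = ($owners.User -join '; ')
        GuestCount = $guests.Count
        Guests     = ($guests.User -join '; ')
    }
}

# Teams with the most guests first; keep a CSV copy for the periodic review.
$report | Sort-Object GuestCount -Descending | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\teams-guest-review.csv -NoTypeInformation
```

Each row names the owners who should confirm that the listed guests still need access to the team and its underlying SharePoint site.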
4) Establish and communicate the responsibilities of users
It is important that users understand their responsibilities with regard to chats, video meetings, file storage, and apps in Microsoft Teams, as each functionality communicates or stores information using its own technology. Understanding which functionality to use for which type of data enables users to use Microsoft Teams securely and to apply the correct security measures where applicable. For example, do not store confidential files in channels that are shared with guest users.