The recent developments surrounding COVID-19 have spiked the demand for working from home and virtual collaboration. As it is already part of the Microsoft Office 365 suite, companies look to Microsoft Teams to help close the gap. Microsoft Teams is a communication and collaboration platform that combines chats, video meetings, file storage, and application integration. However, when adding or migrating an entire suite of functionalities on such short notice, security considerations are easily neglected. Therefore, we will give you five guidelines to help prevent some of the possible pitfalls that could be in store for you and your organisation when moving to Microsoft Teams.
Apps in Microsoft Teams are tools that combine the functionality of tabs, messaging extensions, connectors, and bots. These apps are provided by Microsoft, built by a third party or by developers in your organisation. When enabled, an app is made available for use to individual users, groups, or the entire organisation. If not properly assessed and approved, an app can introduce several security vulnerabilities or leak data. Security requirements should therefore be taken into account when developing, designing, selecting and approving apps, prior to enabling them for users in your organisation.
As users are in control of the information they store or communicate through Microsoft Teams, it is important that they understand how to handle data types used in your organisation. This could be achieved by establishing and communicating guidance on data classifications, such that users understand how to apply security classifications to information they store or communicate.
It is important that users are given guidance on the workings of Microsoft Teams and their individual responsibility with regard to the security of data in it. This includes, but is not limited to, granting or denying access requests to teams or channels. Users should therefore receive guidance on the implications of assigning the following three roles in Microsoft Teams:
Adding a guest user to a team can introduce several security risks that might not be immediately clear to the end users. For example, external users also automatically acquire access to the underlying SharePoint team sites, including the Recycle bin. Therefore, an external user will be able to access documents used in the team, including those that have already been deleted!
It is important that users understand their responsibilities with regard to chats, video meetings, file storage, and apps in Microsoft Teams, as each functionality communicates or stores information using its own underlying technology. Understanding which functionality to use for which type of data enables users to use Microsoft Teams securely and to apply the correct security measures where applicable. For example, do not store confidential files in channels that are shared with guest users.
Another thing to keep in mind when working with Microsoft Teams is that access rights can be assigned to teams and channels, but also to the underlying SharePoint team sites. A user can request access to the underlying SharePoint directory and thereby acquire access to files in the team whilst not appearing in the Microsoft Teams user management overview. It is therefore important to ensure that user access management policies and procedures are updated to include identification and correction of these 'hidden' user access permissions.
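One way to identify such 'hidden' permissions is to reconcile an export of the team's membership against an export of the users on the underlying SharePoint site. The script below is an added example, not part of the original article; the column names (`User`, `LoginName`, `Groups`) and the sample rows are assumptions about how the exports were produced, and the data is constructed.

```python
"""Reconcile Teams membership against SharePoint site users (added example)."""

CLAIM_PREFIX = "i:0#.f|membership|"  # claims prefix SharePoint Online puts on user logins
GUEST_MARKER = "#ext#"               # appears in guest user principal names


def normalise(login: str) -> str:
    """Lower-case a login and strip the SharePoint claims prefix if present."""
    login = login.strip().lower()
    if login.startswith(CLAIM_PREFIX):
        login = login[len(CLAIM_PREFIX):]
    return login


def hidden_site_users(team_members, site_users):
    """Return site users who are not in the team roster, guests first.

    team_members: iterable of dicts with a 'User' key (UPN).
    site_users:   iterable of dicts with 'LoginName' and 'Groups' keys.
    Both shapes are assumptions about the export format.
    """
    in_team = {normalise(m["User"]) for m in team_members}
    findings = []
    for u in site_users:
        login = normalise(u["LoginName"])
        if "|" in login or "\\" in login:
            continue  # assumed to be a group or system principal, not a person
        if login not in in_team:
            findings.append({"login": login, "guest": GUEST_MARKER in login,
                             "groups": u.get("Groups", "")})
    return sorted(findings, key=lambda f: (not f["guest"], f["login"]))


# Constructed sample data, not taken from a real tenant.
TEAM_MEMBERS = [
    {"User": "Alice@contoso.example", "Role": "owner"},
    {"User": "bob@contoso.example", "Role": "member"},
]
SITE_USERS = [
    {"LoginName": "i:0#.f|membership|alice@contoso.example", "Groups": "Project Owners"},
    {"LoginName": "i:0#.f|membership|bob@contoso.example", "Groups": "Project Members"},
    {"LoginName": "i:0#.f|membership|carol@contoso.example", "Groups": "Project Members"},
    {"LoginName": "i:0#.f|membership|dave_partner.example#ext#@contoso.onmicrosoft.com", "Groups": "Project Visitors"},
    {"LoginName": "SHAREPOINT\\system", "Groups": ""},
]

if __name__ == "__main__":
    for f in hidden_site_users(TEAM_MEMBERS, SITE_USERS):
        kind = "guest" if f["guest"] else "internal"
        print(f"{f['login']} ({kind}) via {f['groups'] or 'direct grant'}")
```

Each finding is an account that can reach the team's files without appearing in the Teams roster; guests are listed first because they fall outside the organisation.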
To conclude, it is clear that many organisations can benefit greatly in these trying times by leveraging Microsoft Teams. However, it is important to help your employees make secure choices when it comes to collaborating through Microsoft Teams, especially when users from outside your organisation get access as well. With a secure configuration of your Teams setup and the right guidance for your end users, Microsoft Teams could be a great and secure addition to the way your organisation works together.