In the modern workplace, communication tools have evolved significantly, enabling seamless interaction among team members. However, with the convenience of these tools come concerns and vulnerabilities that businesses need to address. In this podcast episode of "Stimulus Tech Talk," Sherry Lipp, Marketing Manager, and CEO Nathan Whittacre from Stimulus Technologies delve into the various communication devices used in workplaces, along with associated concerns and strategies to mitigate risks.
Stimulus Tech Talk - Securing Workplace Communication: Strategies To Put In Place Now
Understanding Communication Tools and Concerns For Business
The discussion kicked off by identifying the plethora of communication tools prevalent in today's workplaces. From email to instant messaging platforms like Slack, employees often utilize various channels for efficient communication. However, the concern arises when employees resort to unauthorized tools without the knowledge of business owners, potentially compromising data security. Nathan shares an anecdote highlighting the inadvertent use of Slack by team members without proper authorization, emphasizing the importance of proactive measures to establish an official communication platform.
How To Implement Communication Safeguards and Policies in the Workplace
Putting safeguards and policies in place is crucial to business operations and security. Restricting access to specific platforms through acceptable use policies, and using technology to enforce those restrictions, is one of the most important steps in this process. By defining clear guidelines and educating employees on acceptable practices, businesses can minimize the risks posed by unauthorized communication channels.
Mitigating Risks on Personal Devices
With the proliferation of remote work, employees often use personal devices for work-related communication. However, this introduces additional vulnerabilities, especially concerning data retention and privacy. Nathan highlights the importance of remote wipe capabilities offered by platforms like Microsoft Teams to ensure the secure removal of company data from personal devices upon employee departure. Additionally, he emphasizes the need for businesses to define policies regarding the use of personal devices for work purposes, striking a balance between productivity and security.
Why a Communication Strategy is Important
Effective workplace communication entails not only leveraging the right tools but also implementing robust security measures and policies. Sherry and Nathan advocate for a proactive approach wherein businesses define clear guidelines, restrict access to authorized platforms, and prioritize data security. By fostering a culture of compliance and awareness, organizations can navigate the complex landscape of workplace communication while safeguarding sensitive data and enhancing productivity.
If you would like to discuss your company's communication tools use policy, schedule a call with us today.
Securing Workplace Communication: Strategies To Put In Place Now - transcript
SUMMARY KEYWORDS
employees, communication, company, slack, stimulus, instant messaging, tools, device, platforms, communicate, information, set, work, concern, leaves, employer, place, acceptable use policy, technology, years
SPEAKERS
Intro, Nathan Whittacre, Sherry Lipp
Intro 00:00
You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.
Sherry Lipp 00:14
Welcome to Stimulus Tech Talk. I'm Sherry Lipp, marketing manager here at Stimulus Technologies. And I am here today as usual with Stimulus Technologies CEO Nathan Whittacre. And today we're going to be talking about all the many communication devices that we use to communicate at work, and, you know, what kind of concerns and vulnerabilities we have with those. Hello, Nathan.
Nathan Whittacre 00:38
Thanks, Sherry, it's good to be here, as always.
Sherry Lipp 00:42
So let's start out by talking about, you know, what kinds of communication tools are we talking about, and what are some of the concerns we have with them?
Nathan Whittacre 00:54
So when we're talking about, you know, there's a lot of different communication tools. And I think, today, we're gonna be talking about more text-based communication tools, you know, like instant messaging, things like that. So obviously, there's, you know, email that's very common today. But I think one of the things that business owners need to consider is your employees may be using tools to communicate among each other that you don't necessarily know about, because a lot of these tools are, you know, free to sign up, or they're, you know, maybe on their devices already, and your employees may be using them without your knowledge. Just a quick experience: a few years ago, a few members of my team, you know, wanted to have some instant messaging capabilities. And Slack was a new tool back then, and without, you know, talking to their supervisors or talking to me, they set up some Slack groups among themselves, and were communicating, you know, among themselves without my knowledge, or, you know, even blessing on it. And the reason this was allowed is because it was all web-based, so there wasn't any software to install, and anything that we could do, really, other than blocking, you know, Slack as a website, for them using it. So, you know, we eventually talked about it and put a plan in place and made it so that, you know, we had an instant messaging platform across the company. But you know, more than likely, your employees are probably communicating with each other in ways that you don't know about. And that's probably our biggest concern.
Sherry Lipp 02:46
Yeah, and I know with some of these employee get into a little bit more about tips, but I mean, I know I've had that same experience. And, you know, I use Slack for marketing communication, but I, you can throw tools you can put in place because I can't upload files. So, you know, I can't upload files, or nobody could log into my computer and upload a bunch of sensitive data into Slack. So there are some safeguards we can put in place, even in these web based tools.
Nathan Whittacre 03:15
Yeah, there's definitely things that you have to do or should be doing if you're allowing or using web-based tools to protect confidential data that's inside the company. As we know, you know, once it's uploaded onto the internet, it's probably there forever. And it's hackable, forever. So the concern is, is, you know, employees are uploading, or able to upload into channels that you don't necessarily want them to, that information, especially if it's confidential information, could live on forever, and there's a ton of different communications do they come up all the time, whether, you know, a Slack from maybe 10 years ago, or Discord that, you know, kind of coming into business today, or, you know, as much as like Facebook or LinkedIn, or hockey at all that Strava, which is a tool for runners and cyclists to communicate with each other, there's instant messaging on that now too. And so, you know, your employees could be communicating through these different platforms, and potentially confidentially sharing information that you don't want to. So, you know, a quick story. A friend of mine runs a technology company, and, you know, he had issues with some employees were going to be leaving the company, and, you know, they were communicating through text messaging with each other. And, you know, their whole intention was to steal employees and or steal clients and leave, and they were using, you know, off the tools, you know, the word company tools to upload client records, client information. Interestingly enough, all that information is repeatable in court later down the road. And so, you know, it was later discovered of all this communication that was happening, but, you know, that's the concern for you as an employee is or employer, business owners, what information are you allowing your employees to share through non regular communication channels, and that's, you know, that could be a lot of different things.
And so having that protection in place on your web browsers and in your file environment to protect against that is really important.
Sherry Lipp 05:49
And, you know, I've heard a lot of you mentioned Discord. And that's kind of a social media forum site that you could have viewed as kind of like a Reddit almost, and but businesses are using it for internal communication. How is that become a part of just company policy, how that's used, I mean, are there very many safeguards a business can put in place for something like that?
Nathan Whittacre 06:13
Certainly, you could block it, through technology, we can take and block the apps and websites. So if you do have specific concerns about different applications, you would just disable that through, you know, security services on the endpoints and devices. So that would be, you know, a way to do that and say, Okay, these are the platforms. And this would be my recommendation, is to tell your employees through acceptable use policies and say, Okay, on company devices, with company information, we're going to only use Microsoft Teams, or we're going to only use Slack, and it's going to be our company Teams, or company Slack service. And that's all that's allowed. You know, we're not going to allow Discord or Reddit, I mean, people are posting stuff to Reddit that they probably shouldn't, and, you know, be good to monitor, you know, some of these things. But it's certainly important from it, you know, to set an expectation across your company of what's acceptable, define what tools you're going to use as a company, and don't allow your employees to go beyond that. The reason employees, you know, set up these, we call it shadow IT, which means that they're going to do their own IT work without letting you or the IT provider know, is because they're just trying to do their job the most efficient way possible. So, you know, our team members, you know, from five years ago, set up a Slack channel, because they found that that was the easiest way for them to get their job done. And we realized, hey, you know, that that is actually a good tool, we need to do something in our organization to allow for this instant communication, and we went with, you know, a different product, but, you know, just discuss it with your employees and say, Why are you using Discord? Why are you using Slack? Or, and, you know, analyze that and say, Okay, well, we need to have something in place for our team members to better communicate with each other.
Let's make a policy and then enforce that policy through technology.
Sherry Lipp 08:26
And I think another thing to keep in mind too, is like how these things will integrate, because you know, a lot of times Slack and Teams do, you can start integrating all these apps with each other. And so you might be integrating it into a work system that you're not realizing. A lot of people, of course, are doing it for convenience, like you said, and not because they're trying to do anything wrong. But a quick story on my part, you know, I worked at a place where we did customer service via Twitter. And so in a lot of companies have the only have a dedicated customer service Twitter account, but since it was connected to our main ones, somebody hacked into it and started posting on our behalf. And it wasn't even something that anybody was thinking about. Because you know, the Twitter one, one just went into a ticketing system, and they're like, oh, that's fine. But actually, somebody was able to get into the normal account and start posting things that we wouldn't want posted. So I think that's important to keep in mind.
Nathan Whittacre 09:22
That's a huge concern now. You know, there's so much single sign-on and API integration across platforms, which makes it work better. But in the security industry, right now, we're really concerned about platform integration, like you mentioned. So a great example, Sherry, that if you authorize what are called API integrations or API keys between two platforms, that means that you're basically saying okay, these two systems can communicate with this data, but and they trust each other. The problem with that is, is if one of the systems gets compromised, you have a conduit into the other system. And this is happening a lot with single sign-on now that you, you know, you sign up for a new service. And you, you know, it says, Okay, you can create a username and password or use your Google account or use your Microsoft account or use your Facebook account to log in. And it's just a convenient thing to say, Oh, just use my, you know, Google account or Microsoft account, and then you enter, you know, then you're always logged into that service. But now that has a token, and it eliminates multi-factor authentication between the two platforms. So to get into that secondary platform, or to get back to the one that you're using a single sign-on, there's a token authentication that allows those two systems to communicate without you having to be involved or enter a password and multi-factor authentication again. And that's a way that hackers are now getting into these systems back and forth. So I know we've got a little off topic on communication here. But it is a concern that we have right now about this tokenization and multi-factor, or that single sign-on, that's bypassing the multi-factor authentication that we often set up. So you know, these platforms that you're using just, you know, just be really careful about what you're signing up for.
And it's better to leave them a little siloed rather than integrating them, especially if they're unknown platforms, but even well known platforms have been hacked, you know, LinkedIn, I'd beat up on them on this podcast a lot. But if they were, you know, compromised, it's been eight to 10 years now. But even these big systems that are owned by big companies get compromised, and, you know, data gets leaked out. And if they have access in between your systems, then, you know, that's a conduit for a hacker to, you know, use one set of credentials to get access into other systems.
Sherry Lipp 12:03
You know, and with all these methods, you know, communication, you know, since it has become, you know, texting, instant messaging and direct messaging, you know, the Slack-type programs, is that a bigger risk for not knowing who you're talking to sometimes?
Nathan Whittacre 12:19
It certainly is, I mean, I think text messaging is a really easy scenario. So I think we've shared the story on this podcast a number of times that often, you know, a new employee that joins Stimulus will change, and I'm grateful that they do this, they change their status on LinkedIn that said, they're working for Stimulus Technologies now, and they're super excited to join the team. Their profile is visible, because LinkedIn was hacked, in the past, the hacker may have that user's cell phone number, because that's in the private information that was put into LinkedIn. And so as soon as they change that status, within a few minutes, I'll get a text message from me and say, hey, you know, I'm on vacation right now. And I really need to get these Amazon gift cards out to a few clients, would you mind running down and picking these up, and, you know, they don't know my cell phone number, but they're getting this text message for that looks potentially legitimate. And you know, it's a scary thing out there. So it's, you know, text messaging is definitely an issue. So I always recommend you to have a clear channel of communication with a team that you use and you know, that is valid and authenticate any other communication against that. And if you know, as with any hacking, if it feels weird, if it doesn't feel right, or if there's pressure to do something right then and there, slow down, do, you know, secondary verification that that's really what needs to happen and use that. So it's a scary thing out there, especially with texting and instant messaging and, you know, with all these other communication methods that are out there, you know, have one central communication method that you trust and you know is valid and use that in general.
Sherry Lipp 14:22
And so you mentioned, you know, data retention earlier and, you know, one employee leaves starting on, you know, maybe they're still unemployed, but you need to see what they're doing because it's kind of almost like, you know, line started become as a personal or is it work, you know, with these types of communication? How do you ensure that you get the data that belongs to the company and, you know, is there any possibility of privacy lines being crossed?
Nathan Whittacre 14:53
Again, it goes back to this acceptable use policy and it should be clearly defined in your employee handbook and in your acceptable use policy that any communication that is performed on company devices is owned by the company. And the employee should take that literally is, you know, if I send an email, or I open up a web browser, and I go to, you know, a site and put information in, what I did during that time is owned by the company and could be, you know, monitored, subpoenaed in the future, you know, in a legal case. I mean, there's, we've seen it over the years that, you know, stuff gets out that, you know, it's being tracked somewhere, and, you know, somebody wants access to that, whether it's, you know, by subpoena through a court case, or, you know, hackers trying to get access to it, it can be found. So, my recommendation to all employees out there is, you know, assume whatever you're doing on a corporate device is being monitored and recorded, and ensure that, you know, that you would want your employer to see what you're doing. So, you know, funny case a few years ago, you know, we often set up these monitoring systems, just, you know, it's more for protection, and also logging purposes, if there's a future HR issue, you know, employers are in the business of micromanaging every website you go to, but you know, if there is an issue or concern, you know, especially if there's productivity issues and things like that, they might want to look at it, right. And if there's an HR problem, they might want to look at it too. So two cases that I just will share, you know, they, we implemented this, and the owner of the company is like, Hey, I'd like to see what the reports are looking like, and we bring up the report, and they're like, you know what, this employee isn't the most productive employee, let's see what he's doing.
And sure enough, like the entire day, they're on social media sites, or they were on job search sites on their, on their, their work computer, they were literally putting in applications for other employment. And you know, that I mean, that's certainly grounds for terminating an employee that they were not, you know, using their time productively, and not working for the company. So certainly a big concern. The other thing that, you know, that happened at another business is, there was a sexual harassment case, and we had monitoring, and we go to the person's computer, and they were spending a lot of time on pornography websites. And so you know, it's a terrible thing, you know, they were doing on work time. And so, you know, just for all employees out there, don't use work computers to do that kind of stuff, you know, go, if whatever you want to do, if you're searching for another job, go home, do it on your home PC, or laptop, or tablet or phone or whatever it is, don't do it on work devices, because just assume that it's all monitored. And, you know, somebody will find out what's going on.
Sherry Lipp 18:09
Yes, definitely a good point. And so kind of getting to some of these tools, you can't, you know, they're on our work devices, but there are apps that will go along with it, if we put on our phones, you know, like Teams or even a CRM app, just so we can, you know, be connected. Or if we're moving around, you know, especially when we're remote. Are there more vulnerabilities when you're putting those apps on a phone? On your personal phone, especially?
Nathan Whittacre 18:41
Yeah, I think for the most part, like your, your mainstream communication software, like Microsoft Teams, or Slack or something like that is probably very safe to allow employees to put on their devices. One of the things that Microsoft particularly does, and this is why we like Microsoft, is it has remote wipe capabilities. And this is, from an employer standpoint, you'd want to look at as if an employee leaves, can I remove that information from their device? And even if it's a company owned device, you know, they may or may not return it. So is there a way to clear that data off from that device? And so Microsoft makes it so that we can, when the employee puts that app on the device, they give us authorization as an IT department to wipe that software off. So you know, if a salesperson leaves a company, and they have OneDrive and Teams and all these apps on their device, and they leave the company, we just, you know, deauthorize that mobile device and it removes all that data off the device. The question is, is an app like maybe a CRM app? Can you do the same thing, can you wipe the contents of that app off if that employee leaves? Or did that, can they still log in for a period of time and download customer information, maybe for their new employer that they're going to, a competitor or something like that. So those are questions as an employer, you want to ask if you have the capability of removing that data off of the employee's bring your own device, computer or laptop or tablet or whatever it may be, your phone.
Sherry Lipp 20:30
Yeah, so it sounds like kind of this boils down to, you know, besides the security measures we talked about putting on is that an acceptable use policy is very important, especially now than ever?
Nathan Whittacre 20:43
Yes, yeah. And customers often come to us and say, Well, I want to be able to do X. And I want to be able to prevent my employees from, you know, going out to job hunting websites. And the first thing that I recommend them to do is they have you defined a policy to say what they're allowed to do on their computers and, or their devices or whatever it may be. And if they haven't, we need to start there, we need to start with defining the policies and then implementing those policies through technology. But first, you know, the team members, the employees need to sign off on the rules of engagement with the company first, and then we can implement the technology to make that work. If the employer's, like, just changing things all the time, then the your, your staff will know what's right, or what's wrong. So it's really important just to have that clearly defined, whether, you know, bring your own device is allowed or not, you know, do you want to allow company information on an employee's, you know, home computer or personal cell phone or not, you know, just make those decisions as a company and you know, that we can help you as Stimulus, we can help you with that. And your IT people can help you with that, too. And if there's any questions on that, you know, we can, we could walk through developing these acceptable use policies and security policies with you. And I talked about it in my book and the workshops and keynotes that we do as a company that, you know, that's one of the things we talked about is defining these policies properly, and then implementing them through technology.
Sherry Lipp 22:31
Yes, definitely. And our past podcast, you know, we talked about all the different layers of security, so and then thanks so much, Nathan, for this information. I thought, I think it was a really interesting topic for a lot of people.
Nathan Whittacre 22:43
It's definitely a different thing to think about. And, you know, there's a lot of aspects to communication and this aspect of how you communicate with each other is important to think about as business owners to clearly understand how your team can be productive, but also limit the potential problems for your organization as you go through this.
Sherry Lipp 23:04
All right. Well, thank you and thanks, everybody.
Nathan Whittacre 23:07
Thank you for being here.