The Coronavirus lockdown saw many organisations dust off their business continuity plans, quickly trial a day of working from home and then have vast portions – if not all – of their employees permanently working from home.
Most organisations moved with impressive agility. People and organisations scrambled to get ‘something in place’ to support remote workers; messaging solutions were installed and rolled out without much consideration beyond ‘does it work?’ A bad decision was better than no decision, and understandably so.
As organisations adjust to the new normal, there’s time for reflection. If you have a nagging feeling that the collaboration tool you chose might cause some issues down the line, here are seven questions you should ask yourself.
1. How secure does your chat app need to be?
This is a bigger question than it sounds. Group chat has grown from a ‘nice to have’ to an absolute necessity. Employees are discussing business options and making decisions within chat tools, so security should be a top priority.
A leak of contrary views around the pricing of a new drug for example - and the possible impact on lives - may not reflect well in the media or in court. The balance between the quality of customer service, and the cost of delivering it, is a calculation best kept to the team that makes those choices. And this is before we even consider compliance, retention or data audit issues.
In short, the simple chat app has become a company approved business collaboration tool that enables and captures critical decision-making. It needs to be very secure indeed.
2. So is your secure collaboration tool end-to-end encrypted?
OK, let’s be clear here. End-to-end encryption means that a message is encrypted on the sender’s device and can only be decrypted on the devices of the people you are talking to. Nobody in between can read it: not the network, not the service provider, and not an attacker who compromises the provider’s servers. What it does not tell you, on its own, is that the device at the other end actually belongs to the person you think it does; that is the separate problem in 2b below.
Although end-to-end encryption is easy to understand conceptually, in terms of technical implementation it’s multifaceted and complex. When you throw in non-technical people getting confused and the devil’s work that is marketing, you’re soon into snake oil territory.
Major companies are now finding themselves publicly shamed for having danced around the term end-to-end encryption. Slack, Facebook and Zoom are just three firms that have tried to apply the term to mean “encrypted end-to-end… as long as one of those ends is us”. In these cases the service provider, and anyone who compromises it, has full visibility into your conversations. It has led to some spectacular climb-downs, forcing these companies to revise their marketing and publish clarifications such as Zoom’s.
Why the weasel words and awkward apologies for having misspoken? Because end-to-end encryption is very hard to do properly, and most services don’t bother: their business models depend on reading your data in order to analyse and integrate it. Happily, some have made the effort to get it right, such as iMessage, Matrix, Signal and WhatsApp.
2b. And even if it’s properly encrypted, do you know for sure who you’re talking to?
Even within the services that actually implement end-to-end encryption (the real kind, not the fantasists’ versions), there’s a separate challenge: how do you know you’re talking to the right person rather than an impostor intercepting your messages? The server is what hands you the other party’s public keys, so a compromised or coerced server can hand each of you its own key instead and sit in the middle while both sides see a perfectly normal conversation. On services like iMessage, there is simply no way for a user to tell whether that is happening. On Signal and WhatsApp, you get a warning when the other person’s key changes (typically because they changed device), and it’s then up to you to laboriously compare safety numbers out of band to establish whether the new device is legitimate or an impostor. On Matrix, users will soon be able to vouch for their own devices (cross-signing), so you only ever need to verify a user’s identity once rather than every device they add, giving unprecedented power to ensure you’re actually talking to the right person.
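The two points above, that a relaying server cannot read properly end-to-end encrypted traffic but can still impersonate the other party if it is also the key directory, are easier to see in code. The following is an added example written for this page, not New Vector or Matrix code and not the Olm/Megolm protocol: a constructed toy messenger using Go’s standard-library X25519 (crypto/ecdh, Go 1.20 or later) and AES-256-GCM. The party names, the server that doubles as key directory, the one-message exchange and the trust-on-first-use store are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party is one user with a single long-term X25519 key. Real messengers use
// per-device keys and ratchets; this constructed example is not any real protocol.
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() *Party { return &Party{priv: must(ecdh.X25519().GenerateKey(rand.Reader))} }

func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// Fingerprint is the short digest users compare out of band (Signal's "safety number").
func Fingerprint(pub []byte) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// aead derives an AES-256-GCM key from our private key and whatever "peer" key the
// server handed us. Whether that key is really the peer's is the whole question.
func (p *Party) aead(peerPub []byte) cipher.AEAD {
	shared := must(p.priv.ECDH(must(ecdh.X25519().NewPublicKey(peerPub))))
	key := sha256.Sum256(shared) // toy KDF; real protocols use HKDF with context info
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

func (p *Party) Encrypt(peerPub []byte, plaintext string) []byte {
	gcm := p.aead(peerPub)
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil)
}

func (p *Party) Decrypt(peerPub []byte, msg []byte) (string, error) {
	gcm := p.aead(peerPub)
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, msg[:n], msg[n:], nil)
	return string(pt), err
}

// Server is both relay and key directory. Honest, it forwards keys and ciphertext
// untouched and learns nothing. Compromised, it hands each user its own key in place
// of the peer's and re-encrypts in the middle; both users still read coherent text.
type Server struct {
	Compromised bool
	mitm        *Party
}

func (s *Server) LookupKey(of *Party) []byte {
	if s.Compromised {
		return s.mitm.Public()
	}
	return of.Public()
}

func (s *Server) Relay(from, to *Party, ct []byte) []byte {
	if !s.Compromised {
		return ct
	}
	return s.mitm.Encrypt(to.Public(), must(s.mitm.Decrypt(from.Public(), ct)))
}

// TrustStore pins the first key seen per user and flags later changes: the
// "safety number has changed" warning, which is the user's cue to re-verify.
type TrustStore map[string]string

func (t TrustStore) Check(user string, pub []byte) (changed bool) {
	fp := Fingerprint(pub)
	old, seen := t[user]
	t[user] = fp
	return seen && old != fp
}

// Exchange sends one message from Alice to Bob via the server and reports what Bob
// read, whether the server could read it in transit, and whether an out-of-band
// fingerprint comparison would have passed. Only the last differs between the cases.
func Exchange(compromised bool) (received string, serverRead, verified bool) {
	alice, bob := NewParty(), NewParty()
	srv := &Server{Compromised: compromised, mitm: NewParty()}
	bobKeyAsSeenByAlice, aliceKeyAsSeenByBob := srv.LookupKey(bob), srv.LookupKey(alice)
	ct := alice.Encrypt(bobKeyAsSeenByAlice, "approve the price increase")
	_, err := srv.mitm.Decrypt(alice.Public(), ct)
	serverRead = err == nil
	received = must(bob.Decrypt(aliceKeyAsSeenByBob, srv.Relay(alice, bob, ct)))
	// Alice reads the fingerprint her app shows for Bob; Bob reads his own key's.
	verified = Fingerprint(bobKeyAsSeenByAlice) == Fingerprint(bob.Public())
	return
}
```

With an honest server, `Exchange(false)` delivers the message, the server’s attempt to open the ciphertext fails authentication, and the fingerprints match. With a compromised server, `Exchange(true)` delivers exactly the same readable message to Bob while the server has read it in transit; the only visible difference is that the fingerprint Alice’s app shows for Bob no longer matches the one Bob’s app shows for himself. `TrustStore.Check` is the mechanism behind the Signal/WhatsApp “key changed” warning: it stays silent on first contact and on a repeated key, and fires when the key for a known contact changes.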
3. Have you locked yourself in a silo?
Who can you talk to on your chat system? Is it just your team, or is it your partners, customers and the rest of the world?
It’s a bizarre irony that most collaboration tools lock other people out. Collaboration doesn’t work inside a closed box: people end up logging in and out of several walled-garden tools just to reach their customers and partners.
Why not have a single app that can interoperate with the chat systems in place elsewhere (as is the case with email)? Otherwise, your group chat is little more than digital internal memos.
4. Is your collaboration provider holding your data hostage?
Vendor lock-in is bad for all sorts of reasons, so it’s important to know you can switch providers without losing data. Ideally your collaboration service is part of an open ecosystem with many interoperable providers, rather than coming from a single company, and you should be able to simply point your own DNS at whichever provider you like.
By choosing the right provider and having a good IT architecture in place, your collaboration data should be in your control and portable in the short, medium and long term.
5. How reliable is your provider?
However massive a cloud platform, it still suffers unexpected outages lasting hours a few times a year. That can be anything from inconvenient to costing millions, or even costing lives. So it’s sensible to consider whether your chosen collaboration tool is tied to a particular cloud platform, or whether you can run it on premises. In a mission-critical environment you should really have full operational independence. If that’s not an in-house option, then at least be sure you can pick and switch servers at a moment’s notice, so that you are never ‘speechless’ whatever the circumstances.
6. Does your provider help or hinder compliance?
Compliance obligations depend on the type of organisation you are, geographic and industry-specific jurisdiction, and where your data is stored.
Collaboration tools are often most vital in fast-moving frontline functions; in an acute healthcare setting, for example, information isn’t just power, it’s the power of life or death. But regulation is tight. Patient confidentiality needs to be assured, yet medical histories, X-ray images and remote diagnoses can be flowing through group chat. In the US, committed, well-intentioned clinicians might well violate HIPAA as they share protected health information (PHI) through an unapproved tool. In the UK the NHS stipulates end-to-end AES-256 encryption and has collaboration tool specifications covering passcode protection, remote wipe and message retention.
Financial services and other regulated industries also have specific requirements, while any firm operating in the EU needs to ensure GDPR compliance or face a fine of up to four percent of global annual turnover (or €20 million, whichever is higher). Similar legislation is in place, or in development, elsewhere, such as the California Consumer Privacy Act. Collaboration tools also need to support cybersecurity regulation, such as the EU’s NIS Directive.
More generally, companies pay a lot of money to protect their internal network and users’ machines from viruses and malware propagated by email. Yet how many chat systems actually scan the files shared over instant messaging for malware at all?
Can you attest as to where your data resides? Did you have the option to specify? Is the service even architected to allow such choices so that you can meet your specific compliance requirements?
7. Does your official solution work so well that people won’t choose alternatives?
Shadow IT is a genuine issue, particularly in an area like instant messaging, chat and video where so many free consumer-grade solutions are available.
It is a perfect example of the classic pure-play vs platform dilemma. A provider that focuses solely on collaboration tools is likely to have a faster, smarter solution than a company that provides collaboration as an add-on to an enterprise-wide suite. Clunky, dated team collaboration tools from big enterprise software firms will see your mandated choice gather dust while the workforce embraces unmanaged consumer-grade alternatives.
And free consumer-grade chat services are almost always advertising-funded, which means they are harvesting the content that passes through them.
In short, the collaboration tools used within your organisation need to be secure: at least as safe, and as compliant, as your file storage and core IP, and that means proper end-to-end encryption with verifiable identities. They should offer bridging into other messaging platforms, portability and reliability. They need to offer a choice of architectures, including both cloud and on-premises deployment, and geographic flexibility. All of that should enable you to meet your compliance obligations. And finally, they have to deliver on usability, or the whole project is doomed to failure.
So ultimately you need to ask yourself: do your collaboration tools provide security, freedom and usability? If the answer is no, take a look at New Vector’s products and Matrix.
Get in touch for more information.
Sign up for a free one month trial of Modular, your custom collaboration app (up to five users).
Sign up for complete enterprise-wide use of Modular, a fully hosted collaboration tool.