Summary

  • Slack and Teams usage is skyrocketing in financial services (FS) organizations, but in such a highly regulated sector these tools are a significant data security risk.
  • Slack and Teams can often be ‘black boxes’. The IT team has no idea what data is being shared and with whom, making it impossible to ensure compliance requirements are met.
  • There are tools out there – like ours – that allow you to monitor exchanges between users on Slack and Teams, including messages, files and snippets.

As the financial services (FS) sector embraces new ways of working and digital transformation, communication tools like Slack and Teams are helping employees to find new efficiencies and better collaborate with partners, customers and clients.

Platforms like Slack and Teams are highly versatile, and they are constantly adding new functionality that makes them more appealing to businesses.

Beyond just communication, finance professionals can use these channels to track projects, share documents, host video conferences, and manage operations from end to end. Monzo, for example, even uses Slack for incident response.

And that’s just the internal use cases. Slack and Teams also help FS organizations to maintain a dialogue with customers, investors, partners and so on.

However, while these tools have many benefits, they also expose FS organizations to new security risks and compliance challenges.

Two recent incidents illustrate the point. The EA Games data breach began with attackers using stolen session cookies to get into EA's Slack workspace and then socially engineering IT support into granting access, a compromise of how the tool was used rather than a flaw in Slack itself. Separately, in the Microsoft Power Apps exposure, UpGuard found that a considerable number of Power Apps portals were publicly exposing data on the Internet because of misconfigured default permissions.

Already we’re seeing the consequences of digital transformation in FS on compliance requirements. In 2020, 198 fines were imposed against financial service institutions, up 141% from the year before, with penalties totaling $10.4 billion.

[Infographic: cybersecurity risks in financial services]

Security challenges of Slack and Teams 

As a financial institution, you have unique compliance requirements for data security and recordkeeping, such as SEC and FINRA books-and-records rules and the GLBA Safeguards Rule. While great for productivity, limitless collaboration can often be at odds with these requirements.

Even though Slack and Teams are themselves secure platforms, their infrastructure is not the weak point; that doesn't mean they don't present compliance risks.

Slack and Teams enable financial teams to share documents and data seamlessly. However, this means that it’s easier than ever for employees to share the wrong document with the wrong person, either accidentally or on purpose.

Put simply, Slack and Teams can often be ‘black boxes’. The IT team has no idea what data is being shared and with whom, making it impossible to conduct compliance audits and ensure that data security requirements are being met.

This lack of visibility also increases the risk of a data breach, because IT teams cannot safeguard sensitive data they cannot see.

How to embrace Slack and Teams without a data breach

The first step to addressing Slack and Teams security issues is acknowledging the problem. Too many organizations forget that Slack and Teams operate within the cloud’s shared responsibility model.

This means that, while the provider is responsible for securing the underlying infrastructure, the customer is responsible for ensuring that data is shared appropriately and for managing configurations such as guest and external access, retention settings, and the permissions granted to third-party apps and bots.

Moreover, the native security controls in Slack and Teams are often not granular enough to deal with the compliance challenges that FS companies face.

The good news, though, is that there is a way for FS companies to manage the security of Slack and Teams better.

Here is how to do it:

Embrace new-age DLP 

Slack and Teams compliance relies on granular visibility and monitoring. There are tools out there, like Polymer DLP, that allow you to monitor exchanges between users on Slack and Teams, including messages, files and snippets.

While this might sound invasive, these solutions are automated and focused. They aren’t looking at what your employees are saying; they’re looking at what data they are sharing.

These tools automatically scan and redact sensitive data in tools like Slack and Teams, preventing accidental data exposure and stopping data theft in its tracks through pre-defined data classification policies and artificial intelligence.

This gives security teams much needed control and visibility over how data is being used and stored no matter where it travels.

For example, Routefusion, a high-growth cross-border payment SaaS platform used by banks, used Polymer DLP for Slack and Google Drive. The integration has successfully protected the company from both accidental and intentional data leaks.

We were able to remove over 97% of all sensitive data elements shared in public chats in real time while blocking virtually all sensitive files from being shared with unauthorized parties.

“Polymer just worked out of the box. Minimal tweaking of rules with great support was done within 2-3 sessions” – Michael Cramer, Head of Operations at Routefusion.


Keep records 

FS organizations must retain records of business communications conducted in Slack and Teams, including messages and the files shared alongside them.

There are numerous ways to do this, such as using an enterprise archiving solution or the retention and export capabilities built into Slack and Teams. However, these options have drawbacks, as they aren't designed for rigorous reporting requirements.

The good news is that a cloud DLP provider can also help you with reporting requirements. Our solution, for example, offers highly granular auditing capabilities and detailed contextual maps of collaboration tool events so that compliance teams have multiple ways of monitoring and applying compliance protocols while keeping an in-depth record.
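The following Python sketch is an added example, not Polymer's code and not Slack's or Microsoft's APIs. It ties together the two steps described above: scanning a chat message for sensitive data elements and redacting or blocking them before they reach the channel (the "Embrace new-age DLP" section), and writing an audit record for each decision so that compliance teams keep an in-depth record (this section). The sample message, the per-channel policy, the detector patterns and the audit key are all constructed for illustration; a real deployment would receive events from the platform's API and load the key from a secrets store.

```python
"""Minimal chat DLP: detect, redact/block, and audit.

Added example. The detectors cover three common sensitive data elements
(payment card numbers, US SSNs, IBANs), validated with Luhn and mod-97
checks to cut false positives. Audit records store a keyed fingerprint
of the matched value, never the value itself.
"""
import hmac
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical key; in production load it from a secrets manager.
AUDIT_KEY = b"replace-with-key-from-secret-store"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string (rejects most random numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 7064 mod-97 check: move first 4 chars to the end, letters -> 10..35."""
    s = iban.upper()
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1


def _strip(v: str) -> str:
    return re.sub(r"[ -]", "", v)


# Detector catalogue: data type -> (pattern, optional validator on the raw match).
DETECTORS: Dict[str, Tuple[re.Pattern, Optional[Callable[[str], bool]]]] = {
    "CREDIT_CARD": (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
                    lambda m: 13 <= len(_strip(m)) <= 19 and luhn_ok(_strip(m))),
    "US_SSN": (re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), None),
    "IBAN": (re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), iban_ok),
}

# Constructed channel policy: what to do when a message contains a finding.
POLICY = {"public": "redact", "private": "redact", "external": "block"}


@dataclass
class Finding:
    data_type: str
    start: int
    end: int
    value: str


def scan(text: str) -> List[Finding]:
    """Run every detector and return non-overlapping findings in text order."""
    found = []
    for dtype, (pattern, validate) in DETECTORS.items():
        for m in pattern.finditer(text):
            if validate is None or validate(m.group(0)):
                found.append(Finding(dtype, m.start(), m.end(), m.group(0)))
    found.sort(key=lambda f: (f.start, -f.end))
    result, last_end = [], -1
    for f in found:
        if f.start >= last_end:
            result.append(f)
            last_end = f.end
    return result


def fingerprint(value: str) -> str:
    """Keyed hash so auditors can correlate repeats without storing the secret."""
    return hmac.new(AUDIT_KEY, _strip(value).encode(), hashlib.sha256).hexdigest()[:16]


def enforce(event: dict) -> Tuple[bool, str, List[dict]]:
    """Return (allowed, outgoing_text, audit_records) for one message event."""
    findings = scan(event["text"])
    action = POLICY.get(event["channel_type"], "block")  # unknown channel types fail closed
    audit = [{"ts": event["ts"], "workspace": event["workspace"], "channel": event["channel"],
              "user": event["user"], "data_type": f.data_type, "action": action,
              "fingerprint": fingerprint(f.value)} for f in findings]
    if not findings:
        return True, event["text"], audit
    if action == "block":
        return False, "", audit
    text = event["text"]
    for f in sorted(findings, key=lambda f: f.start, reverse=True):  # right-to-left keeps offsets valid
        text = text[:f.start] + f"[REDACTED:{f.data_type}]" + text[f.end:]
    return True, text, audit


# Constructed sample event in a Slack-like shape (not a real API payload).
SAMPLE_EVENT = {
    "ts": "2021-09-01T10:15:00Z", "workspace": "acme-fs", "channel": "#payments",
    "channel_type": "public", "user": "U0123",
    "text": "Card 4111 1111 1111 1111, SSN 123-45-6789, IBAN GB82WEST12345698765432, order 12345",
}

if __name__ == "__main__":
    allowed, out, records = enforce(SAMPLE_EVENT)
    print(allowed, out)
    for r in records:
        print(r)
```

The audit trail deliberately records who shared which kind of data in which channel and when, plus a keyed fingerprint, which is what a compliance reviewer needs; storing the raw value would turn the audit log into a second copy of the data you were trying to contain.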


Train your users 

Just as you will likely have a company policy for social media communications, you should create documented expectations around how you expect your users to engage with Slack and Teams and any other communication channel you use.

This should include reminders, for example, about corporate policies on sharing sensitive data, activities prohibited by regulators such as the FDIC, incident response, and what to do in the event of a data security breach.

However, a document isn’t enough to combat the risk of human error or negligence. Therefore, it would be best to back up your corporate policy with security training.

Be careful about the type of training you opt for. Long away days, impersonal eLearning modules and unfriendly user interfaces all decrease the likelihood of your employees taking the lessons on board.

The best-in-breed security training solutions today integrate directly into your employee workflows. They appear as prompts and nudges, which help employees to make security-conscious decisions as they go about the working day.

No training program is a silver bullet for accidental data leaks, in any case. Employees are only human, and mistakes will inevitably happen at some point. Therefore, training must be backed up by adequate data protection policies – particularly for redacting sensitive data.

Enjoy the benefits of Slack and Teams in FS 

In an environment as regulated as FS, you can’t afford to let your collaboration tools be the reason for a data breach.

Going backwards isn’t an option. These tools are the future of collaboration and communication. However, they require a rigorous approach to security.

With tools like ours, you can unlock the productivity benefits of Slack, Teams and more while also ensuring a high level of compliance and data security.

Learn more about Polymer for financial services today or request further information via this form. 

Polymer is a no-code data loss prevention (DLP) platform that allows companies to monitor, auto-remediate, and apply behavioral techniques to reduce the risk of insider threats, sensitive data misuse, and leakage over third-party SaaS apps. Try Polymer for free.
