Ask the experts: make light work of MS Teams security for home workers
Most of our staff need to work from home now, and Teams seems the obvious means of collaboration. It’s important we don’t curb people’s productivity, but at the same time we’re concerned about information privacy and security protocols being breached if users are unwittingly careless. How can we achieve a safe middle ground?
Given companies’ haste to get employees up and running on Teams from home, information and security managers are right to be concerned about where sensitive details might be shared. Here are some pointers on maximising users’ freedom and productivity, without creating new and lasting risk.
- Don’t panic.
If the business has already embraced Teams with gusto, and without adequate controls in place to determine who can see or share what, this isn’t an irretrievable situation. Be assured that you will be able to restore order retrospectively, bringing access to sensitive content back within acceptable limits and ensuring that the latest information and documents are stored in the right place.
- Weigh up your needs: open/discoverable vs closed/private or combinations thereof.
Set some basic security parameters as soon as you can. Take advantage of the settings Microsoft offers ‘out of the box’ with Teams and Office 365, and then add some simple additional parameters if you want to hone these criteria further (see points 3-5).
To encourage widespread Teams take-up, Microsoft has put in place default settings that make teams open and discoverable, ready for anyone to find and join. But it is very easy to amend these settings, as needed. All teams are designated Public (open for others to join without approval), or Private (requiring membership for users to gain access). Essentially, wherever there might be a need to control access to certain topics or related information/documents, team creators/owners should select the private option – ensuring that no one else can enter without seeking permission first.
However, even private teams are set by default to be searchable and discoverable (by title and description) by non-members. If a team is set up to discuss a sensitive internal project, client case or legal matter, the name of the chat or collaboration topic could be sufficient to compromise required secrecy. Our software helps guard against that (MS Teams will have this capability natively soon too). If a team owner doesn't want activity to show up in search results and suggestions, they can simply select the alternative option at set-up. This will hide all the metadata linked to a team so that it won’t appear in theme-related searches.
- Add further control steps, as needed.
To make absolutely sure that non-members can’t see any content they shouldn’t, consider adding in some other simple steps – for example, requiring two owners per team who can approve new-joiners; or requiring requestors to enter a code to verify their approved status.
- Link to and re-use existing content controls, as reflected in other systems.
Given that you may have established privacy and security controls and information access rights within other systems such as project or practice management applications, it would be a great time-saver and confidence-booster if you could simply carry across these controls to use in Teams. Our software lets you do exactly that.
So if you’re concerned about sensitive information being shared with external users via Teams, why not link access controls to people’s Office 365 credentials to ensure that certain content goes no further? As well as ensuring that sensitive documents aren’t shared with ‘the wrong Jenny’, such measures will help ensure there is no accidental transgression of GDPR and other regulatory restrictions around data management.
- Auto-create teams with pre-set security controls.
For even greater reliability and speed of set-up, you could pre-populate certain types of Team with agreed parameters, so that, for a given project, case or matter, the right members are pre-assigned and the appropriate levels of content lockdown are already defined, as per the parameters set down in other business systems.
Our solutions make this kind of thing easy: for example, assigning a whole group to a team instead of having to invite members individually, and pre-defining appropriate security settings. Our software can also define and enforce enhanced approval processes for particularly sensitive Teams.
Importantly, we make all of this very intuitive and user-friendly, so that these additional measures do not stand in the way of people using Teams productively from day one. By linking to the fine-grained controls specified in existing policies and systems, we make it possible for organisations to roll out Teams confidently and at speed.
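To restore order retrospectively on the visibility and ownership points above (Public vs Private, discoverability by non-members, two owners per team), the following added example audits an exported list of teams; it is not part of the original article or of any vendor's product. The record layout, the field names and the `sensitive` flag are assumptions, and the sample inventory is constructed.

```python
# Added example: audit a Teams inventory against the visibility guidance above.
# The record layout and field names are assumptions made for this sketch.
from dataclasses import dataclass

# Constructed sample inventory (not real tenant data).
SAMPLE_TEAMS = [
    {"name": "All Staff Social", "visibility": "Public", "discoverable": True,
     "owners": ["amy", "raj"], "sensitive": False},
    {"name": "Project Falcon Acquisition", "visibility": "Public", "discoverable": True,
     "owners": ["amy", "raj"], "sensitive": True},
    {"name": "Client X Litigation", "visibility": "Private", "discoverable": True,
     "owners": ["lee"], "sensitive": True},
    {"name": "HR Casework", "visibility": "Private", "discoverable": False,
     "owners": ["amy", "lee"], "sensitive": True},
]

MIN_OWNERS = 2  # "two owners per team who can approve new-joiners"


@dataclass(frozen=True)
class Finding:
    team: str
    issue: str


def audit_team(team: dict) -> list[Finding]:
    """Return the guidance points a single team record fails."""
    findings = []
    if not team.get("sensitive", False):
        return findings  # open, discoverable teams are fine for non-sensitive topics
    name = team["name"]
    # A missing value is treated as Public, the open default the article describes.
    if str(team.get("visibility", "Public")).lower() != "private":
        findings.append(Finding(name, "sensitive team is Public: anyone can join without approval"))
    # A missing flag is treated as discoverable, again the default described.
    if team.get("discoverable", True):
        findings.append(Finding(name, "title and description are searchable by non-members"))
    owners = {o.strip().lower() for o in team.get("owners", []) if o.strip()}
    if len(owners) < MIN_OWNERS:
        findings.append(Finding(name, f"{len(owners)} owner(s), need {MIN_OWNERS} to approve joiners"))
    return findings


def audit(teams: list[dict]) -> list[Finding]:
    """Audit every team and return all findings in inventory order."""
    return [f for team in teams for f in audit_team(team)]


if __name__ == "__main__":
    for f in audit(SAMPLE_TEAMS):
        print(f"{f.team}: {f.issue}")
```

Records with missing fields are scored as if the open defaults apply, so an incomplete export produces findings rather than a false all-clear.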