Hybrid work and hybrid play now merge into hybrid living, but where is the line between the two? Is there one?
That the COVID-19 pandemic brought a new normal to businesses, educational institutions, and our everyday lives is an understatement. Many interactions, whether work-related or personal, moved online or at least gained a virtual mirror. This virtual migration began alongside the pandemic when most people and businesses first turned to tried-and-tested communications solutions, such as Microsoft Teams, Slack, and Zoom, which merged rich communication functions with collaboration and productivity tools to help compensate for lost in-person work.
Together with Skype and Skype for Business, all were known entities before our “new normal”; however, the shift to hybrid work, study, and play saw these platforms explode in popularity. As cloud-based solutions, shared access and files, parallel workflows, instant messaging, and more were all easily accessible. But all ups have their downs.
Anything that becomes widely popular also becomes attractive to attackers. This holds true of cloud-based platforms too. Cloud-based cyberattacks accounted for 20% of all cyberattacks in 2020. Because the popularity of cloud-powered services isn’t wavering, neither is the interest of attackers. Let’s look at three platforms mentioned above to identify a trend: apps designed for work but transformed by popular demand into a social communication platform.
Securing the convenience of hybrid life
Microsoft Teams, launched in 2017, is now the fastest-growing Microsoft app and go-to communications tool. Teams has seen explosive growth from early in the pandemic. The annual number of Teams users nearly doubled between 2020 and 2021, and in 2022, users numbered 270 million, most of whom are of working age (35-54 years old). The choice of many, Teams has moved beyond its intended business setting and is now commonly used in education and has gained a role in people’s personal lives.
Microsoft Teams is a convenient option among communication apps, but it is not without risks. In 2021, a vulnerability was discovered in Teams that allowed malicious insiders to steal emails, Teams messages, and OneDrive and SharePoint files. More recently, in August 2022, a post-exploitation opportunity was discovered due to Teams storing access tokens in plaintext on disk, thus making them easier to steal should an attacker somehow first manage to compromise a victimized computer. For some, weaknesses like these indicate that cloud-based solutions are more susceptible to attacks than on-premises solutions and thus need a special layer of cloud-based protection.
Another cloud-based solution for videoconferencing that has become a household name in recent years is Zoom. This peer-to-peer software platform saw a massive boom during the pandemic as people began working, socializing, and attending events online. Zoom seemed to be the perfect option, as it didn’t require having an account to attend an event. It also has a free version with limited functionalities.
Of course, Zoom’s wide use brought with it the attention of security professionals and ill-intentioned actors alike. The platform has come under the spotlight a number of times since 2020, including for privacy and security issues that were not of its own making. In one widely publicized issue, the former UK Prime Minister Boris Johnson came under fire for inadvertently revealing a Zoom meeting ID for a Cabinet meeting, which raised concerns about the meetings being exposed to a heightened risk of eavesdropping and attacks known as Zoombombing.
Also early into the pandemic, hackers gathered more than 500,000 Zoom usernames and passwords via an attack known as credential stuffing before putting the logins up for grabs on the dark web. Another type of issue involved security vulnerabilities, including one that affected the Zoom app for macOS and could have given hackers root access to macOS desktops. Fast forward to early 2022, and Google’s Project Zero team revealed a buffer overflow and an info leak vulnerability in Zoom that, before it was remedied, could have allowed threat actors to monitor Zoom meetings. Some of these issues were followed by reports of phishing and other social engineering attacks, which are known for being the top vector for malware delivery.
Inheriting the risks of success – a pattern
Similarly, the abovementioned productivity app, Slack, which claims to reduce the need for emails by 32% and meetings by 27%, is also a victim of its success. This instant messaging platform allows users to make voice calls and video chats, and send messages and media files in private chats or as part of a community (workspace). This app reports over 12 million daily users while being compatible with all major operating systems. According to one estimate, an average user is on the app for at least 10 hours a week. Slack is used by more than 100,000 organizations worldwide and offers a paid tier called Slack Connect that includes a secure messaging feature used by over 10,000 organizations.
However, Slack comes with its fair share of vulnerabilities and risks to users too. A more recent vulnerability was reported in 2019. It allowed attackers to exploit a vulnerability in Slack Desktop for Windows to alter where files sent through a Slack channel are downloaded, ultimately allowing them to inject malware into the files or steal them. This, of course, is not the first security issue, as major flaws were found as early as as early as 2015. One of Slack´s more obvious downsides seems to be its open communities feature, allowing large groups of people to connect. Like email, Slack has become a perfect vector for phishing and spam.
We’ve reviewed some of the security issues affecting apps like Teams, Zoom, and Slack. Even though remedied, we should not think these types of issues are of no further concern. The hybrid workplace we live in is imbued with the power of metamorphosis. What began as work apps have transformed into social communication platforms, opening up a whole new vector for security and privacy risks.
With the move of business into the social sphere, these platforms have their work cut out. But they are not alone in this task. They represent one force competing inside a melting pot of platforms. Popular communication apps like Facebook, Telegram, and Bumble are another force. Originally social apps but, again, imbued with the power of metamorphosis. We see them being repurposed for business users, bringing both success and new cyber-risks in their wake.
So, with multiple cloud-powered apps in both our hands and pockets, we have crossed a threshold – one that is taking us to a new dimension of how we work, socialize, and play. However, we are not just passive spectators caught up in a web of virtual environments, but active participants who create our own communities and influence the shapes of others. Escaping this hybrid life is almost unimaginable, perhaps leaving only one option: striking forth boldly … but with caution.
This article is an adapted version of the corresponding section from our Cybersecurity Trends 2023 report. Indeed, why not also read the report’s other sections that focus on hybrid commerce and hybrid play, respectively?
UPDATE (January 10th, 2023): The article was updated to clarify information about security and privacy challenges facing Zoom.