A Data Safety Guide for Your Next Slack, Google Workspace, and Zoom Integration.

Where work happens

Using workflow & collaboration platforms is the norm for all of us. Whether physical, remote, or hybrid, today’s workspace is adopting such technologies faster than ever. For many teams, everyday work is happening on Google Workspace, Microsoft Teams, Monday, Zoom, and Slack. The growing demand for more functionality has created a vibrant ecosystem of business apps and integrations. Even most modern browsers now provide extension support, enriching the user experience and capabilities.

In addition, no-code tools like Zapier and Bubble are slowly but surely finding their way into the mainstream of business, marketing, and creative work. These applications allow more people (a.k.a. citizen developers) to create custom-designed apps and business processes, driving increased interconnectivity between tools, boosting productivity, allowing more data to flow freely, and improving workflow efficiency.

Why should you care about 3rd-party data protection?

Your sensitive data is being collected

Firstly, 3rd-party integrations collect vast amounts of data about you, your team, and your customers. You probably don’t even realize you’ve given a company permission to see personal information! We have analyzed the top permissions required by 3,900 of the most popular integrations on Slack and Zoom and highlighted the permissions that might lead to sensitive data being stored and processed by the integration’s backend.


Top required permissions by 2,517 Slack integrations:

Perform actions in channels & conversations 24%
Perform actions in your workspace 22%
View content and info about channels & conversations 20%
View content and info about your workspace 19%
View content and info about you 8%
Perform actions as you 6%
Administer Slack for your organization 1%

Top required permissions by 1,414 Zoom apps:

View and manage your meetings 16%
View your user information 14%
View your meetings 10%
View all user information 9%
View and manage all user meetings 8%
View all user meetings 6%
View your profile information 4%

Our analysis also found that 20% of 10K business apps analyzed had at least one security risk, 16% of apps had critical security risks, and more than 30% didn’t have a clear privacy policy commitment not to share or sell data.

Given these results, the potential of your sensitive data being exposed intentionally (for monetization) or unintentionally (via data breach) is not zero. It is estimated to be closer to a low two-digit percentage.
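To make the permission review concrete, here is an added example (not code from the original post) that takes the OAuth scopes a Slack app requests and buckets them into the permission categories listed above, flagging the ones that let message content or identity data leave the platform. The scope names are real Slack OAuth scopes; the mapping of scopes to categories and the high-risk tier are this example's own assumptions, and the sample app is constructed.

```python
"""Pre-install check: classify the OAuth scopes a Slack app asks for."""
from collections import Counter

CONV_VIEW = "View content and info about channels & conversations"
WS_VIEW = "View content and info about your workspace"
CONV_ACT = "Perform actions in channels & conversations"
WS_ACT = "Perform actions in your workspace"

# Assumed mapping of real Slack scope names to the post's categories.
SCOPE_CATEGORY = {
    "channels:history": CONV_VIEW, "groups:history": CONV_VIEW,
    "im:history": CONV_VIEW, "mpim:history": CONV_VIEW, "files:read": CONV_VIEW,
    "channels:read": WS_VIEW, "users:read": WS_VIEW, "users:read.email": WS_VIEW,
    "chat:write": CONV_ACT, "chat:write.public": CONV_ACT,
    "commands": WS_ACT,
    "identity.basic": "View content and info about you",
    "admin": "Administer Slack for your organization",
}

# Assumed risk tier: scopes that expose message/file content, e-mail
# addresses or admin control are the "sensitive data" the post warns about.
HIGH_RISK = {"channels:history", "groups:history", "im:history", "mpim:history",
             "files:read", "users:read.email", "admin"}


def assess_scopes(requested):
    """Return (category tally, sorted high-risk scopes, sorted unknown scopes)."""
    tally, high, unknown = Counter(), [], []
    for scope in requested:
        category = SCOPE_CATEGORY.get(scope)
        if category is None:          # unmapped scope: needs a human look
            unknown.append(scope)
            continue
        tally[category] += 1
        if scope in HIGH_RISK:
            high.append(scope)
    return tally, sorted(high), sorted(unknown)


def verdict(requested):
    """'review' when any high-risk or unknown scope is requested, else 'ok'."""
    _, high, unknown = assess_scopes(requested)
    return "review" if high or unknown else "ok"


# Constructed sample: scopes an imaginary "standup bot" requests at install.
SAMPLE_APP_SCOPES = ["chat:write", "commands", "channels:read",
                     "channels:history", "users:read.email"]

if __name__ == "__main__":
    tally, high, unknown = assess_scopes(SAMPLE_APP_SCOPES)
    for category, count in tally.most_common():
        print(f"{count}  {category}")
    print("high-risk scopes to justify:", high, "| unknown:", unknown)
    print("verdict:", verdict(SAMPLE_APP_SCOPES))
```

A scope that reads channel history for a bot that only needs to post messages is exactly the kind of over-broad request worth questioning before clicking "Allow".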

Consent to share your data

You wouldn’t give a stranger your personal information. Likewise, when connecting a new integration, you might feel a bit uncomfortable giving your data to a 3rd-party, providing the mandatory consent, without knowing who will eventually have access to your data. The concern is real - once your data leaves your trusted platforms (e.g. Slack, Teams, Zoom) via an integration, there’s no way to keep track of it. In some cases, even well-trusted apps might monetize data via ad networks or by selling it to data brokers, sometimes without robust anonymization. The data buyers might be legitimate market research firms, hedge funds, or competitive intelligence agencies, in which case your data might be used against your interests. It’s good practice to understand the privacy policy of each 3rd-party; however, very few companies do that.

Regulation & compliance

Data protection regulations and security compliance are starting to affect smaller companies, SMBs, and startups, which means that R&D, sales, and marketing teams will need to keep an eye on cloud security, code, and the tools they use. Complying with standards and regulations like the GDPR, CCPA, ISO-27001, and SOC2 can be a time-consuming process, while failing to comply is likely to hurt business performance and user trust. Choosing only the safest 3rd-party integrations from the get-go will save you time and money when you need to comply with current & future regulations.

Open door for hackers

Platforms make it easier than ever to add new integrations, which is great for productivity and collaboration but can introduce new threats to your company’s data. The risk is twofold:

  • A hacker might infiltrate the servers of your integrated 3rd-party, exposing all the data they collect to provide the service. In many cases, the developer doesn’t have strong security measures in place (especially startups and small integration providers), and a relatively simple attack may, unfortunately, be effective. This risk is growing with the global rise of cybercrime and the increasing popularity of 3rd-party integrations.
  • Bad actors could create useful and seemingly innocent integrations with the sole purpose of gaining access to as many companies as possible. As articulated by Matt Gayford, principal consultant at the Crypsis Group: “An attacker could create a Slack add-on that advertises some great features but also reads channel data, if an end-user mistakenly installs the add-on, they could expose all Slack channels to the attacker.” (source)

Evaluating data safety is hard

Internal assessment is complicated

First of all, full security & privacy evaluation of a 3rd-party is performed mostly by mature organizations with a dedicated information security team, and less by small companies and startups, which are focused on pressing issues like growing customers and generating cash flow. A typical internal assessment for a new integration would require several steps:

  • Cloud security and vulnerabilities - analyzing the developers’ cloud, infrastructure, storage, and networking robustness against potential data leaks.
  • Privacy policy and DPA (data processing agreement) - validating that the collected data will be used only for the intended purposes and not shared with third parties.
  • Data protection certificates - ensuring the developer has the required security certifications like SOC2, HIPAA, etc.
  • Team and trust - it’s often helpful to evaluate the trustworthiness of a developer by looking at the company structure, location, team, existing clients, and the community sentiment.

Performing a complete data safety analysis can take from a few weeks to a couple of months, depending on the team’s expertise level and the developer’s responsiveness.

Data leak prevention (DLP) and data discovery solutions are often too late

Many solutions perform data-loss risk evaluation, protection, monitoring, and data discovery. However, they are designed mainly for large enterprises, are often expensive, and require complicated integrations, management, and a dedicated team. Even if you pick one of these solutions, it’s usually deployed long after your data has been exposed. That definitely defeats the purpose of protecting your data! It’s more effective to perform quick data safety checks for new apps before integration, preventing the risk of data exposure in the first place and reducing the need for expensive DLP solutions.

Lack of good online resources

From our conversations with information security experts, the task of evaluating the trustworthiness of a specific integration is challenging, time-consuming, and often requires a lengthy manual process. It’s somewhat surprising that in 2021 we still don’t have an online open repository for a data security and privacy evaluation of popular SaaS providers, integrations, and no-code tools, especially since many companies are performing a similar review over and over again per integration. Such an online repository would benefit large and small companies with their data protection efforts.

Which integrations can you trust?

You probably shouldn’t blindly trust a new business app with your information. The main reason apps overlook data protection and confidentiality is the high cost of security on the one hand and the high monetization potential on the other.

As a company that uses 3rd-party integrations, it’s often too complicated and costly to perform a detailed data security assessment for every integration, not to mention performing ongoing data protection monitoring. The challenge is even more significant for smaller companies and startups without a dedicated information security team.

Here are 7 simple but useful ways to help you decide which integrations are safe and will probably protect your data:

  1. Popularity – The app or integration should have a decent social media following and installs on platforms that share that information. Anyone with a large user base will be careful to protect users’ data since their reputations are on the line.
  2. Regulation compliance – Make sure the app is compliant with data privacy regulations like GDPR, CCPA, HIPAA, and security certifications like SOC2, NIST CSF, COBIT, ISO27002, FFIEC, and PCI-DSS (depending on your segment regulation requirements).
  3. Existing clients – Check if your new integration has recognized names under its belt. If accurate, this would mean a large organization has already taken the time and spent some resources evaluating the security and data integrity of the solution.
  4. Privacy policy – Pay special attention to sections that list the data collected and what it’s used for, and make sure it explicitly states the company doesn’t have the right to sell your data.
  5. Reviews and comparisons – Use sites like G2 and TrustRadius to quickly evaluate the community satisfaction with an integration. Although this analysis can be helpful, it wouldn’t provide a concrete metric for the data protection level.
  6. Company and team – Look at sites like LinkedIn and Crunchbase to learn about the company, founding team, team size, year of incorporation, and funding amount. Try to better understand the developers' maturity level (high maturity would imply more attention to data protection and security).
  7. Known data breaches - A quick Google search should give you a brief answer to whether the company was part of a major data breach or leak. It’s always a good idea to choose only developers who have proven to focus on privacy and security.

Conclusions

Remember that every third-party has its own way of protecting data privacy, and you should always question how they do so! When adding a new integration to your Slack, Zoom, Chrome, Google Workspace (or any other business platform), it’s important to keep in mind that not all integrations are created equal in terms of data protection. In order to keep your customer data, emails, payments, and documents secured, it’s crucial to perform some evaluation or research, as described in this post. We hope this post will help you keep your data safe with your new and existing integrations!

Let's talk

Need help? Interested in early access? Want to get in touch? Send us a message below, or email us at info@protective.ai